
Wi-Fi 6E OWE Frame Exchange

source link: https://rowelldionicio.com/wi-fi-6e-owe-frame-exchange/


January 9, 2023 By Rowell


Open SSIDs continue to be used across many networks. Prior to Opportunistic Wireless Encryption (OWE), communications between devices and access points on these networks were unencrypted, and we relied on applications to provide increased security.

An open SSID usually provides a device with network access after the 802.11 association.

OWE improves upon open networks, which don’t use a pre-shared key or 802.1X, by encrypting unicast and broadcast data. In Wi-Fi 6E, an open SSID must be configured to use OWE.

OWE frame exchange infographic

Download the OWE Frame Exchange infographic PDF.

The magic of OWE lies within the Association frames. A Diffie-Hellman key exchange occurs during the 802.11 association. A Diffie-Hellman Parameter element is inserted, as can be seen in the screenshots below, and it includes the public key of the transmitter. As a result, a pairwise secret is created and used in the 4-Way Handshake.

Download my 6 GHz OWE pcap file.

An OWE SSID is identified by the Auth Key Management (AKM) suite within the RSN Information Element.


AKM Suite – OWE

OWE includes a Diffie-Hellman Parameter element (ID 255) in the Association frame. The device will add its public key in the Association Request.


Association Request – OWE

The Association Response looks similar, as the AP includes its public key:


Association Response – OWE

The Diffie-Hellman Parameters are checked for validity, and once the device and AP move through association, the Diffie-Hellman key exchange is completed. As a result, a Pairwise Master Key (PMK) and PMKID are created.
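To check these fields in your own capture, the following added example (not code from the original article) walks the tagged parameters of an Association frame, confirms the OWE AKM (00-0F-AC:18), extracts the Diffie-Hellman Parameter element, and computes the PMKID as RFC 8110 defines it. It assumes group 19 (P-256), Element ID Extension 32 and a little-endian group field; the sample bytes are constructed, and it checks only key length, not that the point lies on the curve.

```python
import hashlib
import struct

OWE_AKM = bytes.fromhex("000fac12")  # suite selector 00-0F-AC:18
KEY_LEN = {19: 32}                   # group 19 (P-256): x-coordinate only

def elements(tagged):
    """Yield (id, payload) for each element; refuse truncated input."""
    i = 0
    while i < len(tagged):
        if i + 2 > len(tagged) or i + 2 + tagged[i + 1] > len(tagged):
            raise ValueError("truncated element")
        yield tagged[i], tagged[i + 2:i + 2 + tagged[i + 1]]
        i += 2 + tagged[i + 1]

def has_owe_akm(tagged):
    """True if the RSN element (ID 48) lists the OWE AKM suite."""
    for eid, rsn in elements(tagged):
        if eid != 48:
            continue
        off = 6                                   # skip version + group cipher
        off += 2 + 4 * struct.unpack_from("<H", rsn, off)[0]  # pairwise list
        count = struct.unpack_from("<H", rsn, off)[0]
        akms = [rsn[off + 2 + 4 * k:off + 6 + 4 * k] for k in range(count)]
        return OWE_AKM in akms
    return False

def dh_parameter(tagged):
    """Return (group, public_key) from element 255 with extension ID 32."""
    for eid, data in elements(tagged):
        if eid == 255 and data[:1] == b"\x20" and len(data) >= 3:
            group = struct.unpack_from("<H", data, 1)[0]
            key = data[3:]
            if len(key) != KEY_LEN.get(group, -1):
                raise ValueError("unsupported group or bad key length")
            return group, key
    raise ValueError("no Diffie-Hellman Parameter element")

def pmkid(client_key, ap_key):
    """RFC 8110: PMKID = first 128 bits of Hash(C | A); SHA-256 for group 19."""
    return hashlib.sha256(client_key + ap_key).digest()[:16]

def build(eid, payload):
    """Helper for the constructed samples below: ID, length, payload."""
    return bytes([eid, len(payload)]) + payload

# Constructed sample data (not taken from the article's capture).
RSN = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac12")
CLIENT_KEY, AP_KEY = bytes(range(32)), bytes(range(32, 64))
ASSOC_REQ = build(0, b"guest") + build(48, RSN) + build(255, b"\x20\x13\x00" + CLIENT_KEY)
ASSOC_RESP = build(255, b"\x20\x13\x00" + AP_KEY)
```

Pass the bytes that follow the fixed fields of each Association frame; the functions raise `ValueError` on truncated elements or a public key whose length does not match the group.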

Following the Association is the 4-Way Handshake in which the PMK is used.

The 4-Way Handshake generates a Key-Encrypting Key (KEK), Key-Confirmation Key (KCK), and Message Integrity Check (MIC) to protect the frames of the 4-Way Handshake.

At the end of the 4-Way Handshake we have the Pairwise Transient Key (PTK) encryption keys to protect unicast and broadcast data.

In my packet capture, these are the frame exchanges that occur between a Samsung S22+ and an OWE SSID configured on my EnGenius ECW336.

The exchange:

  1. Device sends probe request for SSID
  2. AP sends probe response
  3. Device sends an Authentication frame [Open System 802.11 Auth]
  4. AP sends acknowledgement frame [Open System 802.11 Auth]
  5. AP sends Authentication frame [Open System 802.11 Auth]
  6. Device sends acknowledgement frame [Open System 802.11 Auth]
  7. Device sends Association Request frame
  8. AP sends acknowledgement frame
  9. AP sends Association Response frame
  10. Device sends acknowledgement frame
  11. AP sends Message 1
  12. Device sends acknowledgement frame
  13. Device sends Message 2
  14. AP sends acknowledgement frame
  15. AP sends Message 3
  16. Device sends acknowledgement frame
  17. Device sends Message 4
