Submission doc.: IEEE 802.11-15/1128r1
September 2015
Dan Harkins, Aruba Networks (an HP company)

Slide 1

Opportunistic Wireless Encryption
Date: 2015-09-13
Authors:

Slide 2

Abstract

This submission presents an idea for addressing a problem with public wi-fi hotspots

Slide 3

The Situation

• Wireless Internet access as an entitlement
  – “oh, no wi-fi, let’s go somewhere else”
• Coffee shop, bar, or restaurant wants to offer patrons “free wi-fi”
  – They want to provide a service but don’t want it to be a pain to configure or use
  – They want to provide some notion of both service and security to customers

Slide 4

The Problem

• Perpetual battle: Security vs Ease-of-Use
  – They want it to be easy-to-use
    • Don’t bug the staff too much – “no I said the L is capital”
    • Don’t irritate the customer – “wait, what? say that again”
    • Don’t require specialized knowledge – “what’s an ‘EAP method’?”, “How do I know what my ‘anonymous identity’ is?”, “Which of these 400 certificates do I need to select?”
  – They want some notion of security
    • Want it to be better-than-nothing security
    • Don’t want to have to get/generate/install a certificate
    • Secure access by patrons has to scale (see easy-to-use)
• Result: Both sides lose

Slide 5

FAIL

Slide 6

The Solution? OWE

• Make it simple to provision – just switch it on
• Make it virtually impossible to misconfigure – no user entry required
• Make public wi-fi “suck less” than it does when using a shared PSK
• Raise the bar that is necessary to perform pervasive monitoring just a bit higher
• OWE is an outgrowth of an IETF BOF on improving the captive portal experience

Slide 7

IETF Proposal

• https://tools.ietf.org/html/draft-wkumari-owe-00
  – Network appears “open” to the user (no “lock icon”)
  – Uses a Vendor Specific Element in beacons and probe responses to indicate OWE
  – After association in an OWE network, STA and AP do PSK authentication using the SSID as the password
• Upside
  – No need to explain/enter anything, just works
  – Code changes AP side are trivial; STA side, manageable
• Downside
  – Inherits all the security problems of shared PSK
  – Publicly advertises the PSK so arguably worse!

Slide 8

My Proposal

• Don’t do it in the IETF, let’s do it here
• AP advertises an OWE AKM
• When associating to an SSID with OWE, include Diffie-Hellman exponentials in (Re)Associate Request and Response
• STA and AP perform Diffie-Hellman, use shared secret to derive a PMK
• Use this (truly pairwise) PMK with 4-way HS
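The exchange proposed on this slide, worked through as an added example; this is not code from the submission or from Aruba. It assumes NIST P-256 as the Diffie-Hellman group (the group the later OWE standard, RFC 8110, uses by default) and a key derivation in the style of that RFC (HKDF keyed with the two public values, the label "OWE Key Generation", and a PMKID from the hash of both public values); the association request/response dictionaries and the function names are illustrative. Only the two ephemeral exponentials cross the air, so a listener who records the exchange has no route to the PMK; because neither exponential is authenticated, the protection is against passive observation, not against an active party that interposes itself as the AP, which is exactly why the benefit slide is phrased in terms of passive attack.

```python
"""Sketch of an OWE-style association: STA and AP each send a Diffie-Hellman
exponential, and the shared secret becomes a truly pairwise PMK.
Standard library only; P-256 arithmetic is written out here for illustration."""
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (as published in SEC 2 / FIPS 186).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
OWE_GROUP = 19  # IANA group id for P-256 (assumption: same id RFC 8110 uses)


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + ax + b over GF(P)."""
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Double-and-add k*pt (illustrative; not constant-time)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def keypair():
    """Fresh ephemeral exponential: private scalar and public point."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, scalar_mult(priv, G)


def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_pmk(z, sta_pub, ap_pub):
    """PMK and PMKID from the shared x-coordinate z, bound to both public values
    (derivation modelled on RFC 8110; an assumption, not the 2015 slide's text)."""
    c = sta_pub[0].to_bytes(32, "big")   # STA's exponential as sent
    a = ap_pub[0].to_bytes(32, "big")    # AP's exponential as sent
    prk = hkdf_extract(c + a + OWE_GROUP.to_bytes(2, "little"), z.to_bytes(32, "big"))
    pmk = hkdf_expand(prk, b"OWE Key Generation", 32)
    pmkid = hashlib.sha256(c + a).digest()[:16]
    return pmk, pmkid


def owe_association():
    """Run the exchange; return what each side holds and what crossed the air."""
    sta_priv, sta_pub = keypair()
    assoc_request = {"akm": "OWE", "dh_group": OWE_GROUP, "dh_public": sta_pub}
    ap_priv, ap_pub = keypair()
    assoc_response = {"status": 0, "dh_group": OWE_GROUP, "dh_public": ap_pub}
    # Each side combines its own private scalar with the peer's public point;
    # the private scalars never leave the device and never appear in a frame.
    sta_z = scalar_mult(sta_priv, assoc_response["dh_public"])[0]
    ap_z = scalar_mult(ap_priv, assoc_request["dh_public"])[0]
    sta_pmk, pmkid = derive_pmk(sta_z, sta_pub, ap_pub)
    ap_pmk, _ = derive_pmk(ap_z, sta_pub, ap_pub)
    return {"sta_pmk": sta_pmk, "ap_pmk": ap_pmk, "pmkid": pmkid,
            "over_the_air": (assoc_request, assoc_response)}


if __name__ == "__main__":
    run = owe_association()
    print("pairwise PMK agreed:", run["sta_pmk"] == run["ap_pmk"])
    print("PMKID:", run["pmkid"].hex())
```

The returned `over_the_air` pair is the whole capture a passive listener would have: two public points and a group id, with no PSK to recover and no private scalar to read out. The PMK feeds the existing 4-way handshake unchanged, which is the point of the slide's last bullet.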

Slide 9

Benefits

• More secure than a shared PSK
  – Not susceptible to passive attack
  – All those tools downloadable from Internet to crack PSKs won’t work!
• Easier to set-up than PSK
  – Nothing to provision or describe, no user error
• Easier to use by customers
  – Absolutely nothing needed to do! It just works.
• Makes pervasive monitoring that much harder
• Easier to use plus better security! Winner, winner!

Slide 10

ขอขอบคุณ Thank You!

Slide 11

Questions?

Slide 12

OWE Straw Poll

• Option 1: Good idea, we should do it!
• Option 2: Bad idea, let the IETF do it!
• Option 3: I was reading my email and not paying attention, sorry.