WPA3 Enterprise Modes (salient points)

WPA3-Enterprise does not use SAE. Authentication is 802.1X/EAP, and the PMK is derived from the Master Session Key (MSK) produced by the EAP exchange rather than from a password. The WPA3 Specification defines three Enterprise modes of operation. The salient points for each mode, as described in the specification, are as follows:

  • WPA3 Transition mode
    • This mode supports both WPA2 Enterprise (AKM 00-0F-AC:1, 802.1X with SHA-1) and WPA3 Enterprise (AKM 00-0F-AC:5, 802.1X with SHA-256), advertising both AKM suites in the RSNE.
    • As its support for WPA2 Enterprise shows, this mode provides backward compatibility and is used in transitional networks moving from WPA2 Enterprise to WPA3 Enterprise. A client that only understands AKM 00-0F-AC:1 can still join.
    • Protected Management Frame (PMF) is optional in this mode.
      • Access point will set its Management Frame Protection Capable (MFPC) bit to 1 and Management Frame Protection required (MFPR) bit to 0 in its beacon and probe response frames
      • Station will set its Management Frame Protection Capable (MFPC) bit to 1 and Management Frame Protection required (MFPR) bit to 0 in its association request and re-association request frames
    • This uses AES-CCM-128 (CCMP-128) for encryption
    • The key derivation function uses HMAC-SHA-256 when the WPA3 AKM (00-0F-AC:5) is negotiated and HMAC-SHA-1 when the WPA2 Enterprise AKM (00-0F-AC:1) is negotiated
    • WPA3 Enterprise transition mode is not permitted in the 6 GHz band, where WPA3 with PMF required is mandatory.
  • WPA3 Enterprise only mode
    • This mode supports WPA3 mode only (AKM: 00-0F-AC:5)
    • Protected Management frames (PMF) is mandatory for both Access points and clients
      • Both Access point and station need to set MFPC and MFPR bits to 1
    • This mode can use AES-CCM-128 or the stronger AES-GCM-256 for encryption
    • SHA-256 is used during key derivation
  • WPA3 Enterprise 192-bit mode (also termed SUITE B 192b or just SUITE B)
    • This mode is used for higher security and conforms to the NSA Commercial National Security Algorithm (CNSA) Suite
    • The Authentication Key Management (AKM) Suite is (AKM: 00-0F-AC:12)
    • Protected Management frame is mandatory in both Access point and station
      • Both MFPC and MFPR bits need to be set
    • AES-GCM 256 is used for encryption
    • SHA-384 is used during key derivation
    • This mode requires both server and client certificate validation and excludes password-based EAP methods such as PEAP with MSCHAPv2. Hence, EAP-TLS is the supported method for WPA3-Enterprise SUITE B
    • Permitted TLS cipher suites for the EAP-TLS exchange in WPA3 SUITE B (each restricted to 192-bit-strength parameters)
      • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        • ECDHE and ECDSA using the 384-bit prime modulus curve P-384
      • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        • ECDHE using the 384-bit prime modulus curve P-384
        • RSA ≥ 3072-bit modulus
      • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
        • RSA ≥ 3072-bit modulus
        • DHE ≥ 3072-bit modulus
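The three modes above are distinguished on the air purely by what the RSN element (element ID 48) in the beacon or probe response advertises: which AKM suites, which pairwise/group ciphers, and whether the MFPC/MFPR bits are set. The following is an added example (not code from the original post) that parses a raw RSNE, classifies the BSS as WPA2-Enterprise, WPA3-Enterprise transition, WPA3-Enterprise only or WPA3-Enterprise 192-bit, and reports where the advertised ciphers or PMF bits violate the rules listed for that mode. The sample RSNEs are constructed inline with a small builder; the 192-bit check additionally expects BIP-GMAC-256 as the group management cipher, which the WPA3 Specification requires for that mode but the bullet list above does not spell out.

```python
"""Parse an 802.11 RSN element and classify its WPA3-Enterprise mode.

Added example: standalone code, not from the original post. The sample
RSNEs at the bottom are constructed here for illustration.
"""
import struct

OUI = b"\x00\x0f\xac"          # IEEE 802.11 cipher/AKM suite OUI
MFPR = 1 << 6                  # RSN Capabilities bit 6: PMF Required
MFPC = 1 << 7                  # RSN Capabilities bit 7: PMF Capable

# Suite type values under OUI 00-0F-AC (802.11 Tables 9-149 / 9-151)
CCMP_128, GCMP_256, BIP_GMAC_256 = 4, 9, 12
AKM_8021X_SHA1, AKM_8021X_SHA256, AKM_8021X_SUITEB_SHA384 = 1, 5, 12


def _suite(buf, off):
    """Return the suite type of the 4-byte selector at buf[off:off+4]."""
    if buf[off:off + 3] != OUI:
        raise ValueError("non-802.11 OUI in suite selector")
    return buf[off + 3]


def parse_rsne(ie):
    """Decode an RSNE (ID, length, body) into the fields the modes depend on."""
    if ie[0] != 48:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version")
    group = _suite(body, 2)
    off = 6
    (n,) = struct.unpack_from("<H", body, off)
    off += 2
    pairwise = [_suite(body, off + 4 * i) for i in range(n)]
    off += 4 * n
    (m,) = struct.unpack_from("<H", body, off)
    off += 2
    akms = [_suite(body, off + 4 * i) for i in range(m)]
    off += 4 * m
    (caps,) = struct.unpack_from("<H", body, off)
    off += 2
    # Optional trailing fields: PMKID count + list, then group management cipher
    group_mgmt = None
    if off + 2 <= len(body):
        (k,) = struct.unpack_from("<H", body, off)
        off += 2 + 16 * k
        if off + 4 <= len(body):
            group_mgmt = _suite(body, off)
    return {"group": group, "pairwise": pairwise, "akms": akms,
            "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR),
            "group_mgmt": group_mgmt}


def classify(rsne):
    """Return (mode name, list of rule violations) for a parsed RSNE."""
    akms = set(rsne["akms"])
    pmf_required = rsne["mfpc"] and rsne["mfpr"]
    problems = []
    if AKM_8021X_SUITEB_SHA384 in akms:
        mode = "WPA3-Enterprise 192-bit"
        if akms != {AKM_8021X_SUITEB_SHA384}:
            problems.append("192-bit mode must advertise only AKM 00-0F-AC:12")
        if rsne["pairwise"] != [GCMP_256] or rsne["group"] != GCMP_256:
            problems.append("192-bit mode requires GCMP-256 pairwise and group ciphers")
        if rsne["group_mgmt"] != BIP_GMAC_256:
            problems.append("192-bit mode requires BIP-GMAC-256 group management cipher")
        if not pmf_required:
            problems.append("MFPC and MFPR must both be set")
    elif {AKM_8021X_SHA1, AKM_8021X_SHA256} <= akms:
        mode = "WPA3-Enterprise transition"
        if not rsne["mfpc"] or rsne["mfpr"]:
            problems.append("transition mode expects MFPC=1, MFPR=0")
        if rsne["pairwise"] != [CCMP_128]:
            problems.append("transition mode uses CCMP-128")
    elif AKM_8021X_SHA256 in akms:
        mode = "WPA3-Enterprise only"
        if not pmf_required:
            problems.append("MFPC and MFPR must both be set")
        if any(c not in (CCMP_128, GCMP_256) for c in rsne["pairwise"]):
            problems.append("only mode uses CCMP-128 or GCMP-256")
    elif AKM_8021X_SHA1 in akms:
        mode = "WPA2-Enterprise"
    else:
        mode = "not an 802.1X network"
    return mode, problems


def build_rsne(group, pairwise, akms, caps, group_mgmt=None):
    """Build a raw RSNE; used only to construct the sample inputs below."""
    body = struct.pack("<H", 1) + OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(OUI + bytes([a]) for a in akms)
    body += struct.pack("<H", caps)
    if group_mgmt is not None:                       # zero PMKIDs, then group mgmt cipher
        body += struct.pack("<H", 0) + OUI + bytes([group_mgmt])
    return bytes([48, len(body)]) + body


# Constructed sample RSNEs (hypothetical APs, not captured frames)
TRANSITION = build_rsne(CCMP_128, [CCMP_128], [AKM_8021X_SHA1, AKM_8021X_SHA256], MFPC)
ONLY = build_rsne(CCMP_128, [CCMP_128], [AKM_8021X_SHA256], MFPC | MFPR)
SUITEB = build_rsne(GCMP_256, [GCMP_256], [AKM_8021X_SUITEB_SHA384], MFPC | MFPR, BIP_GMAC_256)
# Misconfigured: advertises the 192-bit AKM but with CCMP-128, PMF optional, no BIP-GMAC-256
BAD_SUITEB = build_rsne(CCMP_128, [CCMP_128], [AKM_8021X_SUITEB_SHA384], MFPC)

if __name__ == "__main__":
    for name, ie in [("transition", TRANSITION), ("only", ONLY),
                     ("suiteb", SUITEB), ("bad_suiteb", BAD_SUITEB)]:
        mode, problems = classify(parse_rsne(ie))
        print(f"{name:11s} -> {mode}; problems: {problems or 'none'}")
```

Feeding the RSNE bytes from a captured beacon (for example the `wlan.rsn` element extracted by a packet capture tool) into `parse_rsne` makes it easy to audit whether an AP that claims "192-bit mode" really negotiates GCMP-256 and requires PMF, which is the practical difference between the three modes.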
