What is the difference between WPA2-PSK and WPA3-personal?

Introduction

The Wi-Fi Alliance announced Wi-Fi CERTIFIED WPA3™ as a set of security improvements to keep pace with the growing use of Wi-Fi.

WPA3 was initially an optional item in the certification tests, but it becomes a mandatory item from July 1, 2020.

This time, I will run WPA3-personal on Qualcomm's Wi-Fi product, explain how to check the console and logs to confirm that the connection really used WPA3-personal, and describe how it differs from WPA2-PSK.

What is WPA3?

A Wi-Fi security protocol that succeeds WPA2.

It provides enhanced security through stronger password-based authentication, an advanced encryption protocol, and PMF (Protected Management Frames).

WPA3 provides WPA3-personal, which is equivalent to WPA2-PSK, and WPA3-Enterprise, which is equivalent to WPA2-EAP.

In addition, Transition mode maintains WPA2 compatibility to ensure connectivity with older devices.

What is WPA3-personal?

This is a WPA3 security protocol that uses a password (PSK: Pre-Shared Key) and succeeds WPA2-PSK.

With WPA2-PSK, the user entered the password (PSK) printed on the access point and a fixed PMK (Pairwise Master Key) was derived from it (PSK = PMK). In WPA3-personal, the key exchange protocol uses the SAE algorithm, so a different PMK is generated from the same password for each connection.

*Similar technology is also used in Wi-Fi CERTIFIED Enhanced Open™.

This resulted in the following improvements:

Reduced risk of weak passwords being recovered, and improved resistance to dictionary attacks

Past traffic cannot be decrypted even if the password later leaks

In addition, PMF provides encryption of management frames.

It also maintains WPA2-PSK connectivity by supporting Transition mode, which accepts both WPA2 and WPA3 clients.

This time, we will introduce how to connect with WPA3-personal using Qualcomm's QCA9377 evaluation board.

Advance preparation

This time, I used Qualcomm's QCA9377 USB interface module.

* There is also an SDIO interface module, but because the PC would need an SDIO port, the USB module is used this time.

Check out this link for Qualcomm's Wi-Fi product lineup.

QCA9377 USB interface module

 

If you would like the QCA9377 module/SDK/setup manual, please contact us using the inquiry button at the bottom of the page.

Because a USB module is used this time, the PC is set up with Ubuntu 14.04 and kernel 4.14, the combination recommended by Qualcomm.

Extract the SDK and follow the steps in the manual to build the WLAN driver, firmware, and wpa_supplicant.

Copy the build artifacts to the paths below:

/lib/modules/wlan.ko
/lib/firmware/wlan/qcom_cfg.ini
/lib/firmware/*.bin
/bin/wpa_supplicant

Compared with earlier versions, WPA3-personal requires additional configuration and handling in each of the WLAN driver, the firmware, and wpa_supplicant.

The Qualcomm SDK builds modules that already include these settings and processing.

Add network information to wpa_supplicant.conf

network={
    ssid="wpa3-ap"
    key_mgmt=SAE
    psk="1234567890"
    pairwise=CCMP
    priority=10
    ieee80211w=2
}

To connect with WPA3-personal, the mandatory items that differ from WPA2-PSK are key_mgmt and ieee80211w.

WPA3 requires PMF (except in Transition mode), so you need to set ieee80211w=2 (Required).

Settings on the access point side

Change access point settings.

The setting method differs depending on the model.

*As of June 2020, various manufacturers have released WPA3-personal compatible products.

Connection

Now try to connect.

The access point information has already been entered in the network section of wpa_supplicant.conf, so the station connects automatically during the scan that runs right after wpa_supplicant starts.

$ sudo service network-manager stop
$ sudo modprobe cfg80211
$ sudo insmod /lib/modules/wlan.ko
$ sudo wpa_supplicant -ddd -K -i wlan0 -D nl80211 -c <path to wpa_supplicant.conf> &

Check connection information

Try using wpa_cli to check the connection information.

$ sudo wpa_cli -i wlan0 status

You can confirm that key_mgmt is SAE.

pmf is set to '2 (Required)', meaning PMF is required (it would only be optional in Transition mode).

(Determined through negotiation between station settings (ieee80211w=2) and access point settings.)

The following two parameters were not set, so their default values are in use:

mgmt_group_cipher=BIP

sae_group=19
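As an added example (not part of the original article or the Qualcomm SDK), the following script automates the check described above: it parses the key=value output of wpa_cli status together with the network block from wpa_supplicant.conf and reports whether the association really negotiated SAE with PMF required, or whether a Transition-mode access point quietly accepted the station with WPA2-PSK. The two status texts and the BSSID/MAC values are constructed samples modelled on the fields the article mentions; only the wpa_cli command line in live_status() is the real tool.

```python
import re
import subprocess

# Constructed sample of `wpa_cli -i wlan0 status` output after a WPA3-personal
# association (MAC addresses are made up).
SAMPLE_STATUS_WPA3 = """\
bssid=00:11:22:33:44:55
freq=5180
ssid=wpa3-ap
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=SAE
pmf=2
mgmt_group_cipher=BIP
sae_group=19
wpa_state=COMPLETED
address=66:77:88:99:aa:bb
"""

# Constructed sample of the same station after a Transition-mode access point
# accepted it with WPA2-PSK instead of SAE (PMF only optional).
SAMPLE_STATUS_FALLBACK = """\
bssid=00:11:22:33:44:55
freq=2437
ssid=wpa3-ap
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2-PSK
pmf=1
wpa_state=COMPLETED
"""

# The network block from the article, in the one-line form in which it appeared.
SAMPLE_CONF = ('network={     ssid="wpa3-ap"     key_mgmt=SAE     psk="1234567890"'
               '     pairwise=CCMP     priority=10     ieee80211w=2 }')


def parse_kv(text):
    """Turn key=value lines (wpa_cli status output or a network block body) into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip().strip('"')
    return fields


def parse_network_block(conf_text):
    """Extract the first network={...} block, whether written on one line or many."""
    match = re.search(r"network=\{(.*?)\}", conf_text, re.S)
    if not match:
        raise ValueError("no network={...} block found")
    # In the one-line form, fields are separated by runs of spaces; put each on its own line.
    body = re.sub(r"\s+(?=[A-Za-z0-9_]+=)", "\n", match.group(1))
    return parse_kv(body)


def assess_wpa3(status, network):
    """Compare the negotiated association (status) against the configured network.

    Returns (is_wpa3_personal, findings). An empty findings list means the station
    really is on WPA3-personal with PMF required, as the article expects.
    """
    findings = []
    key_mgmt = status.get("key_mgmt", "")
    allowed = network.get("key_mgmt", "").split()

    if key_mgmt != "SAE":
        findings.append(f"key_mgmt={key_mgmt or 'unset'}: not an SAE (WPA3-personal) association")
        if "WPA-PSK" in allowed:
            findings.append("config lists WPA-PSK next to SAE (Transition mode), so a WPA2-PSK fallback was permitted")
    if status.get("pmf") != "2":
        findings.append(f"pmf={status.get('pmf', 'unset')}: PMF was not negotiated as Required")
    if network.get("ieee80211w") != "2" and "WPA-PSK" not in allowed:
        findings.append("SAE-only network should set ieee80211w=2 because WPA3 requires PMF")
    if status.get("pairwise_cipher") == "TKIP":
        findings.append("TKIP pairwise cipher: WPA3 requires CCMP or GCMP")
    return (not findings), findings


def live_status(ifname="wlan0"):
    """Fetch the real status from a running wpa_supplicant (needs root, as in the article)."""
    out = subprocess.run(["sudo", "wpa_cli", "-i", ifname, "status"],
                         check=True, capture_output=True, text=True).stdout
    return parse_kv(out)


if __name__ == "__main__":
    network = parse_network_block(SAMPLE_CONF)
    for label, text in (("WPA3", SAMPLE_STATUS_WPA3), ("fallback", SAMPLE_STATUS_FALLBACK)):
        ok, findings = assess_wpa3(parse_kv(text), network)
        print(label, "OK" if ok else "NOT WPA3-personal:", *findings, sep="\n  ")
```

Replace the sample status with live_status("wlan0") on the evaluation board to check the real association; the fallback case is the one to watch for when a network block lists both SAE and WPA-PSK, because the station then has no way to insist on SAE.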

wpa_supplicant logs

Key information (the PMK) is written to the log because the -K option was given in the wpa_supplicant startup parameters.

First connection:

Second connection:

In WPA2-PSK, the same PMK is generated each time from the password entered by the user, but in WPA3-personal, based on the password, SAE is used in the authentication phase to generate a different PMK each time.

As a result, even if the password leaks, the PMK is different for every connection, so previously captured traffic cannot be decrypted.
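The difference between the two log screenshots, and the PSK = PMK statement in the WPA3-personal section above, can be reproduced offline. The following is an added example, not code from the article or from Qualcomm. The WPA2-PSK half is the real IEEE 802.11 derivation (PMK = PBKDF2-HMAC-SHA1 over the passphrase and SSID, 4096 iterations, 256 bits), which is why the first and second connection show the same PMK. The "SAE-like" half is deliberately a toy stand-in: a plain Diffie-Hellman exchange over a small prime, keyed with the password, chosen only to show why a fresh secret on each side yields a different PMK per connection. It is not the Dragonfly exchange real SAE uses, and TOY_P, TOY_G and the class names are assumptions for this illustration.

```python
import hashlib
import hmac
import secrets


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).

    This is the standard derivation, so the PMK is identical for every connection,
    and anyone who knows the passphrase and SSID can recompute it.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


# Toy Diffie-Hellman parameters, chosen only for this illustration (assumption,
# NOT an SAE group): the 127-bit Mersenne prime and a small generator.
TOY_P = (1 << 127) - 1
TOY_G = 5


class SaeLikePeer:
    """One side of a simplified password-keyed ephemeral exchange (stand-in for SAE)."""

    def __init__(self, password: str):
        self.password = password.encode("utf-8")
        self.private = secrets.randbelow(TOY_P - 2) + 1   # fresh secret for every connection
        self.public = pow(TOY_G, self.private, TOY_P)     # the value sent in the "Commit"

    def derive_pmk(self, peer_public: int) -> bytes:
        shared = pow(peer_public, self.private, TOY_P)
        # Key the result with the password so only a password holder reaches the same PMK.
        # (Real SAE instead derives the group element itself from the password.)
        return hmac.new(self.password, shared.to_bytes(16, "big"), hashlib.sha256).digest()


def sae_like_connection(password: str) -> bytes:
    """Run one station/AP exchange and return the PMK both sides agree on."""
    station, ap = SaeLikePeer(password), SaeLikePeer(password)
    pmk_station = station.derive_pmk(ap.public)
    pmk_ap = ap.derive_pmk(station.public)
    if pmk_station != pmk_ap:
        raise RuntimeError("peers disagree on PMK")  # cannot happen with matching passwords
    return pmk_station


def wpa2_pmk_is_stable(passphrase: str, ssid: str, rounds: int = 3) -> bool:
    """True: repeating the WPA2-PSK derivation always gives the same PMK."""
    return len({wpa2_pmk(passphrase, ssid) for _ in range(rounds)}) == 1


def sae_like_pmk_is_fresh(password: str, rounds: int = 3) -> bool:
    """True: every run of the ephemeral exchange gives a different PMK for the same password."""
    return len({sae_like_connection(password) for _ in range(rounds)}) == rounds


if __name__ == "__main__":
    # Values from the article's network block, used here only as sample input.
    print("WPA2 PMK, connection 1:", wpa2_pmk("1234567890", "wpa3-ap").hex())
    print("WPA2 PMK, connection 2:", wpa2_pmk("1234567890", "wpa3-ap").hex())
    print("SAE-like PMK, connection 1:", sae_like_connection("1234567890").hex())
    print("SAE-like PMK, connection 2:", sae_like_connection("1234567890").hex())
```

In the WPA2 case a captured 4-way handshake plus the passphrase is enough to rebuild the PMK and hence the session keys for any past connection; in the ephemeral exchange a listener who later learns the password still lacks the private values, so recorded sessions stay protected. That is the forward-secrecy property the article attributes to SAE, here demonstrated with a toy exchange rather than Dragonfly.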

 

Check Sniffer logs with Wireshark

In the WPA2 Authentication frame, the Authentication algorithm is "Open System".

In WPA3 it is "Simultaneous Authentication of Equals (SAE)", and the Authentication frame is exchanged twice (Commit and Confirm).

During this exchange the key (PMK) is generated using the Dragonfly key exchange.

Once the Authentication frame exchange is complete, SAE is indicated as the AKM in the Association frame.

After that, the keys used for frame encryption are derived through a 4-way handshake, as in WPA2.

Summary

WPA3-personal employs SAE to make guessing the PMK impossible and to improve the security of password authentication.

Going forward, WPA3 will become a mandatory item in Wi-Fi Alliance certification tests, and market demand for WPA3 is expected to grow.

 

Qualcomm has a lineup of WPA3-personal compatible products.

If you are interested, please contact us below.
