This is the third in a series of continuing blogs about Wi-Fi 6E and the new spectrum bonanza in the 6 GHz frequency band. This blog will summarize the latest Wi-Fi security certification enhancements and discuss how they relate to Wi-Fi security considerations for the 6 GHz frequency band. The Wi-Fi Alliance began certifying 802.11ax technology in August 2019, with a new certification called Wi-Fi CERTIFIED 6. In late 2020, the Wi-Fi Alliance announced Wi-Fi 6E as an “extension” for certifying the 802.11ax features and capabilities of Wi-Fi 6 to the 6 GHz band. Wi-Fi 6E is the industry name that identifies Wi-Fi devices that operate in 6 GHz. And as shown in Figure 1, many of the world regions are making all or portions of the 6 GHz frequency band available for Wi-Fi. As of this writing, 42 countries have approved new regulations for the unlicensed use of 6 GHz. The Wi-Fi Alliance maintains a web page with a current list of countries enabling Wi-Fi in the 6 GHz band: https://www.wi-fi.org/countries-enabling-wi-fi-6e.

Figure 1 – 6 GHz Wi-Fi through the world

Prior to the expected 6 GHz Wi-Fi bonanza, ongoing enhancements have also been made towards shoring up Wi-Fi security with both WPA3 and Enhanced Open for all Wi-Fi frequencies. As to be expected, there will be Wi-Fi security considerations when deploying Wi-Fi in the 6 GHz frequency band. The Wi-Fi Alliance will require WPA3 security certification for Wi-Fi 6E devices that will operate in the 6 GHz band. Furthermore, support for Enhanced Open security certification will also be mandatory.

In August 2019, the Wi-Fi Alliance began testing APs and clients for the Wi-Fi Certified WPA3 certification. Wi-Fi Protected Access 3 (WPA3) defines enhancements to the existing WPA2 security capabilities for 802.11 radios. It supports new security methods, disallows outdated legacy protocols, and requires the use of management frame protection (MFP) to maintain the resiliency of mission-critical networks. WPA3-Personal Leverages Simultaneous Authentication of Equals (SAE) to protect users against password-guessing attacks. WPA3- Enterprise now offers an optional equivalent of 192-bit cryptographic strength.

WPA3-Personal

By far, the most significant change defined by WPA3 is the replacement of PSK authentication with Simultaneous Authentication of Equals (SAE), which is resistant to offline dictionary attacks. SAE is based on a Dragonfly key exchange. Dragonfly is a patent-free and royalty-free technology that uses a zero-knowledge proof key exchange, which means a user or device must prove knowledge of a password without revealing the password. Think of SAE as a more secure PSK authentication method. The goal is to provide the same user experience by still using a passphrase. However, the SAE protocol exchange protects the passphrase from brute-force dictionary attacks. The passphrase is never sent between Wi-Fi devices during the SAE exchange.

As shown in Figure 2, an SAE process consists of a commitment message exchange and a confirmation message exchange. The commitment exchange is used to force each radio to commit to a single guess of the passphrase. Next, the confirmation exchange is used to prove that the password guess was correct. The passphrase is used in SAE to deterministically compute a secret password element used for the authentication and key exchange protocol. Once the SAE exchanges are complete, a unique pairwise master key (PMK) is derived and installed on both the AP and the client station. The PMK is the seeding material for the 4-Way Handshake that is used to generate dynamic encryption keys. SAE authentication is performed prior to association. Once the PMK is created and the association process completes, the AP and the client can then commence a 4-Way Handshake to create a pairwise transient key (PTK). The PTK is the dynamically generated key used to encrypt unicast traffic.