Wpa3 support in OpenWrt?

Is WPA3 only a software thing, or does the hardware need to support it? Will LEDE support WPA3?

1 Like

We don't know yet. As far as I know the WPA 3 standard is not even published yet and hostapd Git shows no trace of WPA 3 yet either.

1 Like

@Ansuel, take a look at: https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-security-enhancements

It lists four things:

  • Two of the features will deliver robust protections even when users choose passwords that fall short of typical complexity recommendations, and
  • will simplify the process of configuring security for devices that have limited or no display interface.
  • Another feature will strengthen user privacy in open networks through individualized data encryption.
  • Finally, a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, will further protect Wi-Fi networks with higher security requirements such as government, defense, and industrial.

When?
Another article linked on their site is: https://www.rcrwireless.com/20180108/wireless/wi-fi-kicks-off-2018-with-security-boost-tag6

It states:

–The emergence of next-generation Wi-Fi, or 802.11ax. WFA said that it anticipates that 802.11ax will start making its way into chipsets this year.

Another site (https://www.cnet.com/news/public-wifi-ces-wpa3-security-privacy-online-traffic-safe/) states:

The new security standards won't arrive overnight, Robinson said. The Wi-Fi Alliance only sets the standards, and it can take months or years for router manufacturers to support them and for us to buy the new network gear.
But although the shift from WPA2 to WPA3 will be slow, it should improve security without too much of a technical headache.

1 Like

So what does "WPA3 announced" mean? What is announced? Is there any specification published? Is this just PR for the Wi-Fi Alliance, or have they actually finished the WPA3 specification?

Different sites (https://boundless.aerohive.com/technology/Wi-Fi-Alliance-Announces-WPA3-At-CES.html, or just google) already leaked some information about the draft:

Details will hopefully emerge when the WFA "standard" is released in 2018 (or 2019?). I also read things about brute-force protection, but I am not sure what is meant here and whether someone is actually adding it to the standard. The CNSA sounds like an EAP (RADIUS) server thing. And DPP is also mentioned on some sites but not on most, but work is currently being done to get DPP working with QR codes and similar things in hostapd (aka WPS done right this time?). It could be that DPP is not part of WPA3, because WPS is also not part of WPA2.

You just gotta love it when Wi-Fi Alliance does marketing and promises a lot of stuff without even having a draft of the standard.
Until a draft is published nothing is certain.
Hopefully it should be done this year.

1 Like

All,

https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-wi-fi-certified-wpa3-security

https://www.wi-fi.org/discover-wi-fi/security

https://www.wi-fi.org/file/wpa3-specification-v10

I read that WPA3 is software, so I think we can add support for it...

1 Like

Of course, there's the question of client support as well. There's a "WPA3-Personal Transition Mode" for non-enterprise APs, which likely would need to be implemented during the 5-10+ years until WPA2 devices are either updated or replaced.

A WPA3-Personal access point (AP) in transition mode enables WPA2-Personal and WPA3-Personal simultaneously on a single basic service set (BSS) to support client devices using a mix of WPA2-Personal and WPA3-Personal with the same passphrase. Client devices that support both WPA2-Personal and WPA3-Personal connect using the higher-security method of WPA3-Personal when available. To ensure interoperability with legacy devices that do not support PMF, WPA3-Personal Transition Mode configures the network as PMF capable (Management Frame Protection Capable bit = 1 and Management Frame Protection Required bit = 0), rather than PMF required.

The full benefits of WPA3-Personal are only available when not operating in WPA3-Personal Transition Mode. Once WPA3-Personal availability reaches a sufficient level amongst client devices, network owners should disable WPA3-Personal Transition Mode.

Having read through the "specs", they don't look "directly actionable" in their detail. Most are 7 pages or less.

If there is more and it can be truly a software-only implementation, I would think that hostap would implement it.

http://lists.infradead.org/pipermail/hostap/2018-March/038334.html

The master branch of hostap.git includes support for WPA3 and DPP.

I read that WPA3 improves security, so we just need hardware capable of hardware encryption... Any modern router should already support it...

If you find the commit that adds WPA3 support to hostapd, I can try to make a backport patch!

1 Like

At least as I read Wi-Fi CERTIFIED WPA3 Technology Overview.pdf, the primary security "improvement" is not any "new" crypto for non-enterprise networks, but primarily the replacement of PSK with SAE along with mandating CCMP and protected management frames (the latter of the two already are available with WPA2, but not mandated).

Of those, SAE is the "most interesting" as it helps reduce the risk of password extraction/guessing. SAE is already used by 802.11s.

1 Like

I sent a mail to the hostapd mailing list...

They say that WPA3 is already supported, but I can't find any commit in the git repo...

Any idea?

Well, WPA3 feels more like an extension to WPA2 than something completely new. You can find the spec documents (on github :smile: ) and many articles on the web about "WPA3 features"... and their implications.
(Sorry, but I'm not going to write them all down.)

When you know what feature(s) you are most interested in, then enable the options in the hostapd & wpa_supplicant build config:

CONFIG_OWE - Opportunistic wireless encryption
(encryption without authentication - that thing that is useful for (public) hotspots)

CONFIG_DPP - Device Provisioning Protocol ( Wi-Fi Easy Connect(TM) )
(The "Connect an IoT device with the help of your smartphone" feature.)

CONFIG_SAE - Simultaneous Authentication of Equals
(This is the PSK replacement. It's resistant to offline dictionary attacks, it implements forward secrecy, etc.)

(CONFIG_SUITEB)
CONFIG_SUITEB192
(Optional 192-bit security mode for "WPA3-Enterprise")

(Note: You probably want to build the "full" variant. And if you are planning to build wpa_supplicant or wpad, you'll have to enable 11W in the wpa_supplicant build config... as well as openssl (ideally of course with openssl 1.1.x - of course wolfssl could work as well, but I haven't tested that one yet). So: pick your poison :tropical_drink: )

(Note2: Of course: OWE, SAE need to be configured on the OpenWrt device too. Luckily, you can find some notes in the current hostapd.conf about how to enable and use these things.)

good luck :signal_strength: :metal:

Ummmm, so we still don't have WPA3, but we have the modes that require WPA3, right?

As soon as there are some WPA3 clients, all the hooks appear to be in place in the master branch of hostap. Someday some hooks in LuCI likely would be helpful, but I'm not holding my breath for WPA3 Wi-Fi Certified compliant client devices in the next year or two. Or five...

I agree with @chunkeey's assessment, an extension to WPA2 -- there isn't anything new in terms of benefit for most home users other than SAE instead of PSK, and maybe that DPP is somewhat better than the mess of the WPA2 easy-connect debacle.

How do I use WPA3 then if it's included in master?

I have a WLAN where all devices should be capable of WPA3. I'm ready to test!

Well, from what I know, only the SAE part (CONFIG_SAE) is really a required part of the WPA3 spec. OWE, DPP and the NSA Suite-B 192-bit ciphers are optional / feature specific.

So you just have to enable the options in the hostapd and wpa_supplicant build config files (it's easier to start from the -full + -openssl variants). Then build and install the package... And you are "Done"...

Well not really, you'll have to "know" what you are doing in regards to the runtime-config generation. And most importantly you have to know what you actually want. As far as SAE goes, it introduces a couple of new parameters that sort of either replaces or extends the "wpa_passphrase".

For now, the easiest way to deal with them at the moment is to specify them with the help of the "hostapd_options" in uci /e/c/wireless. From what I can tell, the "full" integration into the existing hostapd.sh and LuCI will be really tricky though. Unless of course you have no problems running your own custom solution.

3 Likes

Is it chipset specific, or is only driver support needed? Looking at the AR9271 datasheet, there is no mention of 11w, yet the client driver for Windows exposes an MFP option in the advanced settings.

Well, I don't want to post the WPA3_Specification_v1.0.pdf here. But if you get the document (the version I have is just 7 pages!), go look in Sections 2.1.1 and 2.1.2; it tells you there that the Protected Management Frames feature is required for SAE.
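
The PMF rule above and the transition-mode description quoted earlier (MFP capable = 1, MFP required = 0, i.e. ieee80211w=1 for mixed WPA2/WPA3, ieee80211w=2 for WPA3-only) can be checked mechanically before a config is handed to hostapd. The following is an added example written for this thread, not code from hostapd or OpenWrt; the two config fragments are constructed samples, and the rules it applies are only the ones stated in this thread.

```python
# Added example, not hostapd or OpenWrt code: lint a hostapd.conf fragment
# against the WPA3-Personal rules quoted in this thread. Samples are constructed.

def parse_hostapd_conf(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_wpa3_personal(conf):
    """Return the problems found; an empty list means the BSS config is consistent.
    Rules: SAE needs PMF; WPA3-only requires PMF (ieee80211w=2); transition mode
    (WPA-PSK + SAE) is PMF capable, not required (ieee80211w=1); CCMP only."""
    problems = []
    akms = set(conf.get("wpa_key_mgmt", "").split())
    pmf = int(conf.get("ieee80211w", "0"))  # hostapd default is 0 (disabled)
    if "SAE" not in akms:
        return ["wpa_key_mgmt lacks SAE: this is not WPA3-Personal"]
    if pmf < 1:
        problems.append("SAE requires PMF: ieee80211w=1 (transition) or 2 (WPA3-only)")
    if "WPA-PSK" in akms and pmf != 1:
        problems.append("transition mode should use ieee80211w=1 so WPA2 clients can join")
    if "WPA-PSK" not in akms and pmf != 2:
        problems.append("WPA3-only should require PMF: ieee80211w=2")
    if set(conf.get("rsn_pairwise", "").split()) != {"CCMP"}:
        problems.append("rsn_pairwise must be exactly CCMP (no TKIP)")
    if "sae_password" not in conf and "wpa_passphrase" not in conf:
        problems.append("SAE needs sae_password (hostapd falls back to wpa_passphrase)")
    return problems

# Constructed sample: WPA2/WPA3 transition mode on one BSS, as described in the thread.
TRANSITION_MODE = """\
wpa=2
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
ieee80211w=1
wpa_passphrase=constructed-sample-passphrase
"""

# Constructed sample: SAE enabled but PMF left at the default, which the spec forbids.
SAE_WITHOUT_PMF = """\
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=constructed-sample-passphrase
"""
```

Running `check_wpa3_personal(parse_hostapd_conf(...))` on the first sample returns no problems, while the second is flagged twice for the missing PMF setting.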

Any news on that? Would be great to have WPA3 support for open wifi. Having traffic encryption to each client in an open wlan would be awesome.

I don't think that it's important to have a WPA3 closed-source device first. It would be a great benefit also in the worldwide press when OpenWrt is the first firmware that supports WPA3. Client and AP mode can be done in OpenWrt itself.
So WPA3 support would be first available to people on the planet for free software users of free WLAN devices with free ath9k chipsets. That would be awesome.

PS: Could someone rename the topic here from lede to OpenWrt?