WPA3 support in OpenWrt?

I sent a mail to the hostapd mailing list...

They say that WPA3 is already supported, but I can't find any commit in the git repo...

Any idea?

Well, WPA3 feels more like an extension to WPA2 than something completely new. You can find the spec documents (on github :smile: ) and many articles on the web about "WPA3 features"... and their implications.
(Sorry, but I'm not going to write them all down.)

When you know which feature(s) you are most interested in, then enable the options in the hostapd & wpa_supplicant build config:

CONFIG_OWE - Opportunistic wireless encryption
(encryption without authentication - that thing that is useful for (public) hotspots)

CONFIG_DPP - Device Provisioning Protocol ( Wi-Fi Easy Connect(TM) )
(The "Connect an IoT device with the help of your smartphone" feature.)

CONFIG_SAE - Simultaneous Authentication of Equals
(This is the PSK replacement. It's resistant to offline dictionary attacks. It implements forward secrecy, etc.)

(CONFIG_SUITEB)
CONFIG_SUITEB192
(Optional 192-bit security mode for "WPA3-Enterprise")

(Note: You probably want to build the "full" variant. And if you are planning to build wpa_supplicant or wpad, you'll have to enable 11W in the wpa_supplicant build config... as well as openssl (ideally, of course, with openssl 1.1.x - of course wolfssl could work as well, but I haven't tested that one yet). So: Pick your poison :tropical_drink: )

(Note2: Of course: OWE, SAE need to be configured on the OpenWrt device too. Luckily, you can find some notes in the current hostapd.conf about how to enable and use these things.)

good luck :signal_strength: :metal:

Ummmm, so we still don't have WPA3, but we have the modes that require WPA3, right?

As soon as there are some WPA3 clients, all the hooks appear to be in place in the master branch of hostap. Someday some hooks in LuCI likely would be helpful, but I'm not holding my breath for WPA3 Wi-Fi Certified compliant client devices in the next year or two. Or five...

I agree with @chunkeey's assessment, an extension to WPA2 -- there isn't anything new in terms of benefit for most home users other than SAE instead of PSK and maybe that the DPP is somewhat better than the mess of the WPA2 easy-connect debacle.

How do I use WPA3 then if it's included in Master?

I have a WLAN where all devices should be capable of WPA3. I'm ready to test!

Well, from what I know only the SAE part (CONFIG_SAE) is really a required part of the WPA3 spec. OWE, DPP and the NSA Suite-B 192Bit ciphers are optional / feature specific.

So you just have to enable the options in the hostapd and wpa_supplicant build config files (it's easier to start from the -full + -openssl variants). Then build and install the package... And you are "Done"...

Well, not really: you'll have to "know" what you are doing in regards to the runtime-config generation. And most importantly, you have to know what you actually want. As far as SAE goes, it introduces a couple of new parameters that sort of either replace or extend the "wpa_passphrase".

For now, the easiest way to deal with them at the moment is to specify them with the help of the "hostapd_options" in uci /e/c/wireless. From what I can tell, the "full" integration into the existing hostapd.sh and LuCI will be really tricky though. Unless of course you have no problems running your own custom solution.

3 Likes

Is it chipset-specific, or is only driver support needed? Looking at the ar9271 datasheet, there is no mention of 11w, yet the client driver for Windows exposes an MFP option in advanced settings.

Well, I don't want to post the WPA3_Specification_v1.0.pdf here. But if you get the document (the version I have is just 7 pages!), go look in Sections 2.1.1 and 2.1.2: it tells you there that the Protected Management Frames feature is required for SAE.
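A runtime check of the PMF requirement mentioned above, as an added example rather than anything posted in the thread: it reads a hostapd.conf and verifies that `ieee80211w` is enabled whenever `wpa_key_mgmt` lists SAE. Assumptions: SAE-only needs `ieee80211w=2`, SAE next to WPA-PSK accepts 1 or 2; the function names and sample files are constructed.

```shell
#!/bin/sh
# Added example: check that a hostapd.conf enabling SAE also enables PMF.

# conf_get FILE KEY: value of the last uncommented KEY= line (empty if none).
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_sae_pmf FILE: prints a verdict; returns 1 if SAE is on without PMF.
check_sae_pmf() {
    akm=$(conf_get "$1" wpa_key_mgmt)
    pmf=$(conf_get "$1" ieee80211w)
    pmf=${pmf:-0}   # a missing ieee80211w means 0 (disabled) in hostapd
    case " $akm " in
        *" SAE "*) ;;
        *) echo "skip: no SAE in wpa_key_mgmt"; return 0 ;;
    esac
    # Assumption: SAE-only requires PMF (2); SAE beside WPA-PSK may leave it optional (1).
    case " $akm " in
        *" WPA-PSK "*) ok="1 2" ;;
        *)             ok="2" ;;
    esac
    case " $ok " in
        *" $pmf "*) echo "ok: ieee80211w=$pmf"; return 0 ;;
    esac
    echo "bad: wpa_key_mgmt='$akm' with ieee80211w=$pmf"
    return 1
}

# Constructed sample configs, written to a temp dir for the demo.
CONFS=$(mktemp -d)
printf 'ssid=test\nwpa=2\nwpa_key_mgmt=SAE\nieee80211w=2\n' > "$CONFS/sae_only.conf"
printf 'ssid=test\nwpa=2\nwpa_key_mgmt=WPA-PSK SAE\nieee80211w=1\n' > "$CONFS/mixed.conf"
printf 'ssid=test\nwpa=2\nwpa_key_mgmt=SAE\n' > "$CONFS/no_pmf.conf"
for f in "$CONFS"/*.conf; do
    printf '%s: ' "${f##*/}"
    check_sae_pmf "$f" || true
done
```
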

Any news on that? Would be great to have WPA3 support for open wifi. Having traffic encryption to each client in an open wlan would be awesome.

I don't think that it's important to have a WPA3 closed-source device first. It would also be a great benefit in the worldwide press if OpenWrt is the first firmware that supports WPA3. Client and AP mode can be done in OpenWrt itself.
So WPA3 support available for the people on the planet would be first available for free software users of free WLAN devices with free ath9k chipsets. That would be awesome.

PS: Could someone rename the topic here from lede to OpenWrt?

An interesting post by someone who got it to work:

1 Like

From what I understood previously, and from your link, OpenWrt needs:

  • to enable the CONFIG_SAE flag in wpad-mini and/or wpad
  • add WPA3 "stuff" to LuCI and UCI
  • DONE!
2 Likes

Well, wpad-mini will probably need 11W too, since WPA3 hijacks the MFP feature bits. But otherwise yes: uci/LuCI is holding it back since nobody knows how complete the uci/LuCI integration should be.

2 Likes

Funny this topic is coming up now, I'm playing with my A5V11 to see if I can get WPA3 to work on it.

Note that it appears you need either OpenSSL or WolfSSL, so the wpad-mini won't work (simply enabling SAE causes it to fail during compile).

I've built a build with CONFIG_SAE and CONFIG_OWE set on wpad-wolfssl and it seems to compile just fine. I'm just trying to get it to fit into 4MB of flash along with zram and Luci (if I minify lua sources I can get it to fit, but I want to play around with non-minified sources).

I'm trying now to compile wpad-mini with a reference with WolfSSL and SAE/OWE, we'll see how that works...
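A build-config check for the prerequisites named in this thread (CONFIG_SAE, 11W, and an OpenSSL or WolfSSL crypto backend), as an added example that is not from any poster or from the OpenWrt or hostapd trees. It assumes `CONFIG_IEEE80211W` is the flag meant by "11W" and that `CONFIG_TLS` selects the backend; the function names and sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check a hostapd/wpa_supplicant build
# config for the WPA3 prerequisites the posters name.

# has_flag FILE NAME: true if FILE has an uncommented NAME=y line.
has_flag() {
    grep -Eq "^[[:space:]]*$2=y[[:space:]]*\$" "$1"
}

# tls_backend FILE: value of the last CONFIG_TLS= line, or "unset".
tls_backend() {
    v=$(sed -n 's/^[[:space:]]*CONFIG_TLS=\([A-Za-z0-9_]*\).*/\1/p' "$1" | tail -n 1)
    echo "${v:-unset}"
}

# check_wpa3_build FILE: one line per problem; returns 0 only when clean.
check_wpa3_build() {
    cfg=$1; rc=0
    has_flag "$cfg" CONFIG_SAE || { echo "missing CONFIG_SAE=y"; rc=1; }
    # Assumption: CONFIG_IEEE80211W is the build flag the thread calls "11W".
    has_flag "$cfg" CONFIG_IEEE80211W || { echo "missing CONFIG_IEEE80211W=y"; rc=1; }
    tls=$(tls_backend "$cfg")
    case $tls in
        openssl|wolfssl) ;;
        # "unset" is reported too, so the backend is chosen explicitly.
        *) echo "CONFIG_TLS=$tls (need openssl or wolfssl)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs, written to a temp dir for the demo.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/mini.config" <<'EOF'
# constructed: mini-style build with SAE switched on and nothing else
CONFIG_TLS=internal
CONFIG_SAE=y
#CONFIG_IEEE80211W=y
EOF
cat > "$SAMPLES/full.config" <<'EOF'
# constructed: full build on wolfssl
CONFIG_TLS=wolfssl
CONFIG_IEEE80211W=y
CONFIG_SAE=y
CONFIG_OWE=y
EOF
for f in "$SAMPLES"/*.config; do
    echo "== ${f##*/}"
    check_wpa3_build "$f" || true
done
```
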

wpad-mesh supports SAE for 802.11s and may be sufficient. Selecting the "full" wpad might be an easier path to follow than trying to "hack" wpad-mini into submission, at least for exploratory purposes.

1 Like

I have a feeling you're right...

1 Like

Heads-up: @hauke posted his initial WPA3 patches.
http://lists.infradead.org/pipermail/openwrt-devel/2018-October/014182.html

This adds basic support for SAE which is the new WPA3-PSK SAE mode and
OWE. For OWE the options to configure the transition mode are still
missing. WPA3 Enterprise support is still missing.

It would be nice if this gets some testing, currently I only tested it
with a Linux client using hostapd, are there any other clients
available?

This can also be found here:
https://git.openwrt.org/?p=openwrt/staging/hauke.git;a=shortlog;h=refs/heads/hostapd
I will update the branch more often than these mails.

I read that WPA3 is not supported in most phones. Any news on this?

You're probably like a year early or so

I mean, I read that hostapd pushed support for SAE mode about 1 year ago, so any device older than 1 year (or anything not compiled with SAE support) will not run, or will run but with SAE disabled?

I also read that WPA3 includes a hybrid mode that makes WPA2-only devices compatible with WPA3.