Understanding OWE operation from the Aruba Networks demo presented at MFD3.
Aruba Networks Demos OWE
Opportunistic Wireless Encryption (OWE) is a security improvement coming to open SSIDs. It’s aimed at securing the insecure. We see it everywhere. A Wi-Fi network completely open for clients to join. It’s unencrypted traffic between clients and the AP.
OWE was demoed by Aruba Networks at Mobility Field Day 3 (MFD3) and I was able to capture the frames during the demo. Aruba needed to build a custom supplicant using Ubuntu in order for this demo to work since there are no working clients supporting OWE yet.
There was an AP broadcasting an SSID, MFD-OWE, in OWE Transition Mode.
An SSID in OWE Transition Mode will utilize 2 BSSIDs. One for the Open SSID, for clients that do not support OWE, and another BSSID for the OWE-capable SSID. That’s something to keep in mind for OWE Transition Mode.
When most clients support OWE, an SSID strictly supporting OWE can be configured.
In the demo, Aruba Networks created a custom supplicant within Ubuntu since there are no OWE capable clients available. In a Probe Response to the client, there will be an Information Element containing the BSSID and SSID for an OWE-capable client to send a Probe Request to.
The client sends a Probe Request frame to the OWE SSID, which is a hidden SSID.
Within the Association Request frame, the client will include an RSN Information Element. Within that RSNIE there will be the MFP requirement needed in OWE.
After association a 4-way handshake will follow and when complete, transmissions will be encrypted.
Information you’ll need for the pcap file:
Open SSID: MFD-OWE
BSSID of MFD-OWE: 20:a6:cd:60:00:b0
OWE SSID: _owetm_MFD-OWE2340208851
BSSID: 20:a6:cd:60:00:b1
Client MAC: 9c:b6:d0:d7:ce:dd
