Let’s just call a spade a spade. And by that I mean that Aruba Networks played their trump card at Mobility Field Day 3 (MFD3), and it was the Ace of Spades.
For three days, delegates of MFD3 listened to vendors talk about A.I. and machine learning and analytics and location and BLE and a little on 802.11ax. What wasn’t talked about much is the new WPA3 standard/certification that we have been waiting on since WPA2 was first introduced back in 2004. WPA2 is now a surly teenager in human years, but in the world of technology it has been likened to a pensioner heading into retirement. 14 years is a LONG time for anything in technology to remain the standard. In the 802.11 realm, it’s just slightly younger than 802.11g!
Let that sink in for a second.
Then along comes this company called Aruba Networks as the last presenter at MFD3. They started with the standard quick introduction and then talked about a new product that is intended to be used as a Point-To-Point (PTP) link with dual radios, one at 5 GHz (802.11ac) and the other at 60 GHz (802.11ad), which by itself is cool enough to stand on its own. You can watch that presentation here if you want to learn more about it (which you should, it’s cool), and then a quick hit on their 802.11ax stuff. Again, pretty cool, along with a good slide about dates surrounding 802.11ax. If it wasn’t for what came next, this would be my focus, but the next topic changed everything for me, so their hardware will have to wait for a different post.
The next presenter was a gentleman named Chuck Lukaszewski, and he brought the goods. Chuck presented on Aruba’s efforts in the realm of security, WPA3, and more importantly, Opportunistic Wireless Encryption (OWE). OWE was recently changed from a requirement by the Wi-Fi Alliance for WPA3 certification to an optional feature, much to the chagrin of wireless professionals everywhere. The general consensus was if it’s optional then no vendor is going to put any effort into it because why would they? Chuck changed all of that with this slide:
I’m sure that I and others will talk about the other new terms, “SAE” and “Suite B/CNSA”, which are still part of the required certifications, but I want to focus on OWE, the optional part that we all wanted but had given up hope on. If you watch the presentation, it’s easy to pick up on how excited we all were to learn not only that this wasn’t dead, but that Aruba was actually able to demo it in action, live, and in front of a technical audience. 802.11ax might promise crazy QAM rates (1024 QAM to be precise) along with BSS coloring and OFDMA (allowing clients to utilize LESS than a full channel if they don’t need it, LOVE that one by the way), but sometimes the improvements that are needed are not the sexy marketing bullet points that C-suite executives want to see on their hit sheets. 1.21 JiggaBytes Per Second (JBPS, I just made that up) is much cooler on a marketing sheet than “hey, we did something that is cool but you will never be able to tell because it is seamless to you”, but let me assure you, it’s the one thing that we NEED in the wireless industry.
Everyone knows that you don’t use the Wi-Fi in public places because you are going to get hacked by the guy sitting a couple of chairs away and your life will be in shambles. Guess what OWE solves? Exactly! This feature is not meant to authenticate the user, nor to account for what they are doing. That will always be left to the Enterprise version of the WPA2 and now WPA3 standard. This is meant purely for the guest client/user that you want to allow onto your Wi-Fi while ensuring that no one can sniff their traffic while they are onsite. This doesn’t interrupt captive portals (shudder), since those operate further along the network path, so you can still stop users from accessing the internet; no, this is intended as a feature that shores up the bane of the Wi-Fi world – guest Wi-Fi is insecure due to the open nature of the network.
I call this my “Mom” feature. My mom uses technology, but she doesn’t understand much more than other mothers of her generation. She doesn’t understand why having a 4 Way Handshake (seen above) right after the association packets is a good thing, but I don’t need her to know why or understand. All she needs to know is that if she selects a device that supports OWE from the WPA3 certification and is at a location that supports OWE, she can now have some level of assurance that when she surfs the internet and sees the lock symbol in the upper left, she doesn’t have to call me freaking out. People not calling me freaking out is a good thing by the way.
So what’s next? Good question. Start by going and watching Chuck’s presentation at Mobility Field Day 3. Watch the reaction from the delegates to what was presented, and then watch the video again to let what you just saw sink in. GCMP/CCMP protected data over the air on a guest Wi-Fi network. The user only has to select the network, and the protocols then take care of the rest.
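To make concrete what “the protocols take care of the rest” means, here is an added example (not from the post, and not Aruba’s code) that walks through the OWE key agreement as specified in RFC 8110: each side sends an ephemeral Diffie-Hellman public value in its association frames, both derive the shared secret z, and the PMK and PMKID that feed the 4-Way Handshake are derived from z with HKDF. It assumes a toy finite-field group and a placeholder group identifier in place of the NIST P-256 group that real OWE mandates; the derivation steps are the RFC’s.

```python
import hashlib
import hmac
import secrets

# Toy stand-in for a Diffie-Hellman group (constructed for this demo, NOT an
# IANA-registered OWE group). Real OWE mandates ECC group 19 (NIST P-256).
TOY_P = 2**127 - 1          # Mersenne prime: readable, far too small for real use
TOY_G = 3
TOY_GROUP_ID = b"\x00\x00"  # placeholder for the 2-byte group identifier
KEY_LEN = (TOY_P.bit_length() + 7) // 8


def _hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def _hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # One HKDF-Expand block suffices: OWE's n is exactly one digest length.
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]


class OweParty:
    """One side of the exchange: an ephemeral DH key pair plus the RFC 8110
    section 4.4 derivation  prk = HKDF-extract(C | A | group, z),
    PMK = HKDF-expand(prk, "OWE Key Generation", n), PMKID = Trunc128(Hash(C | A))."""

    def __init__(self):
        self.priv = secrets.randbelow(TOY_P - 2) + 1
        self.pub = pow(TOY_G, self.priv, TOY_P)

    def pub_bytes(self) -> bytes:
        # This is the value carried in the Diffie-Hellman Parameter element.
        return self.pub.to_bytes(KEY_LEN, "big")

    def derive(self, client_pub: bytes, ap_pub: bytes, peer_pub: bytes):
        z = pow(int.from_bytes(peer_pub, "big"), self.priv, TOY_P).to_bytes(KEY_LEN, "big")
        prk = _hkdf_extract(client_pub + ap_pub + TOY_GROUP_ID, z)
        pmk = _hkdf_expand(prk, b"OWE Key Generation", 32)
        pmkid = hashlib.sha256(client_pub + ap_pub).digest()[:16]
        return pmk, pmkid


def owe_association():
    """Simulate one OWE association. C and A travel in the clear; only the
    private exponents (never transmitted) let a party reach z and hence the PMK.
    Note that nothing in the exchange identifies the AP: the key is shared with
    whichever responder answered, which is why OWE stops sniffing, not impersonation."""
    client, ap = OweParty(), OweParty()
    c, a = client.pub_bytes(), ap.pub_bytes()
    return {"client": client.derive(c, a, peer_pub=a),
            "ap": ap.derive(c, a, peer_pub=c),
            "on_air": (c, a)}
```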
Next, start bothering your infrastructure vendor of choice to find out what they are doing in the realm of OWE. Is it on their roadmap? When are they going to be releasing something about OWE? If it’s not something they are working on, why not? Aruba has taken the lead on getting this into the public space; it’s now incumbent on us, especially those of us in the Large Public Venue (LPV) realm, to push ALL vendors to support this.
After the infrastructure vendors, start working on the client side. Remember, you need a client side device that can do this, or the ability to add it, to make this work. Ask Apple, Samsung, Motorola, LG, Dell, HP, and all the others, what their roadmap is for supporting this. Predictions are we will see 802.11ax clients next year and I really hope they have the supplicant side ability to do this. If not, as an industry we are missing a HUGE opportunity here and I for one won’t sit idly by and watch this opportunity slip away simply because we don’t have to.
I am sure I will harp on this subject more in the future, I think that it’s just that important. When and if I come up with anything new I will make sure that I share it, but for now I want to thank Aruba Networks and their engineers for taking the lead in this effort.
It’s not the new features you thought you wanted, it’s the features that you didn’t think you needed!
OWE is a garbage implementation of “security” since it does not rely on establishment or chain of trust. Lauding it as a great security improvement is outrageous considering it is the equivalent of encrypting messages to any random stranger that claims to be the one you want to connect to.
Seriously, it doesn’t fix the main claim you make: “Everyone knows that you don’t use the Wi-Fi in public places because you are going to get hacked by the guy sitting a couple of chairs away and your life will be in shambles” since “some guy sitting a couple of chairs” can just pretend to be the SSID you’re trying to connect to.
This feature feels rushed in rather than well thought out and I hope everyone avoids it until it can actually be made secure through PKI or some trusted pairing mechanism.