Millions of users taking advantage of unsecured public Wi-Fi networks also are taking their chances that their connections will not be monitored, intercepted or otherwise interfered with. The Wi-Fi Alliance has announced a program to add a layer of security to open Wi-Fi networks by encrypting communications between the user device and access point.
Wi-Fi CERTIFIED Enhanced Open, announced June 5, uses the Opportunistic Wireless Encryption (OWE) standard to encrypt the wireless link without authentication. This protects against passive monitoring without the burden of managing credentials or adding steps to the login procedure.
Enhanced Open is the first in a number of Wi-Fi security enhancements coming this year. Later this summer the Wi-Fi Alliance expects to issue WPA3, the next generation of Wi-Fi Protected Access.
Network equipment incorporating Enhanced Open is expected to be available later this year and the alliance hopes that device manufacturers will also adopt the scheme. Implementation is simple and is transparent to the user, said Dan Harkins, distinguished technologist at Aruba, a Hewlett Packard Enterprise company. “It’s a no-brainer.”
The first Aruba products including Enhanced Open will be available in the third quarter of this year, he said.
It’s not perfect, but . . . .
Enhanced Open does not provide the level of security of a fully protected Wi-Fi network requiring authentication, but “it’s a lot better than it was,” said Harkins, who helped to write the OWE specifications.
When Wi-Fi security protocols were developed, security was all or nothing, he said. “We did that based on how we thought Wi-Fi would be used. It turns out that people are using it in ways we didn’t expect.”
Wi-Fi has become an entitlement and users expect it in public spaces from airports and hotel lobbies to bars and coffee shops. A business that doesn’t provide access risks losing customers. But these businesses are not interested in supporting security schemes requiring authentication credentials that would quickly become burdensome for the businesses and their customers. The use of pre-shared keys (PSK), in which passwords are posted publicly, is mere security theater, Harkins said. But the alternative is no security at all.
Users have accepted the risk of unsecured connections, but with the common use of public Wi-Fi for sensitive personal and business online activities that risk is increasing.
Opportunistic Wireless Encryption
Enhanced Open provides a step between full security and nothing at all.
OWE is an extension of the Institute of Electrical and Electronics Engineers’ (IEEE) 802.11 Wi-Fi standard. Clients and access points using this extension perform a Diffie-Hellman key exchange during the access procedure; the resulting key is used in the “handshake” that encrypts the link when the client connects to the AP. The Enhanced Open specification overlays the Diffie-Hellman exchange on the existing 802.11 exchange.
“OWE requires no special configuration or user interaction but provides a higher level of security than a common, shared, and public PSK,” according to the Internet Engineering Task Force specifications. “OWE not only provides more security to the end user, it is also easier to use both for the provider and the end user because there are no public keys to maintain, share, or manage.”
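To make that key derivation concrete, here is an added example (not code from the Wi-Fi Alliance, Aruba or the IETF) that performs the OWE exchange described in RFC 8110 over P-256 in pure Python: client and AP each contribute an ephemeral Diffie-Hellman key during association, and both derive the same PMK and PMKID with no credential involved. The hand-rolled curve arithmetic and the x-coordinate-only public-key encoding are simplifications for illustration.

```python
import hashlib
import hmac
import secrets

# NIST P-256 (IANA group 19, the group OWE implementations must support).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def ec_add(p1, p2):
    """Affine point addition (doubling when p1 == p2); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P   # curve coefficient a = -3
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def keypair():
    # Fresh ephemeral key for one association; nothing is stored or shared beforehand.
    priv = secrets.randbelow(N - 1) + 1
    return priv, ec_mul(priv, G)

def owe_pmk(priv, peer_pub, client_pub, ap_pub):
    """PMK/PMKID derivation from RFC 8110 section 4.4 (ECC case, SHA-256)."""
    z = ec_mul(priv, peer_pub)[0].to_bytes(32, "big")   # shared secret: x-coordinate
    c = client_pub[0].to_bytes(32, "big")               # C: client public key as sent
    a = ap_pub[0].to_bytes(32, "big")                   # A: AP public key as sent
    prk = hmac.new(c + a, z, hashlib.sha256).digest()   # HKDF-extract(salt=C|A, z)
    pmk = hmac.new(prk, b"OWE Key Generation" + b"\x01", hashlib.sha256).digest()
    pmkid = hashlib.sha256(c + a).digest()[:16]         # Truncate-128(Hash(C|A))
    return pmk, pmkid
```

A passive observer sees C and A on the air but not either private key, so it cannot compute z or the PMK that protects the subsequent four-way handshake and data frames.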
Use of the Enhanced Open protocol will be automatic and transparent to the user when both the user device and AP have adopted it. Users of enabled devices will have the same “select and connect” access as currently with open networks. The Enhanced Open network will not display the “lock” icon used for secured networks, so that the user will know no credential is required.
One drawback to this transparent automatic process is that the user does not know when or if a link is encrypted. This makes it impossible for users to know when it is safe (or safer) to use public Wi-Fi for sensitive activities. Some indication that passive protection is in place would make the scheme more practical.
But even with its limitations, Wi-Fi Enhanced Open is a significant step forward in creating a secure, ubiquitous online environment.