Bhanu Prasad

Wireless frames exchange between Access Point (Wi-Fi 6) & User device with WPA3-Personal SSID.

Updated: Dec 27, 2021


In this article we look at the frames exchanged between a Wi-Fi 6 AP and a user device on a WPA3-Personal SSID.

The article also covers the Wi-Fi 6 features BSS Color and Target Wake Time.

WPA3-Personal

  • WPA3 (Wi-Fi Protected Access 3) is the new security standard.

  • WPA3 ensures management frames (like DISASSOC/DEAUTH …) are protected.

  • WPA3-Personal with a password/pre-shared key helps protect against brute-force/dictionary attacks. Ensure passwords are not easily guessable.

  • The pairwise master key (PMK) is unique for each client and is derived before association. This is not the case with WPA2-Personal.

  • WPA3-Personal is as secure as 802.1X because of its authentication algorithm, Simultaneous Authentication of Equals (SAE). SAE generates the PMK before association using a process similar to (but more complex than) the 4-way handshake in WPA2. Role-Based Network Access (RBNA) can be achieved with device-specific PSKs.

  • 802.11r facilitates fast roaming within WPA3-Personal to avoid voice communication delays and is mandatory with WPA3-Personal.

  • The Dragonfly vulnerability is applicable only in mixed environments where WPA3 and WPA2 clients are allowed on the same SSID.


Beacon WPA3-Personal


A beacon for a WPA3-Personal SSID carries Authentication Key Management (AKM) type number 8 under RSN Information.

In the RSN Capabilities of the same beacon, Management Frame Protection Required is True and Management Frame Protection Capable is True.
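The two beacon checks above can be automated when auditing many SSIDs. The following is an added example, not part of the original article: it parses an RSN element body, reports the AKM types and the two management frame protection bits, and also flags the mixed WPA3 + WPA2 case mentioned earlier. The function names and the sample byte strings are constructed for illustration, and the parser assumes the element carries every field up to RSN Capabilities.

```python
import struct

OUI_IEEE = bytes.fromhex("000fac")           # OUI of the standard suite selectors
AKM_PSK, AKM_PSK_SHA256, AKM_SAE = 2, 6, 8   # AKM suite types; 8 is SAE
MFPR, MFPC = 0x0040, 0x0080                  # RSN Capabilities bits 6 and 7


def _u16(body: bytes, off: int) -> int:
    if off + 2 > len(body):
        raise ValueError("truncated RSN element")
    return struct.unpack_from("<H", body, off)[0]


def _suites(body: bytes, off: int):
    """Read a 2-byte count followed by that many 4-byte suite selectors."""
    end = off + 2 + 4 * _u16(body, off)
    if end > len(body):
        raise ValueError("truncated suite list")
    return [(body[i:i + 3], body[i + 3]) for i in range(off + 2, end, 4)], end


def parse_rsn(body: bytes) -> dict:
    """Parse an RSN element body (the bytes after element ID 48 and length)."""
    version = _u16(body, 0)
    _pairwise, off = _suites(body, 6)        # offset 6 skips version + group cipher
    akms, off = _suites(body, off)
    caps = _u16(body, off)
    return {"version": version,
            "akm_types": sorted(t for oui, t in akms if oui == OUI_IEEE),
            "mfp_required": bool(caps & MFPR),
            "mfp_capable": bool(caps & MFPC)}


def classify(rsn: dict) -> str:
    akm = set(rsn["akm_types"])
    sae, psk = AKM_SAE in akm, bool(akm & {AKM_PSK, AKM_PSK_SHA256})
    if sae and psk:
        return "mixed WPA3 + WPA2"
    if sae and rsn["mfp_required"] and rsn["mfp_capable"]:
        return "WPA3-Personal only"
    if sae:
        return "SAE without required MFP"
    return "WPA2-Personal" if psk else "other"


# Constructed RSN element bodies, not bytes from the article's captures.
WPA3_ONLY = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac08" "c000")
MIXED = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0200" "000fac02" "000fac08" "8000")

if __name__ == "__main__":
    for name, body in (("WPA3_ONLY", WPA3_ONLY), ("MIXED", MIXED)):
        print(name, classify(parse_rsn(body)), parse_rsn(body))
```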



Working Capture WPA3-Personal


One of the major differences compared to WPA2-Personal is that there are no open Authentication frames. Instead, four Authentication frames validate that the user device is allowed to associate with the access point.



Non-Working Capture WPA3-Personal


  • If the pre-shared key is wrong, the user device is not allowed to associate with the AP.

  • SAE authentication between the AP and the user device fails. We can see this in the AP's SAE Authentication Confirm frame.
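The working and non-working exchanges described above can be told apart from the fixed fields of each Authentication frame (algorithm, transaction sequence, status). The following is an added example, not part of the original article: it walks a captured sequence and reports whether the four-frame SAE exchange completed or where it failed. The frame bodies are constructed, and the failing status value used in the sample is an assumption; only the fact that it is non-zero matters to the check.

```python
import struct

ALG_SAE = 3                                # Authentication Algorithm Number for SAE
SEQ_NAMES = {1: "Commit", 2: "Confirm"}    # SAE transaction sequence numbers
OK_STATUS = {0, 126}                       # success, SAE hash-to-element
ANTI_CLOGGING = 76                         # AP asks the station to retry with a token


def parse_auth(body: bytes):
    """Return (algorithm, sequence, status) from an Authentication frame body."""
    if len(body) < 6:
        raise ValueError("authentication frame body too short")
    return struct.unpack_from("<HHH", body, 0)


def summarize(frames):
    """frames: (sender, body) tuples in capture order, sender is 'sta' or 'ap'."""
    seen, steps = set(), []
    for sender, body in frames:
        alg, seq, status = parse_auth(body)
        if alg != ALG_SAE:
            steps.append(f"{sender}: non-SAE authentication (algorithm {alg})")
            continue
        name = SEQ_NAMES.get(seq, f"seq {seq}")
        steps.append(f"{sender}: SAE {name}, status {status}")
        if status == ANTI_CLOGGING:
            continue                       # not a failure, the exchange restarts
        if status not in OK_STATUS:
            return {"result": "failed", "failed_at": (sender, name, status),
                    "steps": steps}
        seen.add((sender, name))
    expected = {(s, n) for s in ("sta", "ap") for n in SEQ_NAMES.values()}
    result = "completed" if expected <= seen else "incomplete"
    return {"result": result, "failed_at": None, "steps": steps}


def _frame(seq: int, status: int) -> bytes:
    # Constructed body: fixed fields plus placeholder bytes for the SAE payload.
    return struct.pack("<HHH", ALG_SAE, seq, status) + bytes(8)


# Constructed exchanges, not the article's captures. The failing status value 1
# is a sample; only "non-zero" matters to the check.
WORKING = [("sta", _frame(1, 0)), ("ap", _frame(1, 0)),
           ("sta", _frame(2, 0)), ("ap", _frame(2, 0))]
NON_WORKING = WORKING[:3] + [("ap", _frame(2, 1))]
```

Repeated "failed" results for the same SSID in a capture are worth correlating with the station address, since each one is a wrong-password attempt against the AP.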


Disassociation Frame with WPA3-Personal


  • In WPA2, Disassociation/Deauth frames are abused for man-in-the-middle (MITM) attacks. In WPA3, these frames are protected against such attacks.

BSS Color

  • BSS Color is a number associated with a color.

  • BSS Color information is available in

  1. Beacon

  2. Probe response

  3. Association response

  4. Reassociation response


  • Each STA learns about its own BSS upon association, and about other/overlapping BSSs (OBSS).

  • BSS Color helps to mitigate the problem of co-channel interference, especially found in 2.4 GHz. This helps in a 100% Wi-Fi 6 client environment.

  • Each radio/band on an access point is assigned a different color. For example, the 2.4 GHz BSS color is 2 and the 5 GHz BSS color is 5, per BSS/access point.

How will BSS COLOR help with an example?


BSS COLOR works at the BSS level. Let me explain what I mean with an example.


Suppose AP01 and AP02 are each broadcasting two SSIDs (SSID-1 & SSID-2).


On AP01 at 5 GHz, both SSIDs have the same BSS COLOR number.


SSID-1 BSS COLOR number is 0x03


SSID-2 BSS COLOR will also have the same number 0x03.


On AP02 at 5 GHz, both SSIDs have the same BSS COLOR number, but it is different from AP01's.


SSID-1 BSS COLOR number is 0x04


SSID-2 BSS COLOR will also have the same number 0x04


On AP01 at 2.4 GHz, both SSIDs have the same BSS COLOR number, but it is different from the 5 GHz BSS COLOR number.


SSID-1 BSS COLOR number is 0x02


SSID-2 BSS COLOR number is 0x02.


On AP02 at 2.4 GHz, both SSIDs have the same BSS COLOR number, but it is different from AP01's.


SSID-1 BSS COLOR number is 0x01


SSID-2 BSS COLOR number is 0x01.


BSS COLOR information is also available in the preamble, which helps Wi-Fi 6 clients ignore traffic from other nearby APs at Layer 1.


For example, with Wi-Fi 5, suppose the client is associated with an AP (AP01) on channel 1, and another nearby AP (AP02), also on channel 1, is broadcasting traffic. The client ignores that traffic by validating the BSSID, which happens at Layer 2.


With Wi-Fi 6 (both APs and the client are Wi-Fi 6), suppose the client is associated with an AP (AP01) on channel 1, and another nearby AP (AP02), also on channel 1, is broadcasting traffic. The client ignores that traffic by looking at the BSS COLOR information in the preamble at Layer 1. This helps to improve the performance of the clients.


To conclude, in Wi-Fi 6, two APs on the same channel will have different BSS COLORs. This lets Wi-Fi 6 clients distinguish valid traffic from the BSS they are associated with and ignore invalid traffic at Layer 1 using the BSS COLOR information.


Trigger Frame – Allocation of Resource Units (RU)


  • The Trigger frame (specific type) is where we can see the allocation of resource units to the users. I had two Wi-Fi 6 clients connected to the access point operating in 80 MHz. Each client is allocated 484 tones.

  • The Trigger frame is a control frame. To see control frames, the Wireshark filter is wlan.fc.type == 1


Target Wake Time(TWT)

  • Stations can agree with the AP on a common wake up schedule, allowing the stations to wake up only when required. This helps to minimize energy consumption and contention within the Basic Service Set (BSS).

  • Target Wake Time support information is available in

  1. Beacon

  2. Probe request

  3. Probe response

  4. Association request

  5. Association response

  6. Reassociation request

  7. Reassociation response



Thanks for viewing the article, please leave a feedback comment (good or bad), so that I can improve.
