Wi-Fi 6 / OWE: Enhanced Open encryption

Austin, Texas, June 5, 2018: the Wi-Fi Alliance® launched Wi-Fi CERTIFIED Enhanced Open™, a certification program that brings new protections to users of open Wi-Fi® networks. Wi-Fi Enhanced Open™ provides protection in settings where users are not required to authenticate and where credentials cannot be distributed. Such unauthenticated networks are usually deployed in public places, such as local coffee shops, and as guest networks with a web portal in airports, hotels and sports venues. Wi-Fi Enhanced Open™ delivers improved data privacy while keeping the convenience and ease of use of an open network.
Wi-Fi Enhanced Open protects against passive eavesdropping without requiring users to enter a password or take any other step to join the network. It is based on Opportunistic Wireless Encryption (OWE), an established encryption mechanism that gives each user a unique encryption key, so the data exchanged between the user's device and the Wi-Fi network is protected. Protected Management Frames further protect the management traffic between the access point and the user's device. Network operators that rely on a captive portal for access control keep the same ease of deployment and maintenance, because no network credentials have to be shared.
[Passive listening and seamless experience]
Note, however, that you still connect to the wireless network without entering any password, exactly as with a traditional Open Auth SSID: neither side verifies the other's identity, so Enhanced Open provides no authentication. It defends against passive sniffing only; an active attacker can still stand up a rogue AP with the same SSID and complete OWE with the client. If your device supports Enhanced Open, data traffic is encrypted once the initial association completes. The basic frame exchange of an Enhanced Open association is Open System authentication, an Association Request/Response pair that carries the OWE elements, and then the usual 4-way handshake keyed from the PMK that OWE produces.
OWE discovery
In the RSNE, the access point (AP) advertises OWE support by listing the OWE AKM suite selector. In the RSNE of a beacon frame from an SSID configured for OWE you will see AKM Suite Type value 18 (00-0F-AC:18), which indicates OWE support.
If you look at the RSN Capabilities field, you will see that the AP also advertises Management Frame Protection (MFP): both the MFP Capable and MFP Required bits are set to 1. When the client sends its Association Request frame (#88), you will see the same RSNE in it.
The DH Parameter element in that Association Request has the following format: Element ID 255 (the element ID extension value) with Element ID Extension 32, followed by the finite cyclic group number and the client's public key.

To conform to the standard, an implementation must support DH group 19, a 256-bit elliptic curve (ECP) group. You can see the DH group number used in the packet capture. If the AP does not support the DH group indicated in the Association Request, it responds with status code 77 (finite cyclic group not supported).
To agree to OWE, the AP must include an RSNE with the OWE AKM in its Association Response frame. Unless PMK caching is in effect, it must also include a DH Parameter element carrying its own public key. Here are the details of frame #90, the Association Response.
OWE PMK caching

PMK caching is supported on an SSID with Enhanced Open enabled: the STA and the AP can cache the PMK for a period of time. Once a client has associated with the OWE SSID for the first time, the PMKID value must be computed. When the STA later connects to the same AP, it can include the PMKID in its Association Request frame. If the AP has cached the PMK identified by that PMKID, it includes the PMKID in its Association Response frame; in that case the Association Response carries no DH Parameter element. From a configuration standpoint, you enable the feature simply by ticking "Enhanced Open" under the WLAN > Security > Layer 2 tab (using a Cisco AireOS 8.10.x WLC).
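To make the element format, the group negotiation and the PMK-caching shortcut concrete, here is an added worked example (not code from the original post, from Cisco or from the Wi-Fi Alliance) that runs a full OWE association in pure Python following RFC 8110. It builds and parses the DH Parameter element (Element ID 255, Element ID Extension 32, little-endian group number, x-only P-256 public key in the RFC 6090 compact representation), answers with status 77 when the AP does not support the offered group, derives the PMK with HKDF-SHA256 using the two transmitted public keys as the salt and "OWE Key Generation" as the info string, computes the PMKID as the first 128 bits of SHA-256(C | A), and skips the DH exchange when the STA presents a PMKID the AP still holds. The P-256 arithmetic is written out in plain Python for readability and is not constant-time, so this is for understanding captures and the derivation, not for production use; the function names and the dictionary keys they return are this example's own.

```python
"""OWE (RFC 8110) association with the mandatory group 19 (NIST P-256), standard
library only.  Added example, not code from the original post, Cisco or the
Wi-Fi Alliance; the private keys used when run as a script are random."""
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (IANA finite cyclic group 19); a = -3.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (GX, GY)
OWE_GROUP = 19
ELEM_ID_EXTENSION = 255        # Element ID of the DH Parameter element
OWE_DH_PARAM_EXT_ID = 32       # its Element ID Extension
STATUS_UNSUPPORTED_GROUP = 77  # AP reply when it does not support the offered group

def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def point_from_x(x):
    """RFC 6090 compact form: the element carries x only; either square root works
    because ECDH keeps just the x-coordinate of the result."""
    rhs = (pow(x, 3, P) - 3 * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)  # valid since P % 4 == 3
    if y * y % P != rhs:
        raise ValueError("peer public key is not on P-256")
    return (x, y)

def build_dh_param(group, pub_x):
    """DH Parameter element: ID 255 | Length | Ext ID 32 | Group (LE16) | public key."""
    body = bytes([OWE_DH_PARAM_EXT_ID]) + group.to_bytes(2, "little") + pub_x.to_bytes(32, "big")
    return bytes([ELEM_ID_EXTENSION, len(body)]) + body

def parse_dh_param(elem):
    if (len(elem) < 5 or elem[0] != ELEM_ID_EXTENSION
            or elem[2] != OWE_DH_PARAM_EXT_ID or elem[1] != len(elem) - 2):
        raise ValueError("not a well-formed OWE DH Parameter element")
    return int.from_bytes(elem[3:5], "little"), elem[5:]

def hkdf_sha256(salt, ikm, info, length):
    """RFC 5869 HKDF-Extract then HKDF-Expand; SHA-256 is the hash for group 19."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:length]

def owe_keys(priv, peer_pub_x, c_bytes, a_bytes):
    """RFC 8110 4.3 with C = STA key and A = AP key exactly as carried in the elements:
    z = x(priv * peer); PMK = HKDF(salt C|A, z, "OWE Key Generation"); PMKID = SHA-256(C|A)[:16]."""
    z = ec_mul(priv, point_from_x(peer_pub_x))[0].to_bytes(32, "big")
    pmk = hkdf_sha256(c_bytes + a_bytes, z, b"OWE Key Generation", 32)
    return pmk, hashlib.sha256(c_bytes + a_bytes).digest()[:16]

def owe_associate(sta_priv, ap_priv, ap_groups=(19,), pmk_cache=None, sta_pmkid=None):
    """One Assoc Request/Response: returns the status, whether the response carried
    a DH Parameter element, and the PMK/PMKID both sides derive."""
    # PMK caching: the STA offers a PMKID; if the AP still holds that PMK it echoes
    # the PMKID back and sends no DH Parameter element.
    if pmk_cache is not None and sta_pmkid in pmk_cache:
        return {"status": 0, "dh_in_response": False, "pmkid": sta_pmkid, "pmk": pmk_cache[sta_pmkid]}
    sta_elem = build_dh_param(OWE_GROUP, ec_mul(sta_priv, G)[0])  # in the Assoc Request
    group, c = parse_dh_param(sta_elem)
    if group not in ap_groups:
        return {"status": STATUS_UNSUPPORTED_GROUP, "dh_in_response": False}
    ap_elem = build_dh_param(group, ec_mul(ap_priv, G)[0])        # in the Assoc Response
    _, a = parse_dh_param(ap_elem)
    ap_pmk, ap_pmkid = owe_keys(ap_priv, int.from_bytes(c, "big"), c, a)
    sta_pmk, sta_pmkid_out = owe_keys(sta_priv, int.from_bytes(a, "big"), c, a)
    assert ap_pmk == sta_pmk and ap_pmkid == sta_pmkid_out
    if pmk_cache is not None:
        pmk_cache[ap_pmkid] = ap_pmk  # the AP keeps the PMK for a later reassociation
    return {"status": 0, "dh_in_response": True, "pmkid": ap_pmkid, "pmk": ap_pmk}

if __name__ == "__main__":
    sta, ap, cache = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1, {}
    first = owe_associate(sta, ap, pmk_cache=cache)
    again = owe_associate(sta, ap, pmk_cache=cache, sta_pmkid=first["pmkid"])
    print("DH element in response: first", first["dh_in_response"], "cached", again["dh_in_response"],
          "| AP with only group 20 answers status", owe_associate(sta, ap, ap_groups=(20,))["status"])
```

Run as a script it performs one fresh association, one cached re-association that carries no DH Parameter element, and one rejection by an AP that only supports group 20. Because z needs one of the private scalars, a capture that shows both DH Parameter elements, as in the frames above, does not let a passive observer recover the PMK; that is the whole of the protection OWE gives, and it is why a cached PMKID in a later Association Request is safe to send in the clear.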
OWE transition mode
In transition mode you create two SSIDs. One has Enhanced Open enabled; the other has Open authentication plus transition mode enabled. Only the Open authentication SSID broadcasts its SSID name, so a client device sees just one SSID, but if the device supports OWE it will seamlessly connect to the Enhanced Open SSID instead.
In our test topology, SSID1 (CWAP-Open) has Enhanced Open enabled; note that its SSID name is not broadcast. We used the same SSID in the "Enhanced Open - Part 1" blog post. For OWE transition mode, SSID2 (Guest) is configured with Open authentication (that is, Layer 2 security set to "None"). Note that under the SSID2 configuration we reference SSID1 as the "Enhanced Open SSID" (Cisco AireOS 8.10.x WLC).
Looking at the beacon frames, you will see beacons from both SSIDs, but the SSID name is visible only in the "Guest" SSID's beacons. In the tagged parameters you will notice the vendor-specific "OWE Transition Mode" element in the beacon and probe response frames of both SSIDs. The beacon frame of SSID2 (Guest) shows it.
The OWE Transition Mode element format is defined in the Wi-Fi Alliance OWE specification v1.0: a vendor-specific element (WFA OUI 50-6F-9A, OUI type 28) carrying the BSSID of the paired SSID, the SSID length and SSID, and optional Band Info and Channel Info fields.
You will see these field values in the OWE Transition Mode element of that beacon frame. Note that Band Info and Channel Info are optional: the valid options are to include both or neither, and in our case neither is present. In my case both SSIDs were configured for the 5 GHz band (I still need to test modifying those bands per SSID). Note that the SSID name and BSSID are listed under the OWE Transition Mode element.
Now the beacon frame of the Enhanced Open SSID named "CWAP-Open".
Key points in the Enhanced Open SSID's beacon frame (the probe response carries the same information):
• the SSID length is zero
• an RSNE is included to indicate OWE support
• the OWE Transition Mode element is included
The elements of interest are therefore the SSID, RSNE and OWE Transition Mode elements.
However, when the AirCheck G2 tries to connect, it associates with the "Guest" SSID using Open authentication. You will notice the two Open Authentication frames (#2757, #2760) and the Association Request/Response (#2762, #2764), followed by clear-text data frames. This is the expected path for a client without OWE support: in transition mode such clients still land on the open SSID with unencrypted data, so transition mode only protects OWE-capable devices. Note the Wireshark display filter used to narrow the capture to frames involving the AG2 and to drop control frames: wlan.addr == 6c:0b:84:c2:4e:99 && not wlan.fc.type == 1
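The beacon walk-through above (the RSNE with AKM 18 and the MFP bits from the OWE discovery section, the hidden OWE SSID, and the OWE Transition Mode element that points each SSID at the other) can be reproduced with a small parser. The following added example is not code from the original post, Cisco or the Wi-Fi Alliance: it decodes the tagged parameters of a beacon or probe response, pulls OWE support and the MFPC/MFPR bits out of the RSNE, decodes the OWE Transition Mode vendor element (WFA OUI 50-6F-9A, OUI type 28) including its both-or-neither Band Info/Channel Info rule, and then models the client decision behind the AirCheck G2 result: a client without OWE support associates to the broadcast open SSID in the clear, whereas an OWE-capable client follows the transition element to the hidden OWE BSS. The BSSIDs 00:11:22:33:44:50 and 00:11:22:33:44:51 and the sample beacons are constructed test data; the SSID names reuse the post's Guest and CWAP-Open.

```python
"""Decode beacon/probe-response tagged parameters for OWE (RSNE with AKM
00-0F-AC:18 and the MFPC/MFPR bits, WFA OWE Transition Mode element) and pick
the BSS a legacy versus an OWE-capable client uses.  Added example, not code from
the original post, Cisco or the Wi-Fi Alliance; BSSIDs and beacons are constructed."""
WFA_OUI = bytes.fromhex("506f9a")
OWE_TRANSITION_OUI_TYPE = 28         # WFA OUI type 0x1C
OWE_AKM = bytes.fromhex("000fac12")  # AKM suite selector 00-0F-AC:18
CCMP_128 = bytes.fromhex("000fac04")
MFPR, MFPC = 0x0040, 0x0080          # RSN Capabilities bits 6 and 7

def iter_elements(tags):
    """Yield (element_id, body) from an 802.11 tagged-parameters blob."""
    i = 0
    while i + 2 <= len(tags):
        eid, length = tags[i], tags[i + 1]
        body = tags[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated element")
        yield eid, body
        i += 2 + length

def parse_rsne(body):
    """Minimal RSNE decode: pairwise and AKM suite lists plus RSN Capabilities."""
    if int.from_bytes(body[0:2], "little") != 1:
        raise ValueError("unexpected RSN version")
    pos, suites = 6, {}                       # skip version + group cipher suite
    for name in ("pairwise", "akm"):
        n = int.from_bytes(body[pos:pos + 2], "little")
        suites[name] = [body[pos + 2 + 4 * k:pos + 6 + 4 * k] for k in range(n)]
        pos += 2 + 4 * n
    caps = int.from_bytes(body[pos:pos + 2], "little") if pos + 2 <= len(body) else 0
    suites.update(mfpc=bool(caps & MFPC), mfpr=bool(caps & MFPR))
    return suites

def parse_owe_transition(body):
    """Body: WFA OUI, type 28, BSSID, SSID Length, SSID, then Band Info and
    Channel Info, which are either both present or both absent."""
    if body[:3] != WFA_OUI or body[3] != OWE_TRANSITION_OUI_TYPE:
        return None
    ssid_len, rest = body[10], body[11 + body[10]:]
    if len(rest) not in (0, 2):
        raise ValueError("Band Info and Channel Info must appear together")
    info = {"bssid": body[4:10].hex(":"), "ssid": body[11:11 + ssid_len].decode()}
    if rest:
        info["band"], info["channel"] = rest[0], rest[1]
    return info

def describe_bss(bssid, tags):
    d = {"bssid": bssid, "ssid": "", "hidden": False, "owe": False,
         "mfpc": False, "mfpr": False, "transition": None}
    for eid, body in iter_elements(tags):
        if eid == 0:                      # SSID element; zero length = hidden
            d["ssid"], d["hidden"] = body.decode(), len(body) == 0
        elif eid == 48:                   # RSNE
            r = parse_rsne(body)
            d["owe"], d["mfpc"], d["mfpr"] = OWE_AKM in r["akm"], r["mfpc"], r["mfpr"]
        elif eid == 221:                  # vendor specific
            d["transition"] = parse_owe_transition(body) or d["transition"]
    return d

def choose_bss(seen, client_supports_owe):
    """Clients only pick a broadcast SSID.  An OWE-capable client follows the
    transition element to the hidden BSS, after checking that it really advertises
    OWE; any other client associates Open and sends its data in the clear."""
    by_bssid = {b["bssid"]: b for b in seen}
    for b in seen:
        if b["hidden"]:
            continue
        t = b["transition"]
        if client_supports_owe and t and by_bssid.get(t["bssid"], {}).get("owe"):
            return t["bssid"]
        if not b["owe"]:
            return b["bssid"]
    return None

# Builders for the constructed sample beacons of the two-SSID transition setup.
def element(eid, body):
    return bytes([eid, len(body)]) + body

def build_rsne(akms, caps):
    body = (b"\x01\x00" + CCMP_128 + b"\x01\x00" + CCMP_128 + len(akms).to_bytes(2, "little")
            + b"".join(akms) + caps.to_bytes(2, "little"))
    return element(48, body)

def build_owe_transition(bssid, ssid):
    return element(221, WFA_OUI + bytes([OWE_TRANSITION_OUI_TYPE])
                   + bytes.fromhex(bssid.replace(":", "")) + bytes([len(ssid)]) + ssid)

OPEN_BSSID, OWE_BSSID = "00:11:22:33:44:50", "00:11:22:33:44:51"   # made-up BSSIDs
SAMPLE_BEACONS = [
    (OPEN_BSSID, element(0, b"Guest") + build_owe_transition(OWE_BSSID, b"CWAP-Open")),
    (OWE_BSSID, element(0, b"") + build_rsne([OWE_AKM], MFPC | MFPR)
     + build_owe_transition(OPEN_BSSID, b"Guest")),
]

def scan(beacons=SAMPLE_BEACONS):
    return [describe_bss(bssid, tags) for bssid, tags in beacons]

if __name__ == "__main__":
    for bss in scan():
        print(bss)
    print("legacy client ->", choose_bss(scan(), False), "| OWE client ->", choose_bss(scan(), True))
```

To check a real capture, export the tagged parameters of a beacon as bytes and pass them to describe_bss with the frame's BSSID. choose_bss follows a transition element only to a BSS that itself advertises the OWE AKM, which is the check a client needs so that a forged transition element cannot steer it to a BSS that would negotiate plain Open.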


Source: blog.51cto.com/13672543/2471495