WPA3 and Wi-Fi Enhanced Open

Android 10 introduces support for the Wi-Fi Alliance's (WFA) Wi-Fi Protected Access version 3 (WPA3) and Wi-Fi Enhanced Open standards. For more information, see Security on the WFA site.

WPA3 is a new WFA security standard for personal and enterprise networks. It aims to improve overall Wi-Fi security by using modern security algorithms and stronger cipher suites. WPA3 has two parts:

  • WPA3-Personal: Uses simultaneous authentication of equals (SAE) instead of pre-shared key (PSK), providing users with stronger security protections against attacks such as offline dictionary attacks, key recovery, and message forging.
  • WPA3-Enterprise: Offers stronger authentication and link-layer encryption methods, and an optional 192-bit security mode for sensitive security environments.

Wi-Fi Enhanced Open is a new WFA security standard for public networks based on opportunistic wireless encryption (OWE). It provides encryption and privacy on open, non-password-protected networks in areas such as cafes, hotels, restaurants, and libraries. Enhanced Open doesn't provide authentication.

WPA3 and Wi-Fi Enhanced Open improve overall Wi-Fi security, providing better privacy and robustness against known attacks. As many devices don't yet support these standards or haven't yet had software upgrades to support these features, WFA has proposed the following transition modes:

  • WPA2/WPA3 transition mode: The serving access point supports WPA2 and WPA3 standards concurrently. In this mode, Android 10 devices use WPA3 to connect, and devices running Android 9 or lower use WPA2 to connect to the same access point.
  • WPA2/WPA3-Enterprise transition mode: The serving access point supports WPA2-Enterprise and WPA3-Enterprise standards concurrently.
  • OWE transition mode: The serving access point supports both OWE and open standards concurrently. In this mode, Android 10 devices use OWE to connect, and devices running Android 9 or lower connect to the same access point without any encryption.

Android 12 supports Transition Disable indication, a mechanism that instructs a device to not use WPA2 and use WPA3 instead. When a device receives this indication, it uses WPA3 to connect to a WPA3 network that supports a transition mode. Android 12 also supports WPA3 Hash-to-Element (H2E) authentication exchange. For more information, see the WPA3 Specification.

WPA3 and Wi-Fi Enhanced Open are supported only in client mode.

Implementation

To support WPA3 and Wi-Fi Enhanced Open, implement the Supplicant HAL interface. Starting with Android 13, the interface uses AIDL for the HAL definition. For releases before Android 13, interfaces and vendor partitions use HIDL. The HIDL interface can be found in hardware/interfaces/wifi/supplicant/1.3/, and the AIDL interface can be found in hardware/interfaces/wifi/supplicant/aidl/,

The following are required to support WPA3 and OWE:

  • Linux kernel patches to support SAE and OWE

    • cfg80211
    • nl80211
  • wpa_supplicant with support for SAE, SUITEB192 and OWE

  • Wi-Fi driver with support for SAE, SUITEB192, and OWE

  • Wi-Fi firmware with support for SAE, SUITEB192, and OWE

  • Wi-Fi chip with support for WPA3 and OWE

Public API methods are available in Android 10 to allow apps to determine device support for these features:

WifiConfiguration.java contains new key management types, as well as pairwise ciphers, group ciphers, group management ciphers, and Suite B ciphers, which are required for OWE, WPA3-Personal, and WPA3-Enterprise.

Enable WPA3 and Wi-Fi Enhanced Open

To enable WPA3-Personal, WPA3-Enterprise, and Wi-Fi Enhanced Open in the Android framework:

  • WPA3-Personal: Include the CONFIG_SAE compilation option in the wpa_supplicant configuration file.

    # WPA3-Personal (SAE)
    CONFIG_SAE=y
    
  • WPA3-Enterprise: Include the CONFIG_SUITEB192 and CONFIG_SUITEB compilation options in the wpa_supplicant configuration file.

    # WPA3-Enterprise (SuiteB-192)
    CONFIG_SUITEB=y
    CONFIG_SUITEB192=y
    
  • Wi-Fi Enhanced Open: Include the CONFIG_OWE compilation option in the wpa_supplicant configuration file.

    # Opportunistic Wireless Encryption (OWE)
    # Experimental implementation of draft-harkins-owe-07.txt
    CONFIG_OWE=y
    

If WPA3-Personal, WPA3-Enterprise, or Wi-Fi Enhanced Open aren't enabled, users won't be able to manually add, scan, or connect to these types of networks.

Validation

To test your implementation, run the following tests.

Unit tests

Run SupplicantStaIfaceHalTest to verify the behavior of the capability flags for WPA3 and OWE.

atest SupplicantStaIfaceHalTest

Run WifiManagerTest to verify the behavior of the public APIs for this feature.

atest WifiManagerTest

VTS tests

If the HIDL interface is implemented, run:

atest VtsHalWifiSupplicantV1_3TargetTest

If the AIDL interface is implemented, run:

atest VtsHalWifiSupplicantStaIfaceTargetTest