
Opportunistic Wireless Encryption (OWE)

Updated: Mar 2, 2022

Opportunistic Wireless Encryption (OWE), also called Enhanced Open authentication, secures the data on an open network by encrypting it. Anyone eavesdropping on the wireless traffic captures only encrypted data and cannot read it.


All Wi-Fi 6 devices on the market should support Enhanced Open authentication/OWE. Any Wi-Fi 6 device (Access Point or NIC) that does not yet support Enhanced Open authentication/OWE should be able to do so after a software/firmware/driver upgrade.


I tested with a Samsung S20 and Windows 10 with a Wi-Fi 6 NIC. A screenshot from the Samsung S20 is shown below. Unfortunately, I found that Apple devices cannot (as of today) support Enhanced Open authentication.



With Open authentication, when users connect to the SSID, all data goes in cleartext, so anyone eavesdropping can see everything you send wirelessly.


Note: Both the Access Point and the user device must support Enhanced Open authentication/OWE for data to be exchanged securely between them.


Below are the frames exchanged between the user device and the Access Point to secure data in Enhanced Open authentication/OWE. 802.11w (Protected Management Frames) is mandatory with OWE/Enhanced Open authentication and helps prevent MITM attacks.




Association Request from the user device trying to establish a wireless connection to the SSID with the authentication method Enhanced Open/Opportunistic Wireless Encryption (OWE).



The screenshot below is the Association Response from the Access Point, carrying the "Diffie-Hellman Public key", to the user device.



The Pairwise Master Key (PMK) is generated at the Access Point and the user device after the user device associates successfully. This is followed by the EAPOL 4-way handshake, which generates and installs the PTK and GTK before any information (e-mail, website access, etc.) is exchanged wirelessly between the user device and the Access Point.


The PMK generation in OWE/Enhanced Open authentication is similar to the process used in WPA3-Simultaneous Authentication of Equals (WPA3-SAE). You can refer to my article WPA3-Simultaneous Authentication of Equals (SAE) to understand how the PMK is generated.
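As an added example (not part of the original post), here is the PMK/PMKID derivation RFC 8110 specifies for the Association Request/Response exchange above, over NIST P-256 (OWE group 19) in standard-library Python. The elliptic-curve arithmetic is a minimal demo implementation, the EAPOL 4-way handshake that follows is not shown, and the 2-octet little-endian encoding of the group number follows what hostapd/wpa_supplicant do.

```python
import hashlib, hmac, secrets

# NIST P-256 (OWE group 19): prime P, curve coefficients A/B, order N, base point G.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def on_curve(pt):  # y^2 == x^3 + A*x + B (mod P)
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def ec_add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):  # double-and-add scalar multiplication (demo only, not constant-time)
    r = None
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r

def hkdf_expand(prk, info, length):  # RFC 5869 expand step with HMAC-SHA256
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:length]

def owe_pmk(client_x, ap_x, z, group=19):
    # RFC 8110 s4.4: prk = HKDF-extract(C | A | group, z), PMK = HKDF-expand(prk, "OWE Key
    # Generation"), PMKID = Truncate-128(Hash(C | A)); ECC C, A, z are x-coords; group is LE16.
    C, Ap = client_x.to_bytes(32, "big"), ap_x.to_bytes(32, "big")
    prk = hmac.new(C + Ap + group.to_bytes(2, "little"), z.to_bytes(32, "big"), hashlib.sha256).digest()
    return hkdf_expand(prk, b"OWE Key Generation", 32), hashlib.sha256(C + Ap).digest()[:16]

def owe_exchange():
    # Station sends C in the Association Request, AP returns A in the Association Response;
    # each side computes z = x(own_priv * peer_pub) and derives (PMK, PMKID) independently.
    c, a = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    C, Ap = ec_mul(c, G), ec_mul(a, G)
    return owe_pmk(C[0], Ap[0], ec_mul(c, Ap)[0]), owe_pmk(C[0], Ap[0], ec_mul(a, C)[0])
```

Calling owe_exchange() shows both sides arriving at the same PMK and PMKID with no credential ever sent over the air; an eavesdropper sees C and A but, lacking either private scalar, cannot compute z.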


Below is a screenshot of the actual frame exchange (excluding ACK frames).



Pros of using Enhanced Open authentication/OWE


From the end-user's point of view, there is no difference between connecting to an SSID using Open authentication (data goes in plain text) and one using Enhanced Open authentication/OWE (data is encrypted).


Capturing the user's data by eavesdropping will be of no use to a hacker, as it is impossible to decrypt the data.


Suppose the user is already associated with the correct Access Point and has network connectivity. In that case, MITM attacks will not happen, as Enhanced Open authentication/Opportunistic Wireless Encryption (OWE) mandates the use of Protected Management Frames.


Note: Protected Management Frames help prevent the spoofed Disassociation/Deauthentication frames typically used in MITM attacks.


Con:

While associating with an Enhanced Open authentication/OWE SSID, the only thing to watch for is not to associate with a fake/rogue AP placed by a hijacker broadcasting the same SSID.


Conclusion: If all the user devices and Access Points on the premises support Enhanced Open authentication/OWE, and there is a need for an SSID that end-users can connect to with zero input, please use OWE/Enhanced Open authentication.


Please do provide any comments or valuable feedback (good or bad) so that I can improve.




