
Wi-Fi Protected Setup

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Cmavr8 (talk | contribs) at 18:05, 30 December 2011. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
[Image: A wireless broadband router that supports WPS]

Wi-Fi Protected Setup (WPS; originally Wi-Fi Simple Config) is a computing standard that attempts to allow easy establishment of a secure wireless home network, but it has been shown to fall easily to brute-force attacks.

Created by the Wi-Fi Alliance and officially launched on January 8, 2007, the protocol is intended to let home users who know little about wireless security, and who may be intimidated by the available security options, set up WPA2 encryption, and to make it easy to add new devices to an existing network without entering long passphrases. In some products, most notably those of TP-Link, it is known as QSS (Quick Security Setup)[1].

Methods

The standard pursues this goal by placing strong emphasis on both usability and security, and it is implemented through four usage models that let a user establish a home network. When adding a new device to the network, the user therefore has up to the following four choices:

  1. PIN Method, in which a Personal Identification Number (PIN) has to be read from either a sticker or the display on the new wireless device. This PIN must then be entered at the "representative" of the network, usually the Access Point of the network. This is the mandatory baseline model; every Wi-Fi Protected Setup certified product must support it. See also "Security Issues".
  2. Push-Button-Method, in which the user simply has to push a button, either an actual or virtual one, on both the Access Point (or a registrar of the network) and the new wireless client device. Support of this model is mandatory for Access Points and optional for connecting devices.
  3. Near-Field-Communication Method, in which the user simply has to bring the new client close to the Access Point to allow a near field communication between the devices. NFC Forum compliant RFID tags can also be used. Support of this model is optional.
  4. USB Method, in which the user uses a USB flash drive to transfer data between the new client device and the Access Point of the network. Support of this model is optional.

The last two models are usually referred to as out-of-band methods, because the information is transferred over a channel other than the Wi-Fi channel itself.

Only the first two modes are currently covered by the Wi-Fi Protected Setup certification. The USB method has been deprecated and is not part of the certification testing.

Technical architecture

The WPS protocol defines three types of devices in a network:

  • Registrar: A device with the authority to issue and revoke credentials to a network. A registrar may be integrated into a wireless access point (AP), or it may be separate from the AP.
  • Enrollee: A device seeking to join a wireless network.
  • AP: An AP functioning as a proxy between a registrar and an enrollee.

The WPS standard defines three basic scenarios that involve these components:

  1. AP with internal registrar capabilities configures an Enrollee STA. In this case, the session will run on the wireless medium as a series of EAP request/response messages, ending with the AP disassociating from the STA and waiting for the STA to reconnect with its new configuration (handed to it by the AP just before).
  2. Registrar STA configures the AP as an enrollee. This case has two dimensions: first, the session can run over either a wired or a wireless medium; second, the AP may already be configured by the time the registrar finds it. In the case of a wired connection between the devices, the protocol runs over Universal Plug and Play (UPnP), and both devices have to support UPnP for that purpose. When running over UPnP, a shortened version of the protocol is used (only 2 messages), as no authentication is required beyond that of the joined wired medium. In the case of a wireless medium, the protocol session is very similar to the internal registrar scenario, just with the roles reversed. As to the configuration state of the AP, the registrar is expected to ask the user whether to reconfigure the AP or keep its current settings, and it may decide to reconfigure the AP even if the AP describes itself as configured. Multiple registrars should be able to connect to the AP. UPnP is intended for a wired medium, but in practice it works over any interface that carries an IP connection; once a wireless connection has been set up manually, UPnP can be used over it in the same way as over a wired link.
  3. Registrar STA configures enrollee STA. In this case the AP stands in the middle and acts as an authenticator, meaning it only proxies the relevant messages from side to side.

Protocol

The WPS protocol consists of a series of EAP message exchanges that are triggered by a user action and relies on an exchange of descriptive information that should precede that user action.

The descriptive information is transferred through a new Information Element (IE) that is added to the beacon and probe response, and optionally to the probe request and association request/response messages. Besides purely informative type-length-value (TLV) attributes, these IEs also carry the configuration methods the device supports and those currently in use.
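The IE described above is a vendor-specific element whose payload is a sequence of TLV attributes. The following Python is an added example, not code from the article or from the Wi-Fi Alliance: it parses such a payload defensively (refusing lengths that overrun the element) and reports what an AP is advertising, which is what you want when auditing whether WPS is still enabled on your own access points. The attribute type codes, the WPS State and Device Password ID values and the Config Methods bits are taken from my reading of the Wi-Fi Simple Configuration specification and are assumptions of this example; the beacon payload is constructed.

```python
import struct

# Payload prefix of the vendor-specific IE (element ID 0xDD) that carries WPS:
# Microsoft OUI 00:50:F2 followed by type 0x04 (WSC).
WPS_OUI_TYPE = b"\x00\x50\xf2\x04"

# WSC attribute type codes (2-byte big-endian). Assumed here from the WSC spec.
ATTR_CONFIG_METHODS = 0x1008
ATTR_DEV_PASSWORD_ID = 0x1012
ATTR_SELECTED_REGISTRAR = 0x1041
ATTR_WPS_STATE = 0x1044
ATTR_VERSION = 0x104A
ATTR_AP_SETUP_LOCKED = 0x1057

WPS_STATE_CONFIGURED = 2   # 1 = not configured, 2 = configured (assumed values)
DEV_PW_ID_PUSHBUTTON = 4   # 0 = default PIN, 4 = push-button session in progress

# Bits of the Config Methods attribute (assumed values; covers the four usage models).
CONFIG_METHOD_BITS = {
    0x0001: "usba", 0x0002: "ethernet", 0x0004: "label", 0x0008: "display",
    0x0010: "ext_nfc_token", 0x0020: "int_nfc_token", 0x0040: "nfc_interface",
    0x0080: "push_button", 0x0100: "keypad",
}


def parse_wps_ie(ie_body: bytes) -> dict:
    """Walk the TLV attributes after the OUI/type header and return {type: raw value}."""
    if not ie_body.startswith(WPS_OUI_TYPE):
        raise ValueError("not a WPS vendor-specific IE")
    attrs = {}
    pos = len(WPS_OUI_TYPE)
    while pos + 4 <= len(ie_body):
        attr_type, attr_len = struct.unpack_from(">HH", ie_body, pos)
        pos += 4
        if pos + attr_len > len(ie_body):
            # A buggy or malformed beacon can declare a length that overruns the
            # element; refuse it instead of reading past the end.
            raise ValueError("truncated WPS attribute 0x%04x" % attr_type)
        attrs[attr_type] = ie_body[pos:pos + attr_len]
        pos += attr_len
    if pos != len(ie_body):
        raise ValueError("trailing bytes after last attribute")
    return attrs


def rejects(ie_body: bytes) -> bool:
    """True if the parser refuses the payload (used to check the overrun guard)."""
    try:
        parse_wps_ie(ie_body)
    except ValueError:
        return True
    return False


def _u8(attrs: dict, attr_type: int, default: int = 0) -> int:
    value = attrs.get(attr_type)
    return value[0] if value else default


def _u16(attrs: dict, attr_type: int, default: int = 0) -> int:
    value = attrs.get(attr_type)
    return struct.unpack(">H", value)[0] if value and len(value) == 2 else default


def describe_wps(attrs: dict) -> dict:
    """Turn parsed attributes into the facts an AP audit cares about."""
    state = _u8(attrs, ATTR_WPS_STATE)
    locked = bool(_u8(attrs, ATTR_AP_SETUP_LOCKED))
    methods = _u16(attrs, ATTR_CONFIG_METHODS)
    return {
        "configured": state == WPS_STATE_CONFIGURED,
        "setup_locked": locked,
        "pbc_active": _u16(attrs, ATTR_DEV_PASSWORD_ID) == DEV_PW_ID_PUSHBUTTON,
        "config_methods": sorted(n for bit, n in CONFIG_METHOD_BITS.items() if methods & bit),
        # The PIN model is the mandatory baseline, so a configured AP that has not
        # set AP Setup Locked is still accepting PIN-based registrar sessions.
        "pin_registrar_exposed": state == WPS_STATE_CONFIGURED and not locked,
    }


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack(">HH", attr_type, len(value)) + value


# Constructed sample: a WPS 1.0 AP that is configured, advertises the label (PIN)
# and push-button methods, has no PBC session running and is not locked.
SAMPLE_IE = WPS_OUI_TYPE + b"".join([
    _attr(ATTR_VERSION, b"\x10"),
    _attr(ATTR_WPS_STATE, bytes([WPS_STATE_CONFIGURED])),
    _attr(ATTR_AP_SETUP_LOCKED, b"\x00"),
    _attr(ATTR_DEV_PASSWORD_ID, struct.pack(">H", 0)),
    _attr(ATTR_CONFIG_METHODS, struct.pack(">H", 0x0004 | 0x0080)),
])


def audit_sample() -> dict:
    return describe_wps(parse_wps_ie(SAMPLE_IE))


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(f"{key}: {value}")
```

On a real capture you would feed `parse_wps_ie` the bytes that follow the element ID and length octet of each 0xDD element in a beacon or probe response; the "pin_registrar_exposed" flag is the one to watch when checking that WPS has actually been disabled on an AP.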

After the capabilities of the device on both ends have been identified, a human trigger initiates the actual session of the protocol. The session consists of 8 messages, followed, in the case of a successful session, by a message indicating that the protocol is done. The exact stream of messages may differ when configuring different kinds of devices (AP or STA) or when using different physical media (wired or wireless).

Security Issues

In December 2011, US-CERT (vulnerability note VU#723755) reported a design flaw that makes brute-force attacks significantly easier to perform against Wi-Fi networks that have Wi-Fi Protected Setup enabled, and that can allow an unauthorized computer to gain access to the Wi-Fi network. The only effective workaround is to disable Wi-Fi Protected Setup[2].

Each PIN is 8 digits long, with the last digit being a checksum of the previous digits[3]. Thus there are always 7 unknown digits, yielding 10^7 = 10,000,000 possible combinations. Because of this vulnerability, however, the acknowledgement messages sent back and forth to the access point can be used to verify the first four and the last three of those unknown digits independently of each other[4]. This means that there are only 10^4 + 10^3 = 11,000 possible combinations to try, which makes a brute-force attack far more viable (the number of combinations has been reduced by almost 3 orders of magnitude).
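To make the arithmetic above concrete, here is an added Python example (not from the article) that implements the PIN checksum rule and computes the two search-space sizes, so that the 10^7 versus 11,000 figures can be checked rather than taken on faith. The checksum rule itself (digits in positions 1, 3, 5 and 7 weighted by 3, the others by 1, and the checksum chosen so the total is a multiple of 10) is taken from the WCN-NET specification cited above and is an assumption of this example; the sample PIN 12345670 is constructed.

```python
def wps_pin_checksum(first_seven: int) -> int:
    """Checksum digit for the 7-digit body of a WPS PIN.

    Assumed rule (from the WCN-NET / WSC spec): weight the digits 3,1,3,1,3,1,3
    from left to right and pick the digit that makes the total a multiple of 10.
    The loop consumes digits from the right, so the 7th, 5th, 3rd and 1st digits
    get weight 3.
    """
    accum, n = 0, first_seven
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True only for an 8-digit string whose last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_pin_checksum(int(pin[:7]))


def valid_pins_with_prefix(prefix: str) -> list:
    """All 8-digit PINs sharing a 7-digit prefix; exactly one passes the checksum."""
    return [prefix + str(d) for d in range(10) if is_valid_wps_pin(prefix + str(d))]


def count_valid_pins(upper: int) -> int:
    """Count checksum-valid PINs among 00000000 .. upper-1 (one per 7-digit prefix)."""
    return sum(1 for p in range(upper) if is_valid_wps_pin("%08d" % p))


def candidates_in_search_space(halves_verified_independently: bool) -> int:
    """Guesses needed to cover the PIN space when the AP enforces the checksum.

    Without the flaw every 7-digit body must be tried: 10^7.
    With the flaw described above, the first four digits are confirmed on their
    own, then the remaining three (the 8th is the checksum): 10^4 + 10^3.
    """
    if halves_verified_independently:
        return 10**4 + 10**3
    return 10**7


def reduction_in_orders_of_magnitude() -> float:
    """log10(10^7 / 11,000), i.e. 'almost 3 orders of magnitude'."""
    import math
    return math.log10(candidates_in_search_space(False) / candidates_in_search_space(True))


if __name__ == "__main__":
    print("checksum for 1234567 ->", wps_pin_checksum(1234567))
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("valid PINs per prefix:", valid_pins_with_prefix("1234567"))
    print("valid PINs below 100000:", count_valid_pins(100_000))
    print("naive search space:", candidates_in_search_space(False))
    print("split-verified search space:", candidates_in_search_space(True))
    print("reduction (orders of magnitude): %.2f" % reduction_in_orders_of_magnitude())
```

The `count_valid_pins` check is the point of the exercise from a defender's view: the checksum removes nothing from the attacker's work (exactly one in ten candidates survives it, so 10^8 becomes 10^7), and the independent verification of the two halves then collapses 10^7 to 11,000, which is why the article's workaround is to disable WPS rather than rely on the PIN's length.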

References

  1. How to connect to your wireless network by QSS function which complies with WPS
  2. Allar, Jared (December 27, 2011). "Vulnerability Note VU#723755 - WiFi Protected Setup PIN brute force vulnerability". Vulnerability Notes Database. United States Computer Emergency Readiness Team. Retrieved December 28, 2011.
  3. "Windows Connect Now–NET (WCN-NET) Specifications". Microsoft Corporation. December 8, 2006. Retrieved December 30, 2011.
  4. Viehbock, Stefan (December 26, 2011). "Brute forcing Wi-Fi Protected Setup" (PDF). Retrieved December 30, 2011.