Wi-Fi Protected Setup

From Wikipedia, the free encyclopedia

Wi-Fi Protected Setup (WPS) is a standard for easy and secure establishment of a wireless home network, created by the Wi-Fi Alliance and officially launched on January 8, 2007.

The goal of the WPS protocol is to simplify the process of connecting any home device to the wireless network, which is why it was first named 'Wi-Fi Simple Config'. The protocol is also meant to prevent home users from exposing their networks to attack, and especially to free-loading on their internet connection, by making it easy to configure the Wi-Fi Protected Access parameters of the network.

The standard achieves its goal by putting strong emphasis on usability and security. The concept is implemented through four usage models that enable a user to establish a home network, although only the first two models are currently covered by the Wi-Fi Protected Setup Certification. To add a new device to the network, for example, the user can have up to four choices:

  1. PIN Method, in which a PIN (Personal Identification Number) has to be read from either a sticker on the new STA or a display, if there is one, and entered at the "representative" of the network, either the AP or a Registrar of the network (see Protocol Architecture below).
    This is the mandatory baseline model: every Wi-Fi Protected Setup certified product must support it.
  2. PBC Method, in which the user simply has to push a button, either an actual or virtual one, on both the AP (or a Registrar of the Network) and the new wireless client device (STA).
    Support of this model is mandatory for APs and optional for STAs.
  3. NFC Method, in which the user simply has to bring the new STA close to the AP or Registrar of the network to allow Near Field Communication between the devices. NFC Forum compliant RFID tags can also be used.
    Support of this model is optional.
  4. USB Method, in which the user uses a USB stick to transfer data between the new STA and the AP or Registrar of the network.
    Support of this model is optional.

The last two models are usually referred to as out-of-band methods, as the information is transferred over a channel other than the Wi-Fi channel itself.

This page addresses the common scenario involving an infrastructure network and not the uncommon scenario of an IBSS, which the standard optionally supports as well.


Protocol Architecture

The WPS protocol defines three types of devices in a network:

  • Registrar: A device with the authority to issue and revoke credentials for a network. A Registrar may be integrated into an AP, or it may be separate from the AP.
  • Enrollee: A device seeking to join a wireless LAN network.
  • Authenticator: An AP functioning as a proxy between a Registrar and an Enrollee.

The WPS standard defines three basic scenarios that involve these components:

  1. AP with internal registrar capabilities configures an Enrollee STA. In this case, the session will run on the wireless medium as a series of EAP request/response messages, ending with the AP disassociating from the STA and waiting for the STA to reconnect with its new configuration (handed to it by the AP just before).
  2. Registrar STA configures the AP as an Enrollee. This case has two aspects: first, the session could occur over either a wired or a wireless medium, and second, the AP could already be configured by the time the Registrar finds it. In the case of a wired connection between the devices, the protocol runs over UPnP, and both devices have to support UPnP for that purpose. When running over UPnP, a shortened version of the protocol is run (only 2 messages), since no authentication is required other than that of the joined wired medium. In the case of a wireless medium, the protocol session is very similar to the internal registrar scenario, just with opposite roles. As to the configuration state of the AP, the Registrar is expected to ask the user whether to reconfigure the AP or keep its current settings, and can decide to reconfigure it even if the AP describes itself as configured. Multiple Registrars should have the ability to connect to the AP.
  3. Registrar STA configures Enrollee STA. In this case the AP stands in the middle and acts as an Authenticator, meaning it only proxies the relevant messages from side to side.

Although UPnP is commonly regarded as applying only to a wired medium, it actually applies to any interface over which an IP connection can be set up. This means that after a wireless connection has been set up manually, UPnP can be used over the wireless medium in the same manner as over the wired one.

Protocol Structure

The WPS protocol itself consists of a series of EAP message exchanges that is triggered by a user action and relies on an exchange of descriptive information that should precede that user action.

The descriptive information is transferred through a new IE that is added to the Beacon and Probe Response frames and optionally to the Probe Request and Association Request/Response frames. Other than purely informative TLVs, those IEs also hold the possible, and the currently deployed, configuration methods of the device. The WPS IE has an element ID (type field) with a value of 221 and an OUI of 00-50-F2-04. The data part of the IE is constructed out of TLVs that describe the device and its capabilities.
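As an added example (not code from the article or from the Wi-Fi Alliance), the following Python parses the WPS IE described above out of a beacon or probe response IE body and returns the device's advertised state and configuration methods, or None if the AP does not advertise WPS at all; this is the check a network owner would run to inventory which APs still advertise WPS. The attribute type IDs and configuration-method bit values are taken from the WSC specification rather than from this page, and the beacon bytes are constructed.

```python
import struct
VENDOR_SPECIFIC_ID = 221                       # element ID of a vendor-specific IE
WPS_OUI_AND_TYPE = bytes.fromhex("0050f204")   # OUI 00-50-F2 followed by type 04 marks WPS
# WPS attribute (TLV) type IDs from the WSC specification; these are not given on the page
ATTR_VERSION, ATTR_WPS_STATE, ATTR_CONFIG_METHODS, ATTR_DEVICE_NAME = 0x104A, 0x1044, 0x1008, 0x1011
CONFIG_METHOD_BITS = {0x0001: "USBA", 0x0002: "Ethernet", 0x0004: "Label", 0x0008: "Display",
                      0x0040: "NFC Interface", 0x0080: "PushButton", 0x0100: "Keypad"}

def iter_ies(body):  # yield (element_id, payload) for each 802.11 IE: 1-byte id, 1-byte length, value
    off = 0
    while off + 2 <= len(body):
        eid, ln = body[off], body[off + 1]
        payload = body[off + 2:off + 2 + ln]
        if len(payload) != ln:                 # refuse a frame whose length byte overruns the body
            raise ValueError("truncated IE at offset %d" % off)
        yield eid, payload
        off += 2 + ln

def parse_wps_tlvs(data):  # WPS data part: big-endian 2-byte type, 2-byte length, value
    attrs, off = {}, 0
    while off + 4 <= len(data):
        atype, alen = struct.unpack(">HH", data[off:off + 4])
        value = data[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated WPS attribute 0x%04x" % atype)
        attrs[atype] = value
        off += 4 + alen
    return attrs

def summarize_wps(body):  # summary of the WPS IE in an IE body, or None if the AP does not advertise WPS
    for eid, payload in iter_ies(body):
        if eid == VENDOR_SPECIFIC_ID and payload.startswith(WPS_OUI_AND_TYPE):
            attrs = parse_wps_tlvs(payload[len(WPS_OUI_AND_TYPE):])
            version = attrs.get(ATTR_VERSION, b"\x00")[0]          # 0x10 encodes version 1.0
            methods = struct.unpack(">H", attrs.get(ATTR_CONFIG_METHODS, b"\x00\x00"))[0]
            return {"version": "%d.%d" % (version >> 4, version & 0x0F),
                    "configured": attrs.get(ATTR_WPS_STATE, b"\x00")[0] == 2,   # 2 = configured
                    "device_name": attrs.get(ATTR_DEVICE_NAME, b"").decode("utf-8", "replace"),
                    "config_methods": [n for b, n in sorted(CONFIG_METHOD_BITS.items()) if methods & b]}
    return None

# Constructed sample IE body: SSID "test", a non-WPS vendor IE (OUI 00-50-F2 type 01), then a WPS IE
SAMPLE_BEACON_IES = bytes.fromhex(
    "000474657374" "dd060050f2010100"  # SSID IE, then a vendor IE the OUI/type check must skip
    "dd1e0050f204"                     # WPS IE header: 30-byte payload, OUI 00-50-F2, type 04
    "104a000110" "1044000102"          # Version = 1.0, WPS State = configured
    "100800020084"                     # Config Methods = Label | PushButton
    "10110006546573744150"             # Device Name = "TestAP"
)
```

A malformed frame (an IE or attribute whose length field overruns the data) raises ValueError rather than being silently misparsed.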

After the device's capabilities have been identified on both ends, a human trigger initiates the actual session of the protocol. The session consists of 8 messages, followed in the case of a successful session by a message indicating that the protocol is done. The exact stream of messages may change when configuring different kinds of devices (AP or STA) or using different physical mediums (wired or wireless).

Wi-Fi Protected Setup Certification

Currently there are several products certified to use the WPS standard. Most of these products were chosen as part of the test-bed for the certification before being certified themselves.

The products in the test-bed are:

  • Atheros AR5002AP-2X Concurrent 802.11a & 802.11b/g Dual Band Access Point
  • Atheros AR5006X Universal 802.11a/b/g Wireless Network Adapter
  • Broadcom BCM94704AGR
  • Buffalo AirStation WHR-HP-AMPGV
  • Buffalo AirStation # WLI-CB-AMG54
  • Conexant Solos
  • Marvell Dual Band Wireless Home Gateway Model# AP-85
  • Marvell Libertas 802.11a/g/b Wireless (USB55)
  • Ralink RT5201 dual-band Access Point Reference Design
  • Ralink RT5201 dual-band reference design
  • Ralink RT5201USB dual-band reference design
  • Realtek RTL8186P&RTL8225 802.11a/b/g Wireless SoC / RTL8186P
  • Realtek RTL8185&8225 802.11g 54M WLAN NIC / RTL8185&8225-NIC
  • Realtek RTL8187&8225 USB2.0-802.11g WLAN dongle / RT USB2.0-11g Dongle
  • Realtek RTL8187B&RTL8225 USB2.0-802.11g WLAN dongle / RT USB2.0-11g Dongle

Microsoft Windows Vista includes a new tool called WCN, which provides WPS capability through UPnP alone and uses the PIN method only.

The Intel® PROSet/Wireless Software Version 11.1 also enables the use of WPS, but for specific hardware only.

The only product so far to have gone through certification after the test-bed was announced is:

  • Texas Instruments AR7W/TNETW1350A Access Point

This information may change in the near future.

See also

  1. The Wi-Fi Alliance Official Site
  2. Wi-Fi Protected Setup Knowledge Center at the Wi-Fi Alliance
  3. The UPnP Forum Main Page
  4. UPnP Device Architecture