Wi-Fi Protected Setup
Wi-Fi Protected Setup (WPS; originally Wi-Fi Simple Config) is a computing standard for easy and secure establishment of a wireless home network. Created by the Wi-Fi Alliance and officially launched on January 8, 2007, the goal of the protocol is to allow home users who know little of wireless security and may be intimidated by the available security options to set up the encryption method WPA, as well as making it easy to add new devices to an existing network without entering long passphrases.
Methods
The standard achieves its goal by placing much emphasis on usability and security, and the concept is implemented through four usage models that enable a user to establish a home network. Thus adding a new device to the network provides the user with up to the following four choices:
- PIN Method, in which a Personal Identification Number (PIN) has to be read from either a sticker or the display on the new wireless device (station, STA). This PIN must then be entered at the "representative" of the network, usually the Access Point of the network. This is the mandatory baseline model; every Wi-Fi Protected Setup certified product must support it.
- Push-Button Method, in which the user simply has to push a button, either an actual or virtual one, on both the Access Point (or a registrar of the network) and the new wireless client device. Support of this model is mandatory for Access Points and optional for connecting devices.
- Near-Field-Communication Method, in which the user simply has to bring the new client close to the Access Point to allow a near field communication (NFC) between the devices. NFC Forum compliant RFID tags can also be used. Support of this model is optional.
- USB Method, in which the user uses a USB flash drive to transfer data between the new client device and the Access Point of the network. Support of this model is optional.
The last two models are usually referred to as out-of-band methods, as the information is transferred over a channel other than the Wi-Fi channel itself.
Only the first two modes are currently covered by the Wi-Fi Protected Setup certification. The USB method has been deprecated and is not part of the certification testing.
Technical architecture
The WPS protocol defines three types of devices in a network:
- Registrar: A device with the authority to issue and revoke credentials to a network. A registrar may be integrated into a wireless access point (AP), or it may be separate from the AP.
- Enrollee: A device seeking to join a wireless network.
- AP: An AP functioning as a proxy between a registrar and an enrollee.
The WPS standard defines three basic scenarios that involve these components:
- AP with internal registrar capabilities configures an Enrollee STA. In this case, the session will run on the wireless medium as a series of EAP (Extensible Authentication Protocol) request/response messages, ending with the AP disassociating from the STA and waiting for the STA to reconnect with its new configuration (handed to it by the AP just before).
- Registrar STA configures the AP as an enrollee. This case has two aspects: first, the session could occur on either a wired or a wireless medium, and second, the AP could already be configured by the time the registrar found it. In the case of a wired connection between the devices, the protocol runs over Universal Plug and Play (UPnP), and both devices will have to support UPnP for that purpose. When running over UPnP, a shortened version of the protocol is run (only 2 messages), as no authentication is required other than that of the joined wired medium. In the case of a wireless medium, the session of the protocol is very similar to the internal registrar scenario, just with opposite roles. As to the configuration state of the AP, the registrar is expected to ask the user whether to reconfigure the AP or keep its current settings, and can decide to reconfigure it even if the AP describes itself as configured. Multiple registrars should have the ability to connect to the AP. UPnP is intended to apply only to a wired medium, while actually it applies to any interface over which an IP connection can be set up. Thus, once a wireless connection has been set up manually, UPnP can be used over it in the same manner as over a wired one.
- Registrar STA configures enrollee STA. In this case the AP stands in the middle and acts as an authenticator, meaning it only proxies the relevant messages from side to side.
Protocol
The WPS protocol consists of a series of EAP message exchanges that are triggered by a user action and relies on an exchange of descriptive information that should precede that user's action. The descriptive information is transferred through a new Information Element (IE) that is added to the beacon, probe response and optionally to the probe request and association request/response messages. Other than purely informative Type-length-values (TLVs), those IEs will also hold the possible, and the currently deployed, configuration methods of the device.
After the identification of the device's capabilities on both ends, a human trigger initiates the actual session of the protocol. The session consists of 8 messages that are followed, in the case of a successful session, by a message to indicate the protocol is done. The exact stream of messages may change when configuring different kinds of devices (AP or STA) or using different physical media (wired or wireless).
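The following parser is an added example (not code from this page or from the Wi-Fi Alliance) illustrating both the IE/TLV advertisement described above and the configuration methods listed under Methods: it walks the information elements of a beacon or probe response, locates the WPS IE, decodes its TLV attributes, and reports which usage models (PIN, push-button, NFC, USB) the AP advertises, together with its configured/locked state. The vendor OUI, attribute type codes, Config Methods bits and Device Password ID values are taken from the WPS specification, not from the page; the beacon bytes are constructed inline for the demonstration. An auditor can run it over captured management frames to inventory which access points still advertise the PIN method.

```python
"""Decode the WPS Information Element an AP advertises in beacon/probe
response frames. Added example; format details (vendor IE 0xDD with OUI
00:50:F2 type 0x04, big-endian 16-bit type/length TLVs, attribute codes
and bit values) come from the WPS specification, not from the page."""
import struct
from typing import Optional

WPS_OUI_AND_TYPE = b"\x00\x50\xf2\x04"   # Microsoft OUI + WPS OUI type

# WPS attribute type codes (WPS specification)
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044            # 1 = not configured, 2 = configured
ATTR_SELECTED_REGISTRAR = 0x1041   # bool: a registrar is currently active
ATTR_DEVICE_PASSWORD_ID = 0x1012   # which credential the session will use
ATTR_CONFIG_METHODS = 0x1008       # bitmask of supported methods
ATTR_AP_SETUP_LOCKED = 0x1057      # bool: AP refuses further PIN sessions
ATTR_MANUFACTURER = 0x1021

# Config Methods bits. Label/Display/Keypad belong to the PIN model,
# PushButton to the push-button model, NFC bits and USBA to the out-of-band ones.
CONFIG_METHOD_BITS = {
    0x0001: "USBA", 0x0002: "Ethernet", 0x0004: "Label", 0x0008: "Display",
    0x0010: "ExtNFCToken", 0x0020: "IntNFCToken", 0x0040: "NFCInterface",
    0x0080: "PushButton", 0x0100: "Keypad",
}
PIN_BITS = 0x0004 | 0x0008 | 0x0100
PBC_BIT = 0x0080
WPS_STATE = {1: "not configured", 2: "configured"}
DEVICE_PASSWORD_ID = {0: "Default (PIN)", 1: "User-specified", 2: "Machine-specified",
                      3: "Rekey", 4: "PushButton", 5: "Registrar-specified"}


def encode_attr(atype: int, value: bytes) -> bytes:
    """Encode one WPS TLV attribute (used to build the constructed sample)."""
    return struct.pack(">HH", atype, len(value)) + value


def encode_ie(eid: int, value: bytes) -> bytes:
    """Encode one 802.11 information element (id, length, value)."""
    return bytes([eid, len(value)]) + value


def find_wps_ie(ies: bytes) -> Optional[bytes]:
    """Return the WPS IE body (after the OUI/type prefix) from an IE list, or
    None if WPS is not advertised. Only the single-IE case is handled; a WPS
    IE over 255 bytes is fragmented across several vendor IEs."""
    off = 0
    while off < len(ies):
        if off + 2 > len(ies):
            raise ValueError("truncated IE header")
        eid, elen = ies[off], ies[off + 1]
        value = ies[off + 2: off + 2 + elen]
        if len(value) != elen:
            raise ValueError("truncated IE at offset %d" % off)
        if eid == 0xDD and value.startswith(WPS_OUI_AND_TYPE):
            return value[len(WPS_OUI_AND_TYPE):]
        off += 2 + elen
    return None


def parse_wps_attributes(body: bytes) -> dict:
    """Decode the TLV attribute list into {type: raw value}; a length that
    would overrun the IE is rejected instead of being read past the end."""
    attrs, off = {}, 0
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated attribute header at offset %d" % off)
        atype, alen = struct.unpack_from(">HH", body, off)
        off += 4
        if off + alen > len(body):
            raise ValueError("attribute 0x%04x length %d overruns IE" % (atype, alen))
        attrs[atype] = body[off:off + alen]
        off += alen
    return attrs


def summarise_wps(ies: bytes) -> Optional[dict]:
    """Summarise the AP's WPS advertisement, or None if it has no WPS IE."""
    body = find_wps_ie(ies)
    if body is None:
        return None
    a = parse_wps_attributes(body)
    u8 = lambda t: a[t][0] if t in a and len(a[t]) == 1 else None
    u16 = lambda t: struct.unpack(">H", a[t])[0] if t in a and len(a[t]) == 2 else None
    methods = u16(ATTR_CONFIG_METHODS) or 0
    return {
        "state": WPS_STATE.get(u8(ATTR_WPS_STATE), "unknown"),
        "locked": u8(ATTR_AP_SETUP_LOCKED) == 1,
        "selected_registrar": u8(ATTR_SELECTED_REGISTRAR) == 1,
        "device_password_id": DEVICE_PASSWORD_ID.get(u16(ATTR_DEVICE_PASSWORD_ID), "unknown"),
        "config_methods": [n for bit, n in CONFIG_METHOD_BITS.items() if methods & bit],
        "pin_method_offered": bool(methods & PIN_BITS),
        "pbc_method_offered": bool(methods & PBC_BIT),
        "manufacturer": a.get(ATTR_MANUFACTURER, b"").decode("utf-8", "replace"),
    }


# Constructed sample: IE list of a beacon from a configured AP that advertises
# the Label (PIN) and PushButton methods and is not locked.
SAMPLE_IES = (
    encode_ie(0x00, b"HomeNet")                          # SSID
    + encode_ie(0x01, bytes([0x82, 0x84, 0x8B, 0x96]))   # supported rates
    + encode_ie(0xDD, WPS_OUI_AND_TYPE
                + encode_attr(ATTR_VERSION, b"\x10")
                + encode_attr(ATTR_WPS_STATE, b"\x02")
                + encode_attr(ATTR_AP_SETUP_LOCKED, b"\x00")
                + encode_attr(ATTR_SELECTED_REGISTRAR, b"\x00")
                + encode_attr(ATTR_DEVICE_PASSWORD_ID, b"\x00\x00")
                + encode_attr(ATTR_CONFIG_METHODS, struct.pack(">H", 0x0004 | 0x0080))
                + encode_attr(ATTR_MANUFACTURER, b"ExampleCo"))
)

if __name__ == "__main__":
    for key, val in summarise_wps(SAMPLE_IES).items():
        print("%-20s %s" % (key, val))
```

On a real capture, the IE list is the variable part of the beacon or probe response body after the fixed fields (timestamp, beacon interval, capabilities). The parser deliberately checks every length against the remaining bytes before slicing, since these frames arrive unauthenticated over the air and a malformed element must not be able to push the decoder past the buffer.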
External links
- Wi-Fi Protected Setup Knowledge Center at the Wi-Fi Alliance
- UPnP device architecture