HOSTAPD wpa_supplicant Madwifi Detailed analysis (ix)--WPS principle and realization of a


This article is based on the "Wi-Fi Simple Configuration Technical Specification Version 2.0.5" document; please refer to it for more details. What follows is only a simple record of my own understanding.

I. The three WSC implementations

WSC (Wi-Fi Simple Configuration): one look at the name tells you this protocol is meant for lazy people, so I translate it as the "fast wireless network access" protocol. It mainly covers three kinds of quick connection:

1. WPS: Anyone reading this article probably knows what WPS is for, but I believe many people do not, because the friends around me always ask what the WiFi password is and never ask where the WPS button is. Users abroad, however, prefer this feature: they set passwords dozens of characters long with special characters that they cannot even remember themselves, let alone tell you, so WPS is a good way to solve the problem. One reason wired is more secure than wireless is that nobody can easily plug a network cable into someone else's router, whereas it is easy to find the router's wireless signal and try to crack it by various means. But if the router uses a key dozens of characters long with CCMP encryption, I think no one would want to crack it.

WPS mainly consists of two quick access methods: PIN (personal identification number) and PBC (push button configuration).

The router PIN is a string of digits stored in the router and printed on its label. It is used in the "external registrar" authentication mode, which requires only the router's PIN, and a design flaw in this mode allows brute-force guessing of the PIN. When PIN validation fails, the access point sends an EAP-NACK message back to the client. From the EAP-NACK messages sent back, the attacker can determine whether the first half of the PIN is correct, and the last digit of the PIN is also known because it is a checksum of the PIN. This design greatly reduces the number of attempts needed to brute-force a PIN, from 10^8 to 10^4 + 10^3. According to reports, some wireless routers have no lock-out policy for brute-force attempts, which greatly reduces the time needed for a successful brute-force attack. There are also reports that some routers end up in a denial-of-service condition because of brute-force attempts and need to be restarted. To deal with this, routers generally limit the number of failures with a Pin_lock_down setting: if it is 5, the PIN is locked after 5 failed verifications and no further PIN attempts are accepted.
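The checksum digit and the Pin_lock_down limit described above, as an added example (not code from the original article or from hostapd). The checksum routine follows the WSC PIN check-digit rule; `PinLockDown` and its return strings are hypothetical names, and the PINs are constructed sample values.

```python
import hmac


def wps_pin_checksum(first7: int) -> int:
    """Check digit for the first seven PIN digits (weights 3,1,3,1,... from the right)."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    """True if pin is eight ASCII digits and the eighth digit is the checksum."""
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


class PinLockDown:
    """Hypothetical AP-side failure counter for the router PIN (assumed limit: 5)."""

    def __init__(self, ap_pin: str, max_failures: int = 5):
        if not wps_pin_valid(ap_pin):
            raise ValueError("AP PIN fails the checksum")
        self.ap_pin = ap_pin
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def attempt(self, pin: str) -> str:
        if self.locked:
            return "locked"  # stays locked until an administrator resets it
        if wps_pin_valid(pin) and hmac.compare_digest(pin, self.ap_pin):
            self.failures = 0
            return "accepted"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return "rejected"


if __name__ == "__main__":
    ap = PinLockDown("12345670")          # constructed sample PIN
    for _ in range(5):
        print(ap.attempt("00000000"))     # wrong PIN, counted as a failure
    print(ap.attempt("12345670"))         # correct PIN, but the AP is now locked
```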

The client PIN is a PIN randomly generated by the wireless client. When connecting to the router, it is entered into the router to authenticate the connection, which is safer than using the router PIN.

When the PBC button is pressed, the router starts broadcasting beacon frames carrying the WSC IE. When a wireless client receives them, it knows that an AP nearby accepts WPS connections, and it sends an association request. This association is not a real connection; it exists only to complete the eight-message WPS authentication exchange and obtain the router's authentication information, including SSID, PSK, encryption type and so on. After obtaining this information, the client disconnects from the router and then uses the information to establish the RSNA (the normal 4-way handshake process).

2. P2P (peer-to-peer): This protocol lets two STAs connect to each other directly. Does that remind you of Bluetooth? Yes, it can work like Bluetooth: two devices connect to each other and transfer files quickly and reliably. But Bluetooth's low power consumption is the weak point of Wi-Fi Direct. For listening to music or making phone calls I think Wi-Fi Direct uses a bit too much power, and a Bluetooth headset is the cost-effective way to do those things. Apart from power consumption, I think Wi-Fi Direct can do almost everything Bluetooth can. I bought a Bluetooth speaker, and one room away the sound quality is poor, but with Wi-Fi Direct it is fine even down to the first floor. If this protocol matures, it should save a lot of network cable.

3. NFC (contactless radio frequency identification): This protocol lets your wireless client get online just by tapping the router. Isn't that more convenient? It is like scanning barcodes in a supermarket. If one day you walk into a restaurant, tap your phone, find all the dishes you ordered ready, and are connected to the wireless network automatically, wouldn't that feel thoughtful? It is a pleasant thing to imagine.


II. Basic Concepts

Registrar: An entity with the authority to issue and revoke Domain Credentials. A Registrar may be integrated into an AP, or it may be separate from the AP. A Registrar may not have WLAN capability. A given Domain may have multiple Registrars. Plainly speaking, it is not a person but a server to which devices that need to be authenticated report, so below I call it the "authentication server" and the Enrollee the "access side".

Enrollee: A Device seeking to join a WLAN Domain. Once an Enrollee obtains a valid credential, it becomes a Member.

Stand-alone External Registrar (SAER): An External Registrar that is not embedded in a wireless STA. For example, it may be embedded in an Ethernet-connected device, or may be software installed on any networking device.

WSC IE: The WSC information element. It is carried mainly in beacon frames, probe requests and probe responses to indicate a WSC connection; the information obtained from the IE in these frames is neither encrypted nor authenticated.

In-band: Data transfer using the WLAN communication channel, including WLAN multiband devices (e.g. 2.4GHz, 5GHz, and 60GHz).

Out-of-band: Data transfer using a communication channel other than the WLAN.

In-band and out-of-band are two of the more important concepts. The difference shows mainly in how the PIN is entered: if the wireless client's PIN is entered into the router through a web page or similar means, that is in-band, because it travels over the same channel as the wireless traffic. With NFC it is not, because NFC works at 13.56MHz, which is definitely not a WLAN channel.

What we discuss here is in-band: router PIN, client PIN and PBC.

III. Core Structure

The document draws the WPS authentication structure like this:

This diagram looks a bit like a portal and a bit like an implementation of the 802.1X protocol. Either way, the configuration is somewhat difficult for the user.

This structure requires at least three devices: the enrollee acts as the client, the AP as the access point, and the registrar as the authentication server:

The enrollee's role is similar to that of a supplicant: it initiates a registration request to the registrar.
The registrar checks the legitimacy of the enrollee. The registrar can also configure the AP.
The AP also needs to register with the registrar, so from the registrar's point of view the AP is an enrollee too.
The AP interacts with both the registrar and the enrollee. The enrollee obtains the AP's security configuration information from the registrar and then uses that information to join the wireless network provided by the AP.

Note that these three components are only logical concepts. This structure is called: AP with an External Registrar.

In a specific implementation, the AP and the registrar can be implemented by the same entity or by separate entities.

In practical applications, however, the AP and the registrar are implemented by a single device, so I prefer this:

This structure is what is usually called the Standalone AP.

IV. In-band Setup Using a Standalone AP/Registrar

There are in fact also EAP-based setup of an External Registrar and Ethernet-based setup of an External Registrar. They are not analysed here; the following mainly analyses the commonly used standalone AP method.


1. After WSC starts on the AP side, the AP broadcasts beacon frames carrying the WSC IE to declare that it supports WSC.

2. If the enrollee receives a beacon from the AP, it parses the WSC IE in the beacon and sends a unicast probe request to the AP. If the enrollee does not receive a beacon with the WSC IE, it searches for nearby APs that support WSC by sending broadcast probe requests.

If the enrollee discovers two or more APs running WPS, it stops in the discovery phase. Similarly, if the AP discovers two or more enrollees trying to establish a WPS connection, the AP stops running WPS. If one day you press the WPS button on your router and the WPS lamp flashes for only a few seconds, it may be that two enrollees were trying a WPS connection at the same time.

3. When the AP receives a probe request with the WSC IE, it replies with a probe response that also carries the WSC IE. This tells the enrollee a good deal of information, and the enrollee decides its next move based on it.


4. This dashed line is a watershed. For PIN-based WPS a PIN has to be entered at this step; for push button nothing is entered. The PIN can be either the AP PIN or the client PIN, which determines whether it is entered on the AP side or on the enrollee side. This input is in-band; of course the information can also be entered out-of-band, for example with NFC.

5. Once the enrollee has the AP's information and has judged that the conditions for access are met, it attempts to authenticate with the AP by sending it an Auth frame.

6. The AP sees who has arrived and generously lets the authentication succeed, replying with an Auth success frame.

7. The enrollee then sends an association request carrying the WSC IE. This information is important: it tells the AP "I am using the 802.1X WPS 1.0 protocol, and our following M1-M8 exchange will follow this protocol too, so get ready; if you cannot accept this protocol, tell me in time."

8. The AP in effect answers: rest assured, I support this protocol, so go ahead and associate and we will complete the exchange that follows. The AP then sends an association response to the enrollee to complete the association.

9. EAPOL-Start is sent.

10. Before the STA and AP run the EAP-WSC process, the AP needs to determine the identity of the STA and the authentication algorithm to use. This involves three EAP packet exchanges. First, the AP sends EAP-Request/Identity to determine the STA's ID.

11. An STA that intends to use the WSC authentication method sets the identity "WFA-SimpleConfig-Enrollee-1-0" in its EAP-Response/Identity reply.

12. After the AP determines that the identity of the STA is "WFA-SimpleConfig-Enrollee-1-0", it sends an EAP-Request/WSC_Start packet to start the EAP-WSC authentication process. This process involves the M1~M8 messages.

13-20. The M1 to M8 exchange

Getting a little impatient at this point? It doesn't matter: read up on EAP and EAPOL first, or simply look at the 802.1X protocol. 802.1X was originally dedicated to wireless LANs, but later it also flourished on PPP.

EAPOL: Extensible Authentication Protocol over LAN, that is, EAP running on a LAN. Why "extensible"? The EAP protocol is the core of the IEEE 802.1X authentication mechanism, and the authentication itself is done by subordinate EAP method protocols. Remember this diagram: there are many kinds of EAP methods, but EAP does not fix the authentication method at the link establishment stage. Instead it defers that to the "authentication" stage, so that the authenticator can decide which method to use after getting more information. So WPS authentication is negotiated after association completes. The later analysis shows that the result of the negotiation is the EAP-WSC method, a new EAP method defined by the WSC specification using EAP's extension mechanism.

M1: After the identity to be used is confirmed, the registrar sends a WSC_Start message to the enrollee to tell it that the authentication exchange can start. The enrollee then sends the M1 message to the registrar. Let's see what it sends to the registrar.


UUID-E: The UUID of the STA.

MAC Address: The MAC address of the STA.

Enrollee Nonce: A random number generated by the STA, used for subsequent key derivation and other work.

Public Key: The source for STA and AP key derivation is also the PMK. The WSC PIN method does not use a PSK (the PIN does not play the role of a PSK); instead both sides use the Diffie-Hellman[6] (D-H) key exchange algorithm, which lets the two parties agree on a symmetric key. Note that the D-H algorithm can only be used to exchange keys, not to encrypt and decrypt messages. Once both sides have determined the key to use, messages are encrypted and decrypted with a separate symmetric-key algorithm. The Public Key attribute contains the enrollee's D-H key value.

Authentication Type Flags and Encryption Type Flags: The authentication algorithms and encryption algorithm types supported by the enrollee.

Connection Type Flags: The 802.11 network types supported by the device; the value 0x01 represents ESS and the value 0x02 represents IBSS.

M2: If the M2 message that the registrar sends to the enrollee travels out-of-band, the registrar includes ConfigData in it. When M2 is sent out-of-band, encrypting ConfigData is optional, because the channel is assumed to be safe and not overheard. Even so, it is strongly recommended that ConfigData sent out-of-band be encrypted with KeyWrapKey.

When an AP is configured in-band by an external registrar, the registrar needs to obtain the AP's current configuration from the M7 message in order to decide whether the new configuration should overwrite the AP's old configuration or the AP's original configuration should be kept. For example, routers have a "keep existing WiFi setting" option; if it is turned off, the AP goes into the unconfigured state, and on a WPS connection the AP is configured according to the new rules or the wireless client's information.


· Registrar Nonce: The random number generated by the registrar.

· Public Key: For the D-H algorithm, the registrar side's D-H key value.

· Authenticator: A 256-bit binary string is obtained from HMAC-SHA-256 and AuthKey (see below for details). Note that the Authenticator attribute contains only the first 64 bits of it.

Before the AP sends M2, it uses the Enrollee Nonce, Enrollee MAC and Registrar Nonce, together with the D-H algorithm, to compute a KDK (Key Derivation Key). The KDK is used to derive three other keys: AuthKey (256-bit), used to encrypt some attributes in the RP protocol; KeyWrapKey (128-bit), used to encrypt nonces and ConfigData (that is, some security configuration information); and EMSK (Extended Master Session Key), from which keys for other uses are derived.
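The KDK derivation and its expansion into AuthKey, KeyWrapKey and EMSK, as an added example (not code from the original article or from hostapd/wpa_supplicant). The formulas DHKey = SHA-256(shared secret), KDK = HMAC-SHA-256(DHKey, N1 || EnrolleeMAC || N2), the KDF label and the Authenticator input are taken from the WSC specification rather than from this page; the D-H group is a short stand-in, and the nonces, MAC and message bytes are constructed.

```python
import hashlib
import hmac
import secrets

# Stand-in D-H group (assumption, to keep the example short): the Mersenne
# prime 2**521 - 1. WSC itself uses a 1536-bit MODP group with generator 2.
P = 2**521 - 1
G = 2
P_LEN = (P.bit_length() + 7) // 8
KDF_LABEL = b"Wi-Fi Easy and Secure Key Derivation"


def dh_keypair():
    """Return (private, public) for one side of the exchange."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def derive_kdk(own_priv, peer_pub, enrollee_nonce, enrollee_mac, registrar_nonce):
    """KDK = HMAC-SHA-256(SHA-256(g^ab mod p), N1 || EnrolleeMAC || N2)."""
    shared = pow(peer_pub, own_priv, P).to_bytes(P_LEN, "big")
    dh_key = hashlib.sha256(shared).digest()
    msg = enrollee_nonce + enrollee_mac + registrar_nonce
    return hmac.new(dh_key, msg, hashlib.sha256).digest()


def wsc_kdf(kdk, total_bits=640):
    """Expand the KDK into AuthKey (256), KeyWrapKey (128) and EMSK (256)."""
    out = b""
    i = 1
    while len(out) * 8 < total_bits:
        block = i.to_bytes(4, "big") + KDF_LABEL + total_bits.to_bytes(4, "big")
        out += hmac.new(kdk, block, hashlib.sha256).digest()
        i += 1
    out = out[: total_bits // 8]
    return {"AuthKey": out[:32], "KeyWrapKey": out[32:48], "EMSK": out[48:80]}


def authenticator(auth_key, prev_msg, cur_msg):
    """First 64 bits of HMAC-SHA-256 over the previous and current message."""
    return hmac.new(auth_key, prev_msg + cur_msg, hashlib.sha256).digest()[:8]


def demo():
    """Both sides derive the same keys from their own private value."""
    e_priv, e_pub = dh_keypair()
    r_priv, r_pub = dh_keypair()
    n1, n2 = secrets.token_bytes(16), secrets.token_bytes(16)
    mac = bytes.fromhex("001122334450")          # constructed enrollee MAC
    kdk_e = derive_kdk(e_priv, r_pub, n1, mac, n2)
    kdk_r = derive_kdk(r_priv, e_pub, n1, mac, n2)
    return kdk_e, kdk_r, wsc_kdf(kdk_r)


if __name__ == "__main__":
    kdk_e, kdk_r, keys = demo()
    print("KDK match:", kdk_e == kdk_r)
    print({name: len(value) * 8 for name, value in keys.items()})
```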

M3:


· Registrar Nonce: The value comes from the Registrar Nonce attribute of M2.

· The calculation of the E-Hash1 and E-Hash2 attributes is more complex. According to the WSC specification, E-Hash1 and E-Hash2 are calculated as follows:

1) Use AuthKey and the PIN with the HMAC algorithm to generate two PSKs. PSK1 is generated from the first half of the PIN, and PSK2 from the second half of the PIN.

2) Encrypt two new random nonces using AuthKey to get E-S1 and E-S2.

3) Use the HMAC algorithm with AuthKey over (E-S1, PSK1, the STA's D-H key and the AP's D-H key) to calculate E-Hash1; E-Hash2 is calculated from E-S2, PSK2, the STA's D-H key and the AP's D-H key.

· Authenticator is a string of bits that the STA calculates using AuthKey (after receiving the Registrar Nonce in M2, the STA also calculates an AuthKey).
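The E-Hash1/E-Hash2 computation from steps 1) and 3), as an added example (not code from the original article or from wpa_supplicant). E-S1 and E-S2 are treated as given 128-bit secret values; truncating each PSK to the first 128 bits of the HMAC output follows the WSC specification rather than this page, and AuthKey, the public keys and the PINs are constructed. It shows that each half of the PIN is committed and checked on its own, which is why a lock-down limit on failed PIN attempts matters.

```python
import hashlib
import hmac


def hmac256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def pin_psks(auth_key: bytes, pin: str):
    """PSK1 from the first half of the PIN, PSK2 from the second half."""
    half = (len(pin) + 1) // 2
    psk1 = hmac256(auth_key, pin[:half].encode())[:16]
    psk2 = hmac256(auth_key, pin[half:].encode())[:16]
    return psk1, psk2


def e_hashes(auth_key, pin, e_s1, e_s2, pk_e, pk_r):
    """E-Hash1 and E-Hash2 as sent by the enrollee in M3."""
    psk1, psk2 = pin_psks(auth_key, pin)
    return (hmac256(auth_key, e_s1 + psk1 + pk_e + pk_r),
            hmac256(auth_key, e_s2 + psk2 + pk_e + pk_r))


def check_half(auth_key, own_pin, half_index, revealed_secret, peer_hash, pk_e, pk_r):
    """Recompute one hash from the locally known PIN once E-S1 or E-S2 is revealed."""
    psk = pin_psks(auth_key, own_pin)[half_index]
    expected = hmac256(auth_key, revealed_secret + psk + pk_e + pk_r)
    return hmac.compare_digest(expected, peer_hash)


if __name__ == "__main__":
    auth_key = bytes(range(32))                  # constructed AuthKey
    pk_e, pk_r = b"\x01" * 192, b"\x02" * 192    # constructed D-H public keys
    e_s1, e_s2 = b"\xaa" * 16, b"\xbb" * 16      # constructed secret values
    h1, h2 = e_hashes(auth_key, "12345670", e_s1, e_s2, pk_e, pk_r)
    # The checking side holds a PIN whose first half matches and second half differs.
    print(check_half(auth_key, "12349990", 0, e_s1, h1, pk_e, pk_r))  # True
    print(check_half(auth_key, "12349990", 1, e_s2, h2, pk_e, pk_r))  # False
```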

M4:


· The AP calculates R-Hash1 and R-Hash2. The PIN used is the one the user entered through the AP's setup interface. Obviously, if the PIN on the AP is incorrect, the STA will find R-Hash1/2 and E-Hash1/2 inconsistent when comparing them and will terminate the EAP-WSC process.

· Encrypted Settings: Obtained by the AP by encrypting R-S1 with KeyWrapKey.

M5:


M6:


Encrypted Settings: Obtained by the AP by encrypting R-S2 with KeyWrapKey.

M7:

Following the pattern of M5 and M6, in M7 the STA sends the AP E-S2 encrypted with KeyWrapKey for verification. When the AP determines that the M7 message is correct, it sends the M8 message, which carries the critical security configuration information.

M8:

The security configuration information is stored in Encrypted Settings, which is encrypted with KeyWrapKey. The WSC specification stipulates that when the enrollee is an STA (an AP is also an enrollee from the registrar's point of view), Encrypted Settings contains several attributes, the most important of which is the Credential attribute set. Its contents are as follows (the enrollee discussed here is an STA):


When the STA receives M8 and decrypts the Credential attribute set, it obtains the AP's security settings. Without WSC, the user would have to enter this information manually; with WSC, the AP sends it to the STA in M8.

After the STA obtains this information, it generally saves it by writing it into the wpa_supplicant.conf file, and the STA can then connect to the AP normally using this configuration file.

root:~/run# cat wpa_supplicant-ath11.conf
ctrl_interface=/var/run/wpa_supplicant-ath11
config_methods=virtual_display virtual_push_button physical_push_button
wps_cred_processing=2
update_config=1
uuid=87654321-9abc-def0-1234-001122334450
network={
        scan_ssid=1
        ssid="r8500-5g-2"
        key_mgmt=WPA-PSK
        proto=RSN
        psk="12345678"
        pairwise=CCMP
        group=CCMP TKIP
}

The STA can then use this information to join the AP's target wireless network.

After the STA finishes processing the M8 message, it replies to the AP with a WSC_Done message, indicating that it has processed M8 successfully.


· The AP sends EAP-Fail and deauthentication frames to the STA. On receiving them, the STA disassociates from the AP.

· The STA rescans the surrounding wireless networks. Because the STA has obtained the AP's configuration information, it can use it to join the wireless network where the AP resides.
