HOSTAPD wpa_supplicant Madwifi Detailed analysis (11)--wps principle and implementation three

This article mainly to tidy up about the side corner of WSC, some of the more important and not explained in front of some of the concepts to do some supplement, if the previous two articles understand more clearly, you can skip.

Let's start by adding some information about the PBC.

The first two articles analyze the PIN, and the main work of the M3-M7 message is to confirm that both Enrollee and registrar have the same pin on their hand, and then send Enrollee to ConfigData with M8. But the PBC's WPS connection is a very lazy behavior, it not only does not need to enter the correct PIN code, and directly tell us that our interactive verification pin code is "00000000", it can be said that M3-M7 's security work is almost superfluous, Enrollee's security guarantees are directly dependent on

(1). The discovery phase of the probe request and the description of the probe response, and the 2min waiting time window. When using the PBC mode, it is assumed that we agreed that a certain 2min of the PBC connection is safe, there will be no one to invade this time period, if someone is detected in the invasion or there are multiple enrollee trying to connect, registrar will terminate all interaction, And wait for some time before allowing to try again.

(2). Dh-key (k_tmp) degree of secrecy, because in the equation KwK = Hmac-dhkey (N1 | | Enrolleemac | | N2), the content in parentheses can be obtained by listening to the wireless WPS interaction message.

In fact, the PBC does not refer to the simple click of the WPS button, it is a generic, including all the conditions that can trigger the PBC method can be called the PBC, including software simulation trigger, DTV and hardware buttons and so on. Because PBC method is not a reliable way, it is not allowed to manage the AP configuration in this way, whether through M8 messages or management interfaces, which also means that the AP does not support the use of PBC to add external registrar, nor does it support the administration of derived keys for subsequent APS.

The use of the PBC mode requires that the user be in the 2min timeline, and both Enrollee and registrar will trigger the PBC to run. On both sides of the trigger, enrollee if an active registrar is found, it does not immediately execute registration Protocol,enrollee first scans all of its own supported 802.11 Channel to discover if there are other registrar nearby that have activated PBC mode.

Enrollee sends the probe request carrying device password ID (with the PBC flag) through the broadcast and collects probe response messages if enrollee from the probe collected Response message inside found more than two registrar in the PBC mode, Enrollee will terminate the connection, and then send a "session overlap" to the user, if a "session overlap" error occurred, The user receives a prompt from the UI that instructs the user to wait a while before trying again. It is noteworthy that in dual-band APS and dual-band STA environments, the STA may find that multiple registrar have active PBC mode, and if the dual-band STA discovers that there are running PBC on the two band of the dual-band AP, and the UUID inside the Beacon Packet and probe Response is the same, then STA will not regard this as the session overlap event. If the enrollee scan is complete and only one registrar has an active PBC, Enrollee will immediately start registration Protocol with the registrar.

When registrar activates the PBC, registrar begins to check if the received probe request package is from multiple enrollee and also detects if the probe request package is received within 120s after the button is pressed. In this 120 time window, if registrar received multiple enrollee sent by the PBC probe request package, or registrar received M1 message inside UUID-E and probe request inside UUID-E is not the same, Then registrar will be born "session overlap" error, and prompt the user. Registrar then exits the PBC mode until the following two conditions are met:

(1) The user presses the PBC button again

(2) in the New 2min time window, only one enrollee was detected running the PBC

If Registrar discovers another enrollee request package or probe message when it interacts with enrollee for the PBC registration protocol, then M1 will also take a "session Overla "error. At this point registrar will be the next time to receive M1-M8 messages, reply to a wsc_nack message back.

If you press the button again at 2min, it is equivalent to restarting it again and timing it again at 2min.

Registrar when you run the PBC, if you receive a M1 message, it compares probe in UUID-E and UUID-E request in M1 to confirm whether the next step continues sending M2 messages (i.e., if the uuid-e of the PBC M1 Message does not match the UUID-E from the PBC probe request message, and then the PBC M1 message shall being rejected by the Reg Istrar with m2d using Configuration Error 12-multiple PBC sessions detected). Enrollee after receiving M3, it will use device password for 00000000 for the subsequent m3-m8 interaction.

Is the flowchart of the PBC when using an external registrar:

The next step is to add some implications for each of the attributes data bits

1.AP Setup Locked

When this is set to 1, the AP enters a state that rejects the external registrar using the AP's PIN code to perform the registration protocol. In general, if there are 3 pin certification failures in the 60s will enter this state, lock 60s after the automatic release, or reconfigure the AP settings will be solved.

2.Association State

This value indicates the current configuration and the previous association state of the STA when sending discovery request

3.Authentication Type

This value is from authentication Types table, and if both registrar and enrollee use a WPS version of 2.0 or higher, you can use 0x0022 to represent mixed encryption (both Wpa-personal and Wpa2-personal enabled). 1.0h There is no description of mixed encryption, and for backwards compatibility, there is only one value 0x0020 wpa2-personal can be used in both the new version and the old version, only 0x0022 This encryption method can be set at the same time two, All other encryption methods can only be set to one.

4.Authentication Type Flags

This value indicates how the authentication type is encrypted

5.Authenticator

It is a keyed hash data whose value depends on the content of the message being processed, The WPS Specification 1.0 and 2.0 are all using the hmac-sha-256 algorithm, and in the M1-M8 message, the default value used by the HMAC algorithm is authkey. If the default key is not available, the key is used Identifier The key specified inside the attribute. To reduce the payload size of the message, Authenticator attribute generally only takes the first 64 bits of the 256 bits in the result.

This value can actually be regarded as a check code, its role is mainly used to confirm that the message has been sent correctly.

6.AuthorizedMACs

This is a table containing the enrollee MAC address that is used to register the enrollee that started the WSC process. This table is sent in the beacon Packet of the AP and the probe response package to tell enrollee if there was a previous registration to initiate the WSC process.

7.Configuration Methods

This attribute is important to determine which method to use for WPS interaction, usually with more PBC and PIN

Display also needs to be subdivided into physical display or virtual display. The difference is that physical display indicates that the PIN code can be displayed directly on the device's own screen, while virtual display can only be viewed in other ways (since most wireless routers do not have a screen, so in general, The user can only view the pin from the device page in the browser. keypad indicates that the PIN code can be entered in the device. In addition, whether the push button is supported is expressed by the push button bit. As with the PIN code, it also physical push button and virtual push button.

8.Configuration Error

9.Connection type & Connection type Flags

This value is used to denote enrollee properties, which are generally ESS

10.Credential

Access credentials for WLAN and related configuration information

11.Device Password ID

This attribute is primarily used to specify device password with 7 predetermined values and 7 reserved values, the default being the PIN code, which may be from a label, display, or user-specified password. Registrar-specified value indicates the device password obtained from Registrar, which may be either display or Out-of-band method, which may be added to the "Identity" in M1 in the future Attribute inside.

12.Encryption type & Encryption Type Flags

Specifies a type of encryption in which the criteria above 2.0 for WSC can support mixed encryption (both wpa-personal with TKIP and wpa2-personal with AES enabled), but when 1.0h and 2.0 intersect, only the 0x0008 Aes.

13.Message Type

Specifying message types

14.Network Key

Enrollee requires a wireless network encryption key, this property cannot be filled 0

15.Primary Device Type

The Primary Device Type property represents the primary type of the appliance. At the discovery phase stage, the interacting party can specify the type of device to search for (you need to set the requested device Type property, which has the same structure and value as the primary device type). In this way, only those parties that match the primary device type and the target devices types will respond.

The specification also defines a property called the secondary device type list, which contains device types that are supported by the device in addition to the primary device type. The specific device type is the same value as primary device. Discovery phase stage, the secondary Device Type list can also be used as a search match condition.

16.Request Type & Response type

· The request type attribute must be included in the Probe/association request frame, representing the STA as the action Enrollee want to initiate. This property generally takes a value of 0x01 (meaning Enrollee,open 802802.1X), represents the device as enrollee, and wants to carry out the WSC follow-up process. It also has a value of 0x00 (meaning Enrollee,info only), which means that the STA just wants to search for APS that support WSC, and temporarily does not want to join a network.

· The Response Type property represents the role that the sender plays. For the AP, the value is 0x03 (meaning AP), for Registrar, its value is 0x02, for enrollee, its value can be 0x00 (Enrollee,info only) and 0x01 (Enrollee,open 802.1X). The Standalone AP also belongs to the AP.

. RF Bands

18.wi-fi Simple Configuration State

For STA, the Wi-Fi simple Configuration state flag bit should always be ' not Configured ' (0x01) in the M1 it sends.

For the AP, the Wi-Fi simple config state flag bit is used in the beacon,probe response and M1 to indicate whether the AP is configured, and if the AP is just restored to the factory, the AP is "not Configured "status, the AP switches to the configured state" configured "(0x02) after any one of the following conditions is met:

1.AP after the external registrar configuration, that is, the AP to the external registrar send wsc_done message, the AP will become configured state

2. is automatically configured by the internal registrar, that is, the AP will become configured when it receives Wsc_done response messages from the first enrollee during the process of enrollee registration.

3.AP is manually configured by the user, that is, as long as the user has modified the SSID, encryption algorithm, authentication algorithm, password or any one of the keys, will let the AP never configure the state to switch to the configured state, but when the AP restored to the factory, it will become a non-configured state.

It is important to note that regardless of whether the AP is in a configured state or not configured, it will not affect the continuation of STA enrollee Registration protocol, which means that enrollee ignores the Wi-Fi simple Configuration of the AP State attribute.

Finally, the interactive process of WSC is briefly reviewed.

Discovery Phase : In fact, the discovery phase is mainly the compatibility of the device and the configuration information at both ends to verify that the next interaction is matched. The check information includes the WSC version information used, request type, device type, RF band,conguration method,device password ID, configuration and associated results, and so on. The UUID is also checked for the way the push button is.

Certification and Association phase : This process in the actual application, generally will not be wrong, because it does not have a real detection authentication key, it will ignore the corresponding RSN ie and WPA ie detection, directly reply to auth successful package

identification Phase : Before the EAP-WSC process is carried out on both the STA and AP, the AP needs to determine the identity of the STA and the authentication algorithm used. The process involves three EAP packet exchanges (refer). The contents of the three-time package exchange are as follows.

· The AP sends eap-request/identity to determine the ID of the STA.

• For an STA intending to use the WSC authentication method, it needs to set the identity "wfa-simpleconfig-enrollee-1-0" in the eap-response/identity package of the reply.

· After the AP determines that the STA's identity is "wfa-simpleconfig-enrollee-1-0", the Eap-request/wsc_start package is sent to initiate the EAP-WSC authentication process. This process involves M1~M8-related knowledge.

M1-M8: Please refer to the previous article, here is a brief review of the algorithm used in the meantime and some important keys

(1) Diffie-hellmen: It is a key exchange algorithm, not an encryption algorithm. For encrypted transmission of normal packets, after exchanging the keys, the shared key (D-hkey) can be used in conjunction with an encryption algorithm to encrypt the data to be sent, which can be decrypted with the shared key (D-hkey) after receiving the packet. Of course, in M1-M8, the D-hkey is not used directly for data encryption, but it is used to calculate a derived key kdk.

(2) Hmac-sha-256:hmac is a message digest algorithm, compatible with the characteristics of the MD and SHA algorithms, the hmac-sha-256 algorithm is one of them, HMAC, mainly using a hashing algorithm, a key and a message as input, generate a message digest as output. So in this algorithm, the main variable is the key and the message.

(3) KDK:KDK = hmac-sha-256dhkey (N1 | | Enrolleemac | | N2), which is used by D-hkey as a key, N1 | | Enrolleemac | | N2 as a message computed identification code, KDK used to derive Authkey, Keywrapkey and Emsk, these three keys each have their own purposes, especially Authkey, Keywrapkey for the encryption of M3-M8 has a key role.

(4) Derivation of three keys for AuthKey, Keywrapkey and Emsk

The algorithm used to derive these three keys is the KDF function: AuthKey | | Keywrapkey | | Emsk = KDF (KDK, "Wi-Fi easy and Secure Key derivation", 640), below is a brief introduction to how they derive. Note: The PRF function is a hmac-sha-256 function that can be keyed

KDF (Key, Personalization_string, total_key_bits):
Result: = ""
Iterations = (total_key_bits + prf_digest_size–1)/prf_digest_size
For i = 1 to iterations do
Result: = Result | | PRF (key, I | | personalization_string | | total_key_bits)
Return 1st Total_key_bits of result and destroy any bits left over

In this function, the key is a 256-bit kdk,i and Total_key_bits is an integer of 32bit, Personalization_string is a UTF-8 encoded string that does not end with a space, using the big-endian concatenation.

So KDF (KDK, "Wi-Fi easy and secure key derivation", 640) {      char *digest= "Wi-Fi easy and secure key derivation";      Char result[]= "";      iterations= (640 + strlen (Digest))/strlen (digest);            for (int i=1; i <= iterations; i++)      {          result=result| | Hmac-sha-256<em><span style= "font-size:10px;" >kdk</span></em><span style= "FONT-SIZE:12PX;" > (i| | digest| | 640) </span><em><span style= "font-size:10px;" ></span></em>      }      The first 640 bits of the return result}

It was so pleasant to get the results of the arrival 640-bit calculation. Let's talk about Authkey, Keywrapkey and Emsk.

authkey (in bits): Used to identify registration Protocol messages.
keywrapkey (BITS): Used to encrypt nonces and ConfigData.
emsk: It is a Extended Master Session key, which is used to derive other keys or for other applications.

I don't know, careful, have you found 256+128+256=? That's right! It's 640, you don't have to explain it here. Authkey | | Keywrapkey | | Emsk = KDF, AuthKey, Keywrapkey and Emsk three values how did you get it? is to divide the 640 bits into 3 segments, 256+128+256 are assigned to Authkey, Keywrapkey and Emsk respectively.

Perhaps the "| |" as "append stitching" will be better understood.

(5) Calculation of some important parameters in M1-M3:

Es1,es2 is a 128-bit random number generated on the enrollee side, which differs from N1,N2

Rs1,rs2 is a 128-bit random number generated on the Registrar side, which differs from N1,N2

E-HASH1 = Hmac-authkey (ES1 | | PSK1 | | PKE | | PKR)

E-HASH2 = Hmac-authkey (ES2 | | PSK2 | | PKE | | PKR)

R-HASH1 = Hmac-authkey (RS1 | | PSK1 | | PKE | | PKR)

R-HASH2 = Hmac-authkey (RS2 | | PSK2 | | PKE | | PKR)

Enc-keywrapkey (R-S1)

Enc-keywrapkey (E-S1)

Enc-kewrapkey (R-S2)

Enc-keywrapkey (E-S2)

Enc-keywrapkey (ConfigData)

Hmacauthkey (Mx | | mx+1*)

From these expressions it should be seen that Authkey, Keywrapkey in the M3-M8 message is how important role.

Disconnect Association : After acquiring access credentials to the WLAN, it is necessary to disconnect the AP, enrollee with the obtained information to re-establish a normal connection with the AP.

HOSTAPD wpa_supplicant Madwifi Detailed analysis (11)--wps principle and implementation three