Sunday, February 2, 2014


WPS (Wi-Fi Protected Setup) is a WFA Certification program that is intended to allow the users to easily connect to a secure home or small office Wi-Fi network. It is also used for establishing the connection between two Wi-Fi Direct devices.

Connection establishment between a STA and AP using WPS can be done in of the the following ways:

  • Push Button Configuration (PBC): By pressing a physical/virtual button on the STA and AP
  • PIN
    • Enter STA PIN in the AP
    • Enter AP PIN in the STA
      • A good description of this method and its vulnerabilities can be found here
  • NFC (Near Field Communication)
    • This is "out of band" method (PBC and PIN are "in band"). 
    • An example of this is the "S-Beam"

This article is about what happens between an STA and AP in the "STA PIN in the AP" method.

Basic steps in WPS

Connection establishment to a WPA2 network using "In Band" WPS procedure consists of the following steps:

  • Authentication and Association (Round 1)
  • WPS EAP Procedure
    • EAP Start, Identity request/response
    • WPS registration procedure(M1 to M8)
    • EAP Done (Ends with an EAP Failure as this is not real Network authentication) 
  • Deauthentication
  • Authenticaton and Association (Round 2)
  • EAPOL 4-way handshake (WPA2 Keys)

WPS PIN procedure may fail in the following cases:
  • STA(Enrollee) initiates the procedure before AP (registrar) has the PIN
    • This is not a "total" failure. STA understands that it has to wait and retry.
  • User enters an incorrect PIN in the AP

WPS STA PIN : Sequence Diagram

The below sequence diagram is based on tests run between a mobile phone (STA) and an AP. The sniffer logs for the tests can be found here.


  1. Thoughtful explanation.I Strucked why AP sends deauth at first time when STA tries to associate.After see ur blog I got struck free.Thanks..

  2. Thanks for nice explanation. I tried to download the sniffer logs from the "WPS STA PIN : Sequence Diagram" section "Click here" part. But its not downloading. Looks like logs are removed from that location. Could you please share it across. That will help me to a great extent. Thanks a lot once again.