WPS (Wi-Fi Protected Setup) is a WFA (Wi-Fi Alliance) certification program intended to let users connect easily to a secure home or small office Wi-Fi network. It is also used to establish the connection between two Wi-Fi Direct devices.
Connection establishment between a STA and an AP using WPS can be done in one of the following ways:
- Push Button Configuration (PBC): by pressing a physical or virtual button on the STA and on the AP
- PIN
  - Enter the STA PIN in the AP
  - Enter the AP PIN in the STA
  - A good description of this method and its vulnerabilities can be found here
- NFC (Near Field Communication)
  - This is an "out of band" method (PBC and PIN are "in band").
  - An example of this is "S-Beam"
This article is about what happens between a STA and an AP in the "STA PIN in the AP" method.
Basic steps in WPS
Connection establishment to a WPA2 network using the "In Band" WPS procedure consists of the following steps:
- Authentication and Association (Round 1)
- WPS EAP Procedure
  - EAP Start, Identity request/response
  - WPS registration procedure (M1 to M8)
  - EAP Done (ends with an EAP Failure, as this is not a real network authentication)
- Deauthentication
- Authentication and Association (Round 2)
- EAPOL 4-way handshake (WPA2 keys)
The WPS PIN procedure may fail in the following cases:
- The STA (Enrollee) initiates the procedure before the AP (Registrar) has the PIN
  - This is not a "total" failure: the STA understands that it has to wait and retry.
- The user enters an incorrect PIN in the AP
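As an added example (not part of the original article), a small Python check that walks the frame labels of a capture in the order listed above and reports whether the WPS registration (M1 to M8) and the WPA2 4-way handshake completed, distinguishing the normal EAP Failure after M8 from one that cuts the registration short. The frame labels and the two sample sequences are constructed for illustration and are not taken from the article's sniffer logs.

```python
from typing import Dict, List, Optional

# Expected frame order for the in-band WPS (STA PIN) flow listed above.
# "Auth"/"Assoc" appear twice: once before the WPS EAP exchange and once
# after the deauthentication, when the real WPA2 connection is made.
EXPECTED_FLOW: List[str] = [
    "Auth", "Assoc",                                  # Round 1
    "EAP-Start", "EAP-Identity-Req", "EAP-Identity-Resp",
    "M1", "M2", "M3", "M4", "M5", "M6", "M7", "M8",   # WPS registration
    "EAP-Failure",                                    # normal end of the WPS EAP exchange
    "Deauth",
    "Auth", "Assoc",                                  # Round 2
    "EAPOL-1", "EAPOL-2", "EAPOL-3", "EAPOL-4",       # WPA2 4-way handshake
]

M8_POS = EXPECTED_FLOW.index("M8")


def analyse_wps_flow(frames: List[str]) -> Dict[str, object]:
    """Walk a list of frame labels (one per frame, as read off a sniffer log)
    and report how far along the expected flow the exchange got."""
    idx = 0                      # index in EXPECTED_FLOW of the frame expected next
    unexpected: Optional[str] = None
    for frame in frames:
        if idx == len(EXPECTED_FLOW):
            break                # flow already complete; ignore trailing frames
        if frame == EXPECTED_FLOW[idx]:
            idx += 1
        else:
            unexpected = frame   # first out-of-order frame ends the analysis
            break
    registration_complete = idx > M8_POS
    return {
        "registration_complete": registration_complete,
        "handshake_complete": idx == len(EXPECTED_FLOW),
        "stopped_at": EXPECTED_FLOW[idx] if idx < len(EXPECTED_FLOW) else None,
        "unexpected": unexpected,
        # An EAP-Failure is only the normal ending once M8 has been exchanged;
        # earlier it means the registration was aborted (the article lists a
        # wrong PIN, or a Registrar that does not have the PIN yet, as causes).
        "aborted_registration": unexpected == "EAP-Failure" and not registration_complete,
    }


# Constructed sample sequences (not real captures).
GOOD_FLOW = list(EXPECTED_FLOW)
ABORTED_FLOW = EXPECTED_FLOW[:EXPECTED_FLOW.index("M5")] + ["EAP-Failure", "Deauth"]

if __name__ == "__main__":
    print(analyse_wps_flow(GOOD_FLOW))
    print(analyse_wps_flow(ABORTED_FLOW))
```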
WPS STA PIN: Sequence Diagram
The sequence diagram below is based on tests run between a mobile phone (STA) and an AP. The sniffer logs for the tests can be found here.