STA-AP: WPS STA PIN Procedure

WPS (Wi-Fi Protected Setup) is a WFA Certification program that is intended to allow the users to easily connect to a secure home or small office Wi-Fi network. It is also used for establishing the connection between two Wi-Fi Direct devices.

Connection establishment between a STA and AP using WPS can be done in of the the following ways:

• Push Button Configuration (PBC): By pressing a physical/virtual button on the STA and AP
• PIN
• Enter STA PIN in the AP
• Enter AP PIN in the STA
• A good description of this method and its vulnerabilities can be found here
• NFC (Near Field Communication)
• This is "out of band" method (PBC and PIN are "in band"). 
• An example of this is the "S-Beam"

This article is about what happens between an STA and AP in the "STA PIN in the AP" method.

Basic steps in WPS

Connection establishment to a WPA2 network using "In Band" WPS procedure consists of the following steps:

• Authentication and Association (Round 1)
• WPS EAP Procedure
• EAP Start, Identity request/response
• WPS registration procedure(M1 to M8)
• EAP Done (Ends with an EAP Failure as this is not real Network authentication) 
• Deauthentication
• Authenticaton and Association (Round 2)
• EAPOL 4-way handshake (WPA2 Keys)

WPS PIN procedure may fail in the following cases:

• STA(Enrollee) initiates the procedure before AP (registrar) has the PIN
• This is not a "total" failure. STA understands that it has to wait and retry.
• User enters an incorrect PIN in the AP

WPS STA PIN : Sequence Diagram

The below sequence diagram is based on tests run between a mobile phone (STA) and an AP. The sniffer logs for the tests can be found here.