WPS (Wi-Fi Protected Setup) is a certification program run by the Wi-Fi Alliance (http://www.wi-fi.org/) whose purpose is to simplify the installation and security configuration of wireless LANs. Traditionally, when a user sets up a new wireless network, they must manually configure the network name (SSID) and security key on the access point and then verify that key on every client to keep uninvited guests out. The whole process requires the user to have background knowledge of Wi-Fi devices and the ability to change the necessary settings. Wi-Fi Protected Setup configures the network name (SSID) and strong WPA encryption and authentication automatically; the user only needs to enter a personal identification number (PIN method) or press a button (Push Button Configuration, PBC) to join the WLAN securely. This greatly simplifies wireless security setup. Wi-Fi Protected Setup supports many Wi-Fi CERTIFIED 802.11 products, including access points, wireless adapters, Wi-Fi phones and other consumer electronics devices.
· WPS automatically configures the network name (SSID) and the WPA security key for the access point and the WPS client devices on the network.
· When connecting a WPS device, the user does not need to understand concepts such as SSID or security key.
· The security key is randomly generated, so it cannot be guessed from a dictionary the way a human-chosen passphrase can. This is a property of the key itself, not of the enrollment method: the 8-digit PIN used to hand the key out is a much smaller search space than the key it protects.
· The user does not have to type a memorized passphrase or a long hexadecimal string.
· Information and network credentials are exchanged over the air inside the Extensible Authentication Protocol (EAP), the authentication framework also used by WPA2. EAP only carries the messages; the confidentiality and authentication of the exchange come from the WPS Registration Protocol running inside those EAP frames.
· WPS is supported on Windows Vista.
· WPS does not support "ad hoc" networks, in which devices communicate directly without an AP.
· All Wi-Fi devices on the network must be WPS certified or WPS compatible; otherwise WPS cannot be used to simplify security configuration.
· Because the key WPS generates is a random hexadecimal string, adding a non-WPS client to a WPS network is inconvenient: the user has to copy the random key out of the AP's settings and type it into the client by hand.
· WPS is a new certification, so not every vendor supports it yet.
· WPS is a non-proprietary specification; it is a certification program run by the Wi-Fi Alliance.
· WPS is an optional certification for Wi-Fi CERTIFIED products.
o Not every Wi-Fi CERTIFIED product supports WPS. Look for the Wi-Fi Protected Setup logo on the product to make sure it has the feature.
· Products certified for Wi-Fi Protected Setup currently offer users two setup methods:
o PIN entry: mandatory for WPS certified devices.
o Push Button Configuration (PBC): a hardware button on the device or a button simulated in software (optional for wireless clients).
o NFC (optional): the optional NFC method, like PBC, joins devices to a network without requiring the manual entry of a PIN. In NFC configuration, Wi-Fi Protected Setup is activated simply by touching the new device to the AP or another device with Registrar capability.
· In PIN mode, a Registrar runs on the access point or wireless router; the user enters the client's PIN into the Registrar, which then issues credentials to the device being added. (Note: PBC also needs a Registrar; it runs the same protocol with the client PIN fixed to all zeros, 00000000.)
· WPS adds no new security features; it makes existing security technology easier to configure.
Configuration and security on Wi-Fi Protected Setup devices can be compared to the familiar "lock and key" metaphor of traditional home security. The specification provides a simple, consistent procedure for adding new devices to established Wi-Fi networks based upon a discovery protocol that is consistent across vendors. This procedure automatically uses a Registrar to issue the credentials of devices being enrolled on the network. All Wi-Fi CERTIFIED APs with Wi-Fi Protected Setup possess Registrar capability; additionally, the Registrar can reside on any device on the WLAN. A Registrar that resides on the AP is referred to as an internal Registrar. A Registrar that resides on another device on the network is referred to as an external Registrar. A Wi-Fi Protected Setup network can support multiple Registrars on a single WLAN.
The process the user follows to configure a new device on the WLAN begins with an action that can be compared to inserting a key into a lock (i.e. launching the configuration wizard and entering the PIN, pushing the PBC button, or touching one NFC device to another). At this stage, the user is seeking access.
Wi-Fi Protected Setup initiates the exchange of information between the device and the Registrar, and the Registrar issues the network credentials (network name and security key) that authorize the client to join the WLAN. In the lock-and-key metaphor, this is akin to turning the key in the lock as access is granted. The new device can now securely communicate data across the network, safe from unauthorized access by intruders.
In practice, when a new device that is Wi-Fi CERTIFIED for Wi-Fi Protected Setup comes within range of an active AP, its presence is detected, communicated to the Registrar and the user is prompted to initiate the action that authorizes the issuance of registration credentials.
The Wi-Fi Protected Setup network encrypts data and authenticates each device. Information and network credentials are securely exchanged over the air using the Extensible Authentication Protocol (EAP), one of the authentication protocols used in WPA2. A handshake then takes place in which the devices mutually authenticate and the client is accepted onto the network. The Registrar communicates the network name (SSID) and the WPA2 "pre-shared key" (PSK), enabling security. Use of a random PSK enhances security by eliminating use of passphrases that could be predictable. The traditional installation method required the user to manually configure the AP to support a PSK, and then manually enter the SSID and PSK on both the AP and the client. This approach is subject to user errors through mistyping, confusion of PSK and SSID, and so on. With Wi-Fi Protected Setup, the credentials exchange process requires little user intervention after the initial setup action (entering the PIN or pushing the PBC button) is completed, because the network name and PSK are issued.
The following diagrams illustrate how Wi-Fi Protected Setup configures a network. The gold lines indicate credentials exchange, while the green lines indicate communication over a security-enabled Wi-Fi connection.
Fig. 1: Credentials Exchange
In a Wi-Fi Protected Setup, the Registrar device prompts the other devices on the network to issue their identifying information, and then provides them with credentials. Information is exchanged over the Wi-Fi network. In the scenario presented in Fig. 1, the Access Point is acting as Registrar. In the PBC method, the credentials exchange follows the push of a button on the client and on the AP; in the PIN method, it follows the user entering the PIN of the client device being added into a GUI.
Fig. 2: Adding Additional Devices
As new clients are added to an existing network, they are configured via PIN or push button. Similarly, as new AP devices are added to an existing network they are configured via a PIN or push button. Which method is used depends upon which configuration method is supported by the client device.
Fig. 3: Many Devices Suitable for Wi-Fi Protected Setup
A wide variety of devices can be added to a Wi-Fi Protected Setup network using the PIN or PBC methods.
· Authentication: The process during which the identity of the wireless device or end-user is verified so that it may be allowed network access.
· Credential: A data structure issued by a Registrar to a client, in order to allow it to gain access to the network.
· Discovery Protocol: A method used by the client and the Registrar to discern the presence and capabilities of networked devices.
· Extensible Authentication Protocol (EAP): A protocol that provides an authentication framework for both wireless and wired Ethernet enterprise networks.
· Near Field Communication (NFC): A technology designed for short-range operation, approximately 10cm or less. NFC communication is enabled by touching an NFC Device with a contact-less card or NFC token.
· NFC Device: A device that acts as a contactless reader/writer. NFC devices can communicate directly with each other and/or with NFC tokens.
· NFC Token: A physical entity compliant with one of the mandatory NFC Forum tag specifications. An NFC Token cannot communicate with other NFC Tokens, but its content can be read or written by an NFC Device.
· NFC Target Mark: A graphical sign that marks the area on NFC Devices where they have to be touched with an NFC Token or another NFC Device to initiate an NFC connection.
· Personal Identification Number (PIN): A multi-digit number that is randomly generated to enroll a specific client device on a WLAN. (In the Wi-Fi Protected Setup program, the PIN is 4 or 8 digits. In the 8-digit form the last digit is a check digit computed from the other seven, so only 10^7 distinct PINs exist, and the Registration Protocol verifies the PIN in two halves rather than as a whole.)
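The two facts that matter in practice about the PIN (its check digit, and the fact that the Registration Protocol commits to each half separately in the PSK1/PSK2 values behind the E-Hash/R-Hash messages) are easiest to see in code. The following is an added example, not code from the Wi-Fi Alliance or from any vendor's WPS implementation; the check-digit rule and the PSK1/PSK2 derivation (first 128 bits of HMAC-SHA-256 over each half of the device password under AuthKey) follow the WPS specification, while `EXAMPLE_AUTH_KEY` is a constant constructed for the example in place of the AuthKey that a real session derives from the M1/M2 Diffie-Hellman exchange. The function names are this example's own.

```python
"""WPS PIN check digit and PSK1/PSK2 half-commitments (added example)."""
import hashlib
import hmac
import secrets


def wps_pin_checksum(first_seven: int) -> int:
    """Check digit for a 7-digit PIN body.

    Digits are weighted 3,1,3,1,... from the right; the check digit makes the
    weighted sum a multiple of 10.  A typo in the PIN is caught here, before
    any registration message is sent.
    """
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    """True for an 8-digit PIN whose last digit is the correct check digit."""
    if not (pin.isdigit() and len(pin) == 8):
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


def wps_generate_pin() -> str:
    """Random 8-digit PIN with a valid check digit, as an Enrollee would display it."""
    body = secrets.randbelow(10_000_000)          # 0 .. 9999999
    return f"{body:07d}{wps_pin_checksum(body)}"


def wps_psk_halves(auth_key: bytes, pin: str) -> tuple[bytes, bytes]:
    """PSK1 / PSK2 as committed to in the E-Hash and R-Hash values.

    Each half of the device password is MACed on its own, so PSK1 depends only
    on the first four digits and PSK2 only on the last four (three free digits
    plus the check digit).  A Registrar's accept/reject of M4 therefore answers
    a question about the first half alone.
    """
    half = len(pin) // 2
    psk1 = hmac.new(auth_key, pin[:half].encode(), hashlib.sha256).digest()[:16]
    psk2 = hmac.new(auth_key, pin[half:].encode(), hashlib.sha256).digest()[:16]
    return psk1, psk2


def pin_search_space(pin_len: int, has_check_digit: bool) -> int:
    """Worst-case online guesses when each half is confirmed separately.

    For the 8-digit PIN: 10**4 for the first half plus 10**3 for the second,
    because its last digit is fixed by the check-digit rule (11,000 total,
    versus 10**7 if the PIN were verified as a whole).
    """
    first = pin_len // 2
    second = pin_len - first - (1 if has_check_digit else 0)
    return 10 ** first + 10 ** second


# Constructed stand-in for AuthKey; a real session derives it from the DH exchange.
EXAMPLE_AUTH_KEY = bytes(range(32))


if __name__ == "__main__":
    pin = wps_generate_pin()
    print("generated PIN:", pin, "valid:", wps_pin_valid(pin))
    print("PBC fixed PIN 00000000 valid:", wps_pin_valid("00000000"))
    a1, a2 = wps_psk_halves(EXAMPLE_AUTH_KEY, "12345670")
    b1, b2 = wps_psk_halves(EXAMPLE_AUTH_KEY, "12349990")
    print("same first half -> same PSK1:", a1 == b1, "| PSK2 differs:", a2 != b2)
    print("8-digit PIN worst-case guesses:", pin_search_space(8, True))
```

Note that the fixed PBC device password 00000000 passes the check-digit rule, which is why a PBC session can reuse the PIN code path unchanged. The search-space figure is the reason practitioners treat an always-on external-Registrar PIN as the weakest part of a WPS deployment and prefer PBC or NFC, which only open the Registrar for a short window.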