Wi-Fi Protected Setup™ is an optional certification program from the Wi-Fi Alliance® that is
designed to ease the task of setting up and configuring security on wireless local area networks.
Introduced by the Wi-Fi Alliance in early 2007, the program provides an industry-wide set of
network setup solutions for homes and small office (SOHO) environments. Wi-Fi Protected Setup
enables typical users who possess little understanding of traditional Wi-Fi® configuration and
security settings to easily configure new wireless networks, to add new devices and to enable
security. Products that are Wi-Fi CERTIFIED™ for Wi-Fi Protected Setup are expected to appear on the market during the first quarter of 2007.
The Wi-Fi Protected Setup certification program is based on a specification that was developed
by the Wi-Fi Alliance to enhance the user’s out-of-box experience with Wi-Fi CERTIFIED devices
which implement it. It is designed to increase non-technical users’ ability to quickly implement
security for a new Wi-Fi network or add new devices to an existing protected network without
relying on technical support.
Wi-Fi Protected Setup gives SOHO users several setup options. It uses familiar methodologies
such as typing in a Personal Identification Number or numeric code (PIN method), pushing a button
(Push-Button Configuration, or PBC), or use of Near Field Communication (NFC) tokens, to
enable users to automatically configure network names and strong WPA2 (Wi-Fi Protected
Access 2™) data encryption and authentication. The specification supports a wide array of Wi-Fi
enabled devices including notebook computers, cell phones, Voice over IP (VoIP) phones, MP3
players, digital still and video cameras, office projectors, printers, and televisions, as well as
traditional Wi-Fi networking devices such as access points (APs).
The Wi-Fi Alliance introduced Wi-Fi Protected Access 2 (WPA2), the third generation of Wi-Fi
security, in 2003. WPA2 is based on the IEEE 802.11i standard and added "government grade"
Advanced Encryption Standard (AES) security to Wi-Fi CERTIFIED products. Since March 2006,
support for WPA2 has been mandatory to attain Wi-Fi certification.
Standards-based interoperable security has been central to Wi-Fi CERTIFIED products since the
technology’s commercialization. The introduction of WPA2 helped spur an already active market
for Wi-Fi products. From 1999 through 2006, unit sales of wireless chipsets grew from less than
10 million to 200 million per year — an average growth rate of 45 percent per year, according to
data collected by market research firm In-Stat. Wi-Fi has extended beyond the traditional
computing scenarios of enterprise Wireless Local Area Networks (WLANs) and Wi-Fi hotspots to
devices that populate homes and consumers hold in their hands. Consumers now enjoy Wi-Fi
functionality in their Personal Digital Assistants (PDAs), cell phones, VoIP phones, MP3 players,
digital still and video cameras, office projectors, printers and Wi-Fi enabled televisions.
Each successive generation of security has required more sophistication from users in terms of
configuration and management – that increasing sophistication could be frustrating for new users.
In 2003, setting up a Wi-Fi network typically required numerous non-intuitive steps to be taken by
the user. New Wi-Fi adopters who lacked advanced technological knowledge or easy access to
technical support were returning products or relying on technical support call lines.
Additionally, average users with Wi-Fi-enabled consumer electronics devices want to add them to
networks easily.
In June 2004, Wi-Fi Alliance member companies, acting on feedback from small office and home
office (SOHO) customers about the difficulties they encounter when setting up and configuring
new Wi-Fi devices, formed the Wi-Fi Alliance Simple Config Task Group to establish an industry-
wide specification for easy setup of security-enabled Wi-Fi networks. The growing number and
complexity of Wi-Fi devices on the market presented an opportunity to develop a universal
approach to the process of improving the user experience.
The result of their work is Wi-Fi Protected Setup.
Wi-Fi Protected Setup simplifies the setup and configuration of secure networks and the addition
of new Wi-Fi CERTIFIED devices to existing networks. It provides out-of-the-box WPA2 user
authentication and data protection that gives users the confidence that their new devices will
interoperate securely with previously installed WPA and WPA2 Wi-Fi CERTIFIED devices.
Summary: WPS is mainly intended for SOHO networks, simplifying the process of joining a WPA/WPA2 network.
Its purpose is aimed at the WPA and WPA2 encryption modes.
Wi-Fi Protected Setup is a specification developed by the Wi-Fi Alliance that describes an
optional set of security features for Wi-Fi CERTIFIED 802.11 products. It applies to 802.11
devices for home and small office, including consumer electronics and phones, as well as
computers and access points. Any device that has been Wi-Fi CERTIFIED under the 802.11 a, b,
g or n draft 2.0 test programs can also be certified for Wi-Fi Protected Setup. The Wi-Fi Alliance
certified the first products with Wi-Fi Protected Setup in January of 2007.
Wi-Fi Protected Setup is an optional certification; not all certified products include it. Developed specifically with the SOHO market in mind, it is not targeted for use in enterprise environments, where separate network servers are employed to control network access and govern encryption. Consumers should look for the Identifier Mark of Wi-Fi Protected Setup on Wi-Fi CERTIFIED
products with Wi-Fi Protected Setup to ensure it is present in the devices they purchase.
Wi-Fi Protected Setup applies to typical home networks in which devices communicate via an access point (AP) or router. It does not support "ad hoc" networks in which devices directly communicate with one another, independently of an AP. It configures the network name (SSID) and WPA2 security key for the Access Point and Wi-Fi Protected Setup client devices on a network.
Wi-Fi Protected Setup’s simple, standardized approaches allow typical Wi-Fi users to set up and
expand their Wi-Fi networks with security enabled, even if they do not understand the underlying
technologies or processes involved. For example, users no longer have to know that SSID refers
to the name of the network or that WPA2 refers to the security mechanism.
Wi-Fi Protected Setup uses WPA2 Personal technology and is compatible with legacy devices
that are Wi-Fi CERTIFIED for WPA/WPA2 Personal. It does not add security features. WPA2
represents the latest in security for Wi-Fi technology. Users must remember that WLAN security
is only as strong as the weakest link and that using any legacy device that is not Wi-Fi
CERTIFIED for WPA2 Personal leaves their WLANs vulnerable. All Wi-Fi CERTIFIED products
certified since March 2006 support WPA2. Devices that do not support Wi-Fi Protected Setup
can still be added to a WPA2 protected network, using the manual methods provided by the
device manufacturers.
Products certified for Wi-Fi Protected Setup offer users at least one of three easy setup solutions:
Personal Identification Number (PIN), Push Button Configuration (PBC), and Near-Field
Communication (NFC). The specification is also designed for extensibility to other methods.
The Wi-Fi Protected Setup specification mandates that all Wi-Fi CERTIFIED products that
support Wi-Fi Protected Setup are tested and certified to include both PIN and PBC
configurations in APs, and at a minimum, PIN in client devices. A Registrar, which can be located
in a variety of devices, including an AP or a client, issues the credentials necessary to enroll new
clients on the network. In order to enable users to add devices from multiple locations, the
specification also supports having multiple Registrars on a single network. Registrar capability is mandatory in an AP.
In PIN configuration, a PIN is provided for each device that will join the network. A fixed label or
sticker may be placed on a device to identify the PIN for the user, or a dynamic PIN can be
generated and shown on the device’s display (e.g., a TV screen or monitor). The PIN is used to
ensure that the device that the user intends to add to the network is the one that is added and to
help avoid accidental or malicious attempts of others to add unintended devices to the network.
The user enters the PIN into the Registrar via a graphical user interface (GUI) on the AP or by
accessing a management page via an onscreen interface presented on another device on the
network.
In PBC configuration, the user connects the device to the network and enables data encryption by
pushing buttons on the AP and client device. Users should be aware that there is a very brief
setup period between pushing the AP and client buttons during which unintended devices within
range could join the network.
Table 1 compares the steps required to set up and enable security protections on a WLAN in the traditional manner with the number of steps required in Wi-Fi Protected Setup’s mandatory
configurations.
In the traditional method, the user activates the AP by connecting it to a power source and to a
wired network (Step 1). From a computer that is also connected to the wired network, the user
launches a web browser to log into an administrative page and access the AP (Step 2). There,
the user assigns a network name to set the SSID (Step 3) and navigates to a security settings
page to select the type of security to be used (Step 4). After activating the security settings, the
user is prompted to enter a passphrase which the AP will use to generate the security key that
protects communications (Step 5). The user configures the device to be enrolled on the network
through a control panel on the device, activating its wireless interface and enabling the WLAN
connection (Step 6). The client device presents the user with the network names (SSIDs) of all
WLANs it finds in the vicinity. The user selects the appropriate network name (created in Step 3)
and connects to the network (Step 7). The user is then prompted to enter the passphrase created
in Step 5 (Step 8). The client and the AP exchange security credentials and the new device is
securely connected to the WLAN.
In most cases, Wi-Fi Protected Setup eliminates Steps 2-5 of the legacy method for the user. In
addition, it simplifies some of the remaining tasks required of the user, such as the establishment
of a passphrase.
With Wi-Fi Protected Setup, the user simply activates the AP and the client device, then either
enters the PIN provided by the manufacturer of the AP (PIN configuration) or pushes buttons on
the AP and client device(s) (PBC configuration) to initiate the secure setup. The user is no longer
involved in setting a passphrase; the security codes are activated and communicated automatically.
In addition to ensuring that the SSID and WPA2 security key are properly configured, Wi-Fi
Protected Setup provides over-the-air safeguards to prevent users who enter incorrect PINs from
accessing the network. It also includes a time-out function to cancel the configuration process
when identifying credentials are not transferred in a timely fashion.
Wi-Fi Protected Setup also enhances security by eliminating user-created passphrases.
Before Wi-Fi Protected Setup, users were required to create and enter a passphrase on the AP
that they would reuse when adding any new device to the network in order to secure their
networks. Many opted for short, familiar passphrases, such as the name of a child or pet, which are easy to
remember but also easy for an outsider to guess.
Optional Configurations
The optional NFC method, like PBC, joins devices to a network without requiring the manual entry of a PIN.
In NFC configuration, Wi-Fi Protected Setup is activated simply by touching the new device to the AP or another device with
Registrar capability. The NFC method provides strong protection against adding an unintended device to the
network. Testing for NFC began in 2008. Other methodologies may also be added to the certification program over time, as the
specification is designed to be extensible to other technologies.
Configuration and security on Wi-Fi Protected Setup devices can be compared to the familiar
"lock and key" metaphor of traditional home security. The specification provides a simple,
consistent procedure for adding new devices to established Wi-Fi networks based upon a
discovery protocol that is consistent across vendors. This procedure automatically uses a
Registrar to issue the credentials of devices being enrolled on the network. All Wi-Fi CERTIFIED
APs with Wi-Fi Protected Setup possess Registrar capability; additionally, the Registrar can
reside on any device on the WLAN. A Registrar that resides on the AP is referred to as an
internal Registrar. A Registrar that resides on another device on the network is referred to as an
external Registrar. A Wi-Fi Protected Setup network can support multiple Registrars on a single WLAN.
The process the user follows to configure a new device on the WLAN begins with an action that
can be compared to inserting a key into a lock (i.e. launching the configuration wizard and
entering the PIN, pushing the PBC button, or touching one NFC device to another). At this stage,
the user is seeking access.
Wi-Fi Protected Setup initiates the exchange of information between the device and the Registrar,
and the Registrar issues the network credentials (network name and security key) that authorize
the client to join the WLAN. In the lock-and-key metaphor, this is akin to turning the key in the
lock as access is granted. The new device can now securely communicate data across the
network, safe from unauthorized access by intruders.
In practice, when a new device that is Wi-Fi CERTIFIED for Wi-Fi Protected Setup comes within
range of an active AP, its presence is detected, communicated to the Registrar and the user is
prompted to initiate the action that authorizes the issuance of registration credentials.
The Wi-Fi Protected Setup network encrypts data and authenticates each device. Information and
network credentials are securely exchanged over the air using the Extensible Authentication
Protocol (EAP), one of the authentication protocols used in WPA2. A handshake then takes
place in which the devices mutually authenticate and the client is accepted onto the network. The
Registrar communicates the network name (SSID) and the WPA2 "pre-shared key" (PSK),
enabling security. Use of a random PSK enhances security by eliminating use of passphrases
that could be predictable.
The traditional installation method required the user to manually configure the AP to support a
PSK, and then manually enter the SSID and PSK on both the AP and the client. This approach is
subject to user errors through mistyping, confusion of PSK and SSID, and so on. With Wi-Fi Protected Setup, the credentials exchange process requires little user intervention after the initial
setup action (entering the PIN or pushing the PBC button) is completed, because the network name and PSK
are issued automatically by the Registrar.
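The PIN and PBC enrollment rules described above (PIN must match the device's own PIN, a time-out cancels an unfinished session, PBC only admits devices during the two-minute window after the button push) and the Registrar's issuing of an SSID plus a random PSK, as an added example that is not part of the original paper or of any Wi-Fi Alliance code. It is a simplified model: the over-the-air EAP exchange that proves PIN knowledge is abstracted into a PIN comparison, the PIN time-out length is assumed (the paper only says one exists), and the PBC window is assumed to close after a successful enrollment.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

PBC_WINDOW_SECONDS = 120   # "two-minute setup period" after the button push (from the paper)
PIN_TIMEOUT_SECONDS = 120  # assumed value; the paper only states that a time-out exists


class FakeClock:
    """Controllable clock so sessions and windows can be tested deterministically."""
    def __init__(self) -> None:
        self.now = 1000.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class Registrar:
    """Model of a WPS Registrar that hands the SSID and a random WPA2 PSK to an enrollee."""

    def __init__(self, ssid: str, clock=time.monotonic) -> None:
        self.ssid = ssid
        self.clock = clock
        # 256-bit PSK as 64 hex characters, generated once; no user-chosen passphrase is involved.
        self.psk = secrets.token_hex(32)
        self._pbc_pushed_at: Optional[float] = None
        # device_id -> (PIN the user typed into the Registrar, session start time)
        self._pin_sessions: Dict[str, Tuple[str, float]] = {}

    def push_button(self) -> None:
        self._pbc_pushed_at = self.clock()

    def start_pin_session(self, device_id: str, entered_pin: str) -> None:
        # The user reads the PIN off the enrollee's label or display and types it into the Registrar.
        self._pin_sessions[device_id] = (entered_pin, self.clock())

    def enroll_pbc(self, device_id: str) -> Optional[Dict[str, str]]:
        if self._pbc_pushed_at is None:
            return None                      # no button push: nothing is joined
        if self.clock() - self._pbc_pushed_at > PBC_WINDOW_SECONDS:
            self._pbc_pushed_at = None       # window expired: cancel
            return None
        self._pbc_pushed_at = None           # assumed: window closes after one enrollment
        return self._credentials()

    def enroll_pin(self, device_id: str, device_pin: str) -> Optional[Dict[str, str]]:
        session = self._pin_sessions.pop(device_id, None)   # every attempt consumes the session
        if session is None:
            return None
        entered_pin, started_at = session
        if self.clock() - started_at > PIN_TIMEOUT_SECONDS:
            return None                      # credentials not transferred in time: cancelled
        if not secrets.compare_digest(entered_pin, device_pin):
            return None                      # wrong PIN: the device is not admitted
        return self._credentials()

    def _credentials(self) -> Dict[str, str]:
        return {"ssid": self.ssid, "psk": self.psk}
```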
• What is Wi-Fi Protected Setup?
Wi-Fi Protected Setup (previously called Wi-Fi Simple Config) is an optional certification program developed by the Wi-Fi Alliance designed to ease set up of security-enabled Wi-Fi networks in the home and small office environment. Wi-Fi Protected Setup supports methods (pushing a button or entering a PIN into a wizard-type application) that are familiar to most consumers to configure a network and enable security.
• Why is Wi-Fi Protected Setup needed?
Wi-Fi Protected Setup gear has advanced security features provided by WPA™ and WPA2™ (Wi-Fi Protected Access), but some users find those features difficult to configure correctly. As a result, many consumers leave their Wi-Fi networks partially or completely unsecured. Wi-Fi Protected Setup gives consumers a standardized way to more easily set up a Wi-Fi Protected Setup wireless local area network (WLAN), and to enable the security features. Additional devices can be easily added to the network over time.
With Wi-Fi technology connecting a wider array of devices, including PCs, phones and consumer
electronics, a simpler, standardized, approach to network configuration and security enablement is more important than ever. Wi-Fi consumers will be able to choose from a wide variety of product types and brands knowing that there is a straightforward method for adding these devices to their network.
• When will Wi-Fi Protected Setup products be available?
We expect the first Wi-Fi CERTIFIED™ Wi-Fi Protected Setup products to enter the market during the 1st Quarter of 2007.
• How does Wi-Fi Protected Setup work?
There are two primary approaches to network setup within Wi-Fi Protected Setup: push-button and PIN entry. PIN entry is mandatory in all Wi-Fi Protected Setup devices, while push-button is optional and may also be found in some devices.
PIN entry: in all Wi-Fi Protected Setup networks, a unique PIN (Personal Identification Number)
will be required for each device to join the network. A fixed PIN label or sticker may be placed on a device, or a dynamic PIN can be generated and shown on the device’s display (e.g., a TV
screen or monitor). PIN is used to make sure the intended device is added to the network being
set up and will help to avoid accidental or malicious attempts to add unintended devices to the
network.
A registrar device (which could be an Access Point/wireless router, PC, television, or other device)
will detect when a new Wi-Fi device is in range, and prompt the user to enter the PIN, if he or she
wishes to add the new device to the network. In this mode, Wi-Fi Protected Setup network
encrypts data and authenticates each device on the network. The PIN entry method is supported
in all devices.
Push button configuration (PBC): in some Wi-Fi Protected Setup networks, the user may connect
multiple devices to the network and enable data encryption by pushing a button. The access
point/wireless router will have a physical button, and other devices may have a physical or
software-based button. Users should be aware that during the two-minute setup period which
follows the push of the button, unintended devices could join the network if they are in range.
• Are there other Wi-Fi Protected Setup methods besides PBC and PIN?
The Wi-Fi Protected Setup specification describes optional methods of network configuration using Near Field Communication (NFC) Cards and USB Flash Drives. Like the Push Button method, these approaches automatically join a device to a network without requiring the manual entry of PINs. However, Wi-Fi CERTIFICATION for USB and NFC is not currently available. Support for these methods is planned for mid-2007. The methods are described below:
USB Flash Drive (UFD): A USB flash drive can be used to transfer network settings to a new
device without requiring manual entry of its PIN. The UFD method provides strong protection
against adding an unintended device to the network. This is an optional method for Simple Config Access
Points and devices.
Near Field Communication (NFC): Near Field Communication readers can be used to transfer
network settings to a new device without requiring manual entry of its PIN. The NFC method
provides strong protection against adding an unintended device to the network. This is an
optional method for Wi-Fi Protected Setup Access Points and devices.
• Is Wi-Fi Protected Setup available in non-PC devices?
Wi-Fi Protected Setup supports computers, consumer electronics, phones, and access points/wireless routers.
• Do all devices in a network have to be Wi-Fi CERTIFIED for Wi-Fi Protected Setup to work
together?
No. Access points/wireless routers which are Wi-Fi CERTIFIED for Wi-Fi Protected Setup will provide a way for the user to “look” at the network settings and manually join older devices to the network.
With PIN configuration, users can ask the Wi-Fi Protected Setup device for special numbers, called WPA keys, and assign them to legacy devices to join the network. In push button configuration, some companies may offer a firmware upgrade for legacy devices but this will be at the discretion of the individual manufacturer.
All Wi-Fi devices in a Wi-Fi Protected Setup network must be Wi-Fi CERTIFIED for WPA or WPA2 security, however.
• Are Wi-Fi Protected Setup products more secure than other products that have WPA security
enabled?
Wi-Fi Protected Setup doesn’t add new security features to devices. It makes the existing security features easy to configure and enable. WPA™ and WPA2™ (Wi-Fi Protected Access) represent the very latest in security for Wi-Fi technology.
• Why does Wi-Fi Protected Setup support various ways to configure the network security?
Wi-Fi technology is increasingly going into consumer electronics and phones, but ease of setup and security are no less important on these devices than on laptops, printers, and wireless routers. The variety of ways to support Wi-Fi Protected Setup is included to support as wide a variety of devices as possible.