Wi-Fi Protected Setup
Yesterday, Wi-Fi Alliance presented something called Wi-Fi Protected Setup. A brief summary can be found at DDJ as well. I’ll make an even briefer summary:
Setting up a wireless network isn’t trivial; there are many terms circulating: WEP, WPA, WPA2, PSK, EAP, EAPOL, WLAN, WAN, SSID, BSSID and so on. Requiring a home user to be aware of what an SSID is really isn’t that necessary, and neither is requiring him to know how to configure both his access point and WLAN clients to use WPA-PSK (or something similar). That’s where Wi-Fi Protected Setup comes into play: it’s a standard for simple PIN-code based configuration of WLAN clients. Here are some slides from Wi-Fi Alliance that sum it up neatly.
The idea is that a user plugs in his client card, installs the software, and – poof – up pops a window that asks him to enter his PIN code. Then the AP and the client will negotiate everything between themselves automagically. There’s also an alternative method using a button instead: the user presses a button on both AP and client in order to start this configuration. As far as I can see, that method uses the principle that if the user has physical access to the AP and the client, he is authorized to configure them both. Sounds excellent for home use, albeit a trifle insecure. Not that I mind.
I’m all for simplification. In fact, I see no reason to require a PIN code even – the physical method should suffice for home users. That’s where my first doubt enters: Wi-Fi Protected Setup requires all clients (or Registrars rather) to support PIN setup…and the button method is optional. I don’t see the reason for that. Printers and USB hard drives would work excellently with button setup - it just becomes bothersome to require PIN setup for devices with no good access to user input. Oh, but they’ve thought about that: the PIN authorization procedure can also be performed by logging onto the AP’s graphical user interface.
What?
Okay, I admit that I haven’t read up much about this topic, but that seems intuitively to be unintuitive. The idea is to not require bothersome configurations or access to the AP’s GUI; this method of PIN authorization sounds like a last-minute addition. “Oh right. Crap. If all Registrars have to use PIN setup but USB devices have no input device, I guess it must be up to the AP to do this part of the task. Let’s not remove the PIN setup requirement – that would be too easy.”
To be a complete nitpicker, I also skimmed through the white paper for Wi-Fi Protected Setup to see if I could find some inconsistencies with the information I’ve seen so far. Search and ye shall look! No, I mean find. If you look at page 9 on the slides, you’ll note the following text:
WPA or WPA2 security is enabled, and the passphrase can be auto-generated or configured by the user
Neato. But oh-oh-oh, page 9 of the white paper mentions the following:
Use of a random PSK enhances security by eliminating use of pass phrases that could be predictable. [...] the credentials exchange process requires little user intervention after the initial setup action [...] is completed, because the network name and PSK are issued.
This shows a few things:
- The second quote could be interpreted to mean that user-specified passphrases are still possible. I would not interpret it like that, though, due to the “issued” part.
- The slides might have been written much earlier than the final paper, and feature some old ideas that were thrown out.
- Either way, it still leaves some confusion regarding the use of PSKs, IMNSHO.
- I may be one of the few people who actually note the different spelling of “passphrase” and “pass phrase” in the two writings (and am slightly irritated at the lack of consistency). I’m instantly reminded of an English lecture I had where the teacher asked us what the correct spelling of rain-forest is. He was very smug when he produced three different dictionaries and three different official spellings: rainforest, rain-forest and rain forest. His point was that there are often many “correct” ways; just make sure you’re consistent.
- I need to lay off the black tea – I’m ranting about irrelevant inconsistencies.
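To make the passphrase-versus-PSK distinction behind the two quotes concrete, here is an added example (not from the original post or the Wi-Fi Alliance documents). It shows the standard WPA/WPA2 mapping from a user-chosen passphrase to the 256-bit PSK, next to a randomly generated PSK of the kind the white paper describes; the function names are my own, and the SSID and passphrase in the demo are constructed.

```python
import hashlib
import secrets
import string

# Passphrase alphabet in WPA/WPA2-Personal: printable ASCII, 8..63 characters.
PRINTABLE = {chr(c) for c in range(32, 127)}


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK from a passphrase.

    WPA/WPA2 uses PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations,
    so the PSK is only as unpredictable as the passphrase the user picked.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if not set(passphrase) <= PRINTABLE:
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def random_psk() -> bytes:
    """Generate a PSK directly from the OS CSPRNG: 256 bits, no passphrase involved."""
    return secrets.token_bytes(32)


def credential_to_psk(credential: str, ssid: str) -> bytes:
    """Accept either form a network key can be handed over in.

    Exactly 64 hex digits is treated as the raw PSK; anything else is treated
    as a passphrase and run through the derivation above.
    """
    if len(credential) == 64 and all(c in string.hexdigits for c in credential):
        return bytes.fromhex(credential)
    return psk_from_passphrase(credential, ssid)


if __name__ == "__main__":
    ssid = "HomeNetwork"  # constructed sample SSID
    user_psk = credential_to_psk("correct horse battery", ssid)  # constructed passphrase
    issued = random_psk().hex()  # what an auto-generated credential looks like
    print("from passphrase:", user_psk.hex())
    print("auto-generated: ", issued)
    assert credential_to_psk(issued, ssid).hex() == issued
```

Both paths end in the same kind of 32-byte key, which is why a setup protocol can hand out either form; only the random one is independent of what a human is likely to type.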
Wi-Fi Protected Setup will be expanded in the future to include NFC and USB setup as well. Near-Field Configuration (I think that’s what it stands for) is based on simply moving the client close to the AP in order to transfer the authorization credentials, and USB setup means that the client device is physically connected to the AP (through – oh, I don’t know – maybe USB) to transfer said credentials. Then the client automatically authenticates with the AP. Interestingly enough, a colleague mentioned that the NFC method was the first version suggested when Wi-Fi Protected Setup was discussed in Wi-Fi Alliance; I guess they chose to focus on “normal” clients first instead of pursuing that route.
All in all, I like the way things are going. Simplification is good; a behaviour that simulates automatic configuration like Bluetooth is just fine with me; less configuration and better security (since users now won’t leave their networks unprotected) is good. ‘S all good.

January 12th, 2007 at 8:08 am
I’m wondering if they are allowing the user to input passphrases to enable the user to add WPS devices to a network without destroying an existing network.
January 14th, 2007 at 12:52 pm
That would seem reasonable… But as far as I know this feature is just an addon to the normal authentication procedure – a way to configure units to choose the appropriate WPA2 setup. In that case, it ought to be backwards-compatible anyway. (I guess I’ll have to get hold of some devices with support for this to see for sure!)