
If you are from the Wi-Fi Alliance and feel this should not be public, feel free to contact me, my email is not far. TL;DR : WPS PIN with fixed PIN (printed on sticker) can be broken in 18 packets, and they knew it.

Welcome to the Internet, beware of the errors :)

I thought the Enrollee was the client, and the Registrar the AP (see spec:

Enrollee: A Device seeking to join a WLAN Domain. Once an Enrollee obtains a valid credential, it becomes a Member.
Registrar: An entity with the authority to issue and revoke Domain Credentials. A Registrar may be integrated into an AP, or it may be separate from the AP. A Registrar may not have WLAN capability. A given Domain may have multiple Registrars.

), but I was wrong. Thus, what I wrote below contains errors. Correction and implementation are left as an exercise to the reader.

- WPS NFC : No security (nor implementations), you just need to be in range. (<2m)
- WPS Push Button : Press the button, authenticate (before an attacker does).
- WPS PIN : Enter the 4/8 digit PIN displayed on the AP tiny screen.

- Client (Enrollee) sends N1, a 128-bit random number, and PK_E, a Diffie-Hellman public key, to the Registrar (AP).
- Registrar answers back with N2, a 128-bit random number, and PK_R, a Diffie-Hellman public key.
Now, the two sides can compute the session keys:

- The 1536-bit MODP group is taken from RFC 3526.
- PK_E = 2^A % p
- PK_R = 2^B % p
- Diffie-Hellman Key: DHKey = SHA256(zeropad((2^AB)%p,192))
- Key Derivation Key (KDK): HMAC-SHA-256(DHKey, N1 || Enrollee MAC || N2)
- AuthKey, KeyWrapKey (KWK) and Extended Master Session Key (EMSK) are derived from the KDK with a key derivation function. The key derivation function concatenates HMAC-SHA-256(KDK, uint32_be(iteration) || "Wi-Fi Easy and Secure Key Derivation" || uint32_be(total_bits)). total_bits is 640 (AuthKey+KWK+EMSK = 256+128+256 = 640):

    AuthKey || KWK || EMSK =
        HMAC-SHA-256(KDK, 0x00000001 || "Wi-Fi Easy and Secure Key Derivation" || 0x00000280) ||
        HMAC-SHA-256(KDK, 0x00000002 || "Wi-Fi Easy and Secure Key Derivation" || 0x00000280) ||
        HMAC-SHA-256(KDK, 0x00000003 || "Wi-Fi Easy and Secure Key Derivation" || 0x00000280)

These keys are used to encrypt the secret nonces R-S1, E-S1, R-S2, E-S2, and ConfigData (but not the hashes; see the pixie dust attack). From now on, the Diffie-Hellman key exchange is done and every packet has a suffix consisting of the HMAC-SHA-256(AuthKey) signing the last two packets.

- The Enrollee sends two hashes, as proofs that he knows PIN1 and PIN2. He will send the keys later.
The two parts of the PIN (PIN1=XXXX and PIN2=YYYZ) are derived into two PSKs:

- PSK1 = HMAC-SHA-256(AuthKey,XXXX)
- PSK2 = HMAC-SHA-256(AuthKey,YYYZ)

The Enrollee creates two 128-bit secret nonces, E-S1 and E-S2, and then computes

- E-Hash1 = HMAC_AuthKey(E-S1 || PSK1 || PK_E || PK_R)
- E-Hash2 = HMAC_AuthKey(E-S2 || PSK2 || PK_E || PK_R)

The Registrar creates two 128-bit secret nonces, R-S1 and R-S2, and then computes

- R-Hash1 = HMAC_AuthKey(R-S1 || PSK1 || PK_E || PK_R)
- R-Hash2 = HMAC_AuthKey(R-S2 || PSK2 || PK_E || PK_R)

The hash values are gradually exchanged and verified in messages M3-M7. If a verification check of one of the Device Password parts fails, the receiving side must acknowledge the message with a failure indication, and the Enrollee and Registrar must stop the protocol and discard all keys and nonces associated with the session.
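
The key derivation and the commit/reveal check described above, as an added Python example (not code from the original post). All sample values are constructed, the DH shared secret is a stand-in for (2^AB)%p rather than the output of a real exchange, and PSK1 follows the formula as it is written on this page.

```python
import hashlib
import hmac
import struct

LABEL = b"Wi-Fi Easy and Secure Key Derivation"

def hmac256(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA-256 over the concatenation of parts."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def derive_keys(shared: int, n1: bytes, enrollee_mac: bytes, n2: bytes):
    """Return (AuthKey, KeyWrapKey, EMSK) from the DH shared secret (2^AB)%p."""
    dhkey = hashlib.sha256(shared.to_bytes(192, "big")).digest()  # zeropad to 192 bytes
    kdk = hmac256(dhkey, n1, enrollee_mac, n2)
    total_bits = 640  # AuthKey 256 + KWK 128 + EMSK 256
    stream = b"".join(
        hmac256(kdk, struct.pack(">I", i), LABEL, struct.pack(">I", total_bits))
        for i in (1, 2, 3)
    )
    return stream[:32], stream[32:48], stream[48:80]

def psk(authkey: bytes, pin_half: str) -> bytes:
    """PSK1/PSK2 as written on the page: HMAC-SHA-256(AuthKey, PIN half)."""
    return hmac256(authkey, pin_half.encode("ascii"))

def commit(authkey, secret_nonce, psk_n, pk_e, pk_r) -> bytes:
    """E-Hash/R-Hash: HMAC_AuthKey(S || PSK || PK_E || PK_R)."""
    return hmac256(authkey, secret_nonce, psk_n, pk_e, pk_r)

def check_reveal(authkey, revealed_nonce, pin_half, pk_e, pk_r, received_hash) -> bool:
    """Recompute the commitment from the revealed nonce and our own PIN half."""
    expected = commit(authkey, revealed_nonce, psk(authkey, pin_half), pk_e, pk_r)
    return hmac.compare_digest(expected, received_hash)

# Constructed sample values (not from a real capture).
SHARED = int.from_bytes(hashlib.sha256(b"constructed shared secret").digest(), "big")
N1, N2 = bytes(range(16)), bytes(range(16, 32))
MAC = bytes.fromhex("020000000001")
PK_E, PK_R = b"\x11" * 192, b"\x22" * 192
E_S1 = bytes(range(32, 48))

AUTHKEY, KWK, EMSK = derive_keys(SHARED, N1, MAC, N2)
E_HASH1 = commit(AUTHKEY, E_S1, psk(AUTHKEY, "1234"), PK_E, PK_R)

if __name__ == "__main__":
    print("AuthKey:", AUTHKEY.hex())
    print("right half accepted:", check_reveal(AUTHKEY, E_S1, "1234", PK_E, PK_R, E_HASH1))
    print("wrong half accepted:", check_reveal(AUTHKEY, E_S1, "1235", PK_E, PK_R, E_HASH1))
```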

- The Registrar sends two hashes, and the first secret R-S1.
- The Enrollee sends the first secret nonce, E-S1. The Registrar knows if the Enrollee knows the first half of the PIN.
- The Registrar sends the second secret, R-S2.
- The Enrollee sends the second secret nonce, E-S2. The Registrar can confirm that the Enrollee knows the PIN.
- The Registrar sends the WPA2 password. (encrypted :D )

- R-Hash1 = HMAC_AuthKey(R-S2 || PSK1 || PK_E || PK_R)
- PSK1 = HMAC-SHA-256(AuthKey,XXXX)