Published April 16, 2024 (author: )
After reading the document "Wi-Fi Protected Setup in the wpa_supplicant", I think you will understand what WPS is all about.
I. Preface
The goal of Wi-Fi Protected Setup (WPS) is to automate the creation of a secure wireless network. The
protocol removes the need for users to understand what a SSID is or the difference between WEP, WPA, and
WPA2 and their associated ciphers. Essentially, the protocol automatically creates the network blocks specified
by the wpa_supplicant's configuration file. As such, the user typically only needs to run the WPS protocol once
for each AP. In WPS's simplest topology, there are two participants: the registrar and the enrollee. The registrar
has the authority to issue and revoke credentials on the network. Typically, but not always, this is the access
point. The enrollee, on the other hand, is the device seeking to join the wireless network. The purpose of the
WPS patch is to add the enrollee function to the wpa_supplicant. This document describes how to setup the
supplicant either via the configuration file or the control interface to use WPS.
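Rough meaning: The goal of Wi-Fi Protected Setup (WPS) is to create a secure wireless network automatically. With this protocol, users do not need to understand how the SSID relates to WEP, WPA and WPA2 and their associated ciphers. In essence, the protocol automatically creates the network blocks specified by the wpa_supplicant configuration file. As a result, the user usually only needs to run the WPS protocol once for each AP. In the simplest WPS topology there are two participants: the registrar (AP) and the enrollee (wireless NIC). The registrar (AP) usually, but not always, has the authority to issue and revoke credentials on the network. The enrollee (wireless NIC), on the other hand, is the device that wants to join the wireless network. The purpose of the WPS patch is to add the enrollee (wireless NIC) function to wpa_supplicant. This document describes how to set up the supplicant to use WPS, either through the configuration file or through the control interface (both methods are described in detail below).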
II. WPS Methods
Before you can configure the supplicant, it is helpful to understand the two supported configuration
methods: Push Button Control (PBC) and PIN. Both methods accomplish the same goal, but provide different
levels security and ease of use. The PBC method is the simpler of the two. In this method, the user pushes a
button on the registrar (usually the AP) and a button on the enrollee (a laptop, cell phone, etc). The protocol then
takes care of connecting to the correct AP and retrieving the encryption settings. The advantage of PBC is a
very simple user interface, but there are a few issues:
1. The user must push both buttons within two minutes of each other. WPS refers to this time period as
the "walk time".
2. Only one enrollee can use the PBC method at a time. The second enrollee using PBC will receive an
error message and can either elect to wait until the other enrollee is done or use the PIN method without waiting.
Note that this restriction is across all detected SSID and BSSID on all channels.
3. The method is unauthenticated and does not protect against active attacks
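Rough meaning: Before you configure the supplicant, you need to understand the two supported configuration methods: Push Button Control (PBC) and PIN. Both methods achieve the same goal, but they offer different levels of security and ease of use. The PBC method is the simpler one: the user only has to push one button on the registrar (usually the router) and one on the enrollee (a laptop, mobile phone or other device with a wireless NIC). The protocol then takes care of connecting to the correct AP and retrieving the encryption settings. The advantage of PBC is that it is very simple, but it also has some problems:
1. The user must push both buttons within 2 minutes of each other. WPS calls this period the "walk time".
2. Only one enrollee can use the PBC method at a time. A second enrollee using PBC receives an error message and has two choices: either wait until the other enrollee has finished, or use the PIN method, which requires no waiting. Note that this restriction applies to the SSIDs and BSSIDs detected on all channels.
3. The method is unauthenticated and does not protect against active attacks.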
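The walk-time and one-enrollee-at-a-time rules from the list above, as an added example (not code from the quoted document or from wpa_supplicant): a simplified C model of a registrar pairing the two button pushes. The struct, the function names and the choice to identify enrollees by MAC address are assumptions made for illustration.

```c
/* Simplified model of the PBC rules above; not wpa_supplicant code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WALK_TIME_SEC 120 /* both buttons "within two minutes of each other" */

enum pbc_result { PBC_WAITING, PBC_ACCEPT, PBC_WALK_TIME_EXPIRED, PBC_OVERLAP };

struct pbc_registrar {      /* hypothetical state; times in seconds */
    long button_time;       /* registrar button push, -1 = none */
    long enrollee_time;     /* pending enrollee push, -1 = none */
    char enrollee_mac[18];  /* enrollee that holds the PBC session */
};

void pbc_init(struct pbc_registrar *r)
{
    r->button_time = r->enrollee_time = -1;
    r->enrollee_mac[0] = '\0';
}

/* Pair the two pushes once both exist and lie inside the walk time. */
static enum pbc_result pbc_evaluate(struct pbc_registrar *r)
{
    if (r->button_time < 0 || r->enrollee_time < 0)
        return PBC_WAITING;
    if (labs(r->button_time - r->enrollee_time) > WALK_TIME_SEC)
        return PBC_WALK_TIME_EXPIRED; /* the older push must be repeated */
    pbc_init(r);                      /* done: the next enrollee may start */
    return PBC_ACCEPT;
}

enum pbc_result pbc_button(struct pbc_registrar *r, long now)
{
    r->button_time = now;
    return pbc_evaluate(r);
}

enum pbc_result pbc_enrollee(struct pbc_registrar *r, const char *mac, long now)
{
    if (r->enrollee_time >= 0 && now - r->enrollee_time > WALK_TIME_SEC)
        r->enrollee_time = -1;        /* earlier enrollee timed out */
    if (r->enrollee_time >= 0 && strcmp(r->enrollee_mac, mac) != 0)
        return PBC_OVERLAP;           /* second enrollee gets the error */
    snprintf(r->enrollee_mac, sizeof(r->enrollee_mac), "%s", mac);
    r->enrollee_time = now;
    return pbc_evaluate(r);
}
```

Nothing in this exchange proves which device pushed its button, which is the third issue in the list: the registrar pairs with whichever enrollee asks inside the window.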
The PIN method requires the user to retrieve a PIN number from the enrollee and enter it into the
registrar either via a key pad or, more likely, through a web based interface. The user then notifies the
enrollee that the registrar has accepted the PIN and can proceed with connection. This method is slightly
more involved than PBC, but is no more complicated than getting money from a bank's cash machine.
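Rough meaning: The PIN method requires the user to retrieve a PIN from the enrollee and enter it into the registrar, either via a keypad or, more likely, through a web-based interface. The user then notifies the enrollee that the registrar has accepted the PIN and that the connection can proceed. This method is slightly more complex than PBC, but it is definitely no more complicated than withdrawing money from a bank's cash machine. (Foreigners really do have a sense of humor!)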
III. Supplicant Configuration
The configuration file for either PBC or PIN is the same. It should contain a network block with
two elements:
Rough meaning: The configuration file is the same for PBC and PIN. It contains a network block with two elements:
network={
    proto=WPS
    eap=WPS
}
That's it! The differentiation between PBC and PIN is in the commands. To activate the PBC method, use
the "pbc" command in wpa_cli. For example,
Rough meaning: That is the difference between the PBC and PIN commands. To activate the PBC method, use the "pbc" command, for example:
# wpa_cli pbc
OK
#
To activate the PIN method, use the "pin_get" command in wpa_cli to retrieve the automatically generated
PIN number from the supplicant, enter the PIN into the AP (registrar), and finally use the "pin_entered"
command in wpa_cli to start the connection process.

