Wi-Fi CERTIFIED Wi-Fi Protected Setup:

Easing the User Experience for Home and Small Office Wi-Fi Networks

Wi-Fi Alliance December 2010

The following document and the information contained herein regarding Wi-Fi Alliance programs and expected dates of launch, are subject to revision or removal at any time without notice. THIS DOCUMENT IS PROVIDED ON AN "AS IS", "AS AVAILABLE" AND "WITH ALL FAULTS" BASIS. THE WI-FI ALLIANCE MAKES NO REPRESENTATIONS, WARRANTIES, CONDITIONS OR GUARANTEES AS TO THE USEFULNESS, QUALITY, SUITABILITY, TRUTH, ACCURACY OR COMPLETENESS OF THIS DOCUMENT AND THE INFORMATION CONTAINED IN THIS DOCUMENT.

Overview
Users of home and small office networks need access to the highest available security mechanisms, and they need to be able to make simple additions and changes to the connected equipment without access to a technical support group. Wi-Fi CERTIFIED Wi-Fi Protected Setup offers users incomparable ease of use in setting up small Wi-Fi networks that operate at the highest levels of security available in equipment today with a simple, almost totally automated setup process that can require as little interaction as the push of a button. Wi-Fi Protected Setup provides an industry-wide mechanism to set up and configure networks for home and small office (SOHO) environments. Wi-Fi Protected Setup enables typical users who possess little understanding of traditional Wi-Fi configuration and security settings to easily configure new wireless networks, to add new devices and to enable security. Products that are Wi-Fi CERTIFIED for Wi-Fi Protected Setup have been on the market since 2007. The Wi-Fi Alliance has enhanced the Wi-Fi Protected Setup program with new features that improve usability and lead systems to the highest level of security protection available in the equipment in use. Today, roughly 10% of all people in the world use Wi-Fi to 1 stay connected. There are more than 1 billion devices in use today, with an estimated 580 million units shipped in 2009. Shipments for 2011 are forecasted at 1 billion, growing 2 to 1.5 billion by 2013. Wi-Fi is widely available in homes, Wi-Fi hotspots, and enterprise environments, and is found in many types of devices, including notebook computers, cameras, media players, photo frames, TVs, gaming devices, and mobile phones, among others. At the time of this papers publication, the Wi-Fi Alliance has more than 350 member companies and has completed more than 8,500 product certifications since March 2000. The sheer increase in the amount of Wi-Fi-enabled devices on the market today makes the ease of use provided by Wi-Fi Protected Setup a necessary feature for every user.

1 2

Wi-Fi Alliance estimate of installed base of Wi-Fi devices, 2009. ABI Research, 2010. Page 1 of 12

What is Wi-Fi Protected Setup?

Wi-Fi CERTIFIED Wi-Fi Protected Setup helps assure consumers that the Wi-Fi devices they purchase can be easily configured with security features enabled on their Wi-Fi networks, and that they can add new Wi-Fi Protected Setup devices to established networks with greater ease. Wi-Fi Protected Setup is a certification program designed to support Wi-Fi CERTIFIED 802.11 products including consumer electronics and phones, as well as computers and access points. It applies to 802.11 devices for home and small office, including those that communicate through 802.11a/b/g/n, as well as multiple-band devices and those designed to operate Wi-Fi Direct features. The Wi-Fi Alliance certified the first products with Wi-Fi Protected Setup in January of 2007. Since then, new features have been introduced to make the setup and configuration of security features even easier to use. In the past year alone, more than 1,000 products, including home access points , gateways and handsets have passed the testing necessary to be identified as Wi-Fi CERTIFIED Wi-Fi Protected Setup. Wi-Fi Protected Setup is an optional certification. Developed specifically with the SOHO market in mind, it is not targeted for use in enterprise environments, where separate network servers are employed to control network access and govern encryption. Consumers should look for the Wi-Fi Protected Setup logo to ensure it is present in the devices they purchase. Wi-Fi Protected Setup applies to typical home networks in which devices communicate via an access point (AP), router, or directly to other Wi-Fi CERTIFIED products via Wi-Fi Direct. It configures the network name (SSID) and Wi-Fi Protected Access, or WPA2, security key for the AP and Wi-Fi Protected Setup client devices on a network. Wi-Fi Protected Setups simple, standardized approach allows typical Wi-Fi users to set up and expand their Wi-Fi networks with security enabled, even if they do not understand the underlying technologies or processes involved. For example, users no longer have to know that SSID refers to the name of the network or that WPA2 refers to the security mechanism. Wi-Fi Protected Setup automatically pushes your network to use the highest level of functioning security available in your equipment. Consumers no longer need to sort through security choices.

Simple Setup Options

Wi-Fi CERTIFIED Wi-Fi Protected Setup products offer users at least one of two easy setup solutions Personal Identification Number (PIN) or Push Button Configuration (PBC). APs must offer both options, and client devices must at least offer PIN setup. Both setup options offer improved advantages over using traditional manual setup procedures. Legacy devices may be added to a Wi-Fi network that includes devices Wi-Fi CERTIFIED for Wi-Fi Protected Setup by using the manual methods provided by device manufacturers.

Page 2 of 12

PIN Method

With the PIN method, a PIN is provided for each device that will join the network. A fixed label or sticker may be placed on a device to identify the PIN for the user, or a dynamic PIN can be generated and shown on the devices display (e.g., a TV screen or monitor). The PIN is used to ensure that the device that the user intends to add to the network is the one that is added, preventing accidental or malicious attempts of others to add unintended devices to the network. The user enters the PIN into the Registrar via a graphical user interface (GUI) on the AP or by accessing a management page via an onscreen interface presented on another device on the network, e.g. by the keypad of a handheld device, or keyboard on a PC.

Push Button Configuration Method With the PBC method, the user connects the device to the network and enables data encryption by pushing buttons on the AP and client device, or through the device acting as the Group Owner in a Wi-Fi Direct connection. The button on the AP may also be replaced with a button on the external Registrar, e.g. another device on the network as mentioned in the PIN description above. Users should be aware that there is a setup period between pushing the AP and client buttons during which unintended devices within range could join the network. Automated Methods vs. Manual Setup In the traditional manual method of network setup, the user must take several manual actions and then create their own SSID or passphrase. The advantage of Wi-Fi Protected Setup is that the user no longer needs to be involved in these actions. The Wi-Fi Protected Setup function makes the setup steps virtually invisible to the user. In the traditional method, the user activates the AP by connecting it to a power source and to a wired network. From a computer that is also connected to the wired network, the user launches a web browser to log into an administrative page and access the AP. There, the user assigns a network name to set the SSID and navigates to a security settings page to select the type of Page 3 of 12

security to be used. After activating the security settings, the user is prompted to enter a passphrase which the AP will use to generate the security key that protects communications. All this requires the user to have above-average knowledge of system setup and configuration. The user must then also configure the device to be enrolled on the network through a control panel on the device, activating its wireless interface and enabling the WLAN connection. The client device presents the user with the network names (SSIDs) of all WLANs it finds in the vicinity. The user selects the appropriate network name that they created earlier, and connects to the network. The user is then prompted to enter the passphrase created earlier. The client and the AP exchange security credentials and the new device is securely connected to the WLAN. In most cases, Wi-Fi Protected Setup eliminates many steps of the manual method for the user. In addition, it simplifies some of the remaining tasks required of the user, such as the generation of an SSID and a passphrase. With Wi-Fi Protected Setup, the user simply activates the AP and the client device, then either enters the PIN provided by the manufacturer of the AP (PIN method) or pushes buttons on the AP and client device(s) (PBC method) to initiate the secure setup. The user is no longer involved in setting a passphrase; the security codes are activated and communicated automatically. In addition to ensuring that the SSID and WPA2 security key are properly configured, Wi-Fi Protected Setup provides over-the-air safeguards to prevent users who enter incorrect PINs from accessing the network. It also includes a time-out function to cancel the configuration process when identifying credentials are not transferred in a timely fashion. Wi-Fi Protected Setup also enhances the security of the wireless network by creating stronger passphrases than a user might choose in manual setup. Before Wi-Fi Protected Setup, users were required to create and enter a passphrase on the AP that they would reuse when adding any new device to the network in order to secure their networks. Many opted for short familiar passphrases, such as the name of a child or pet easy to remember but also easy for an outsider to guess.

How Wi-Fi Protected Setup Works

Wi-Fi Protected Setup provides a simple, consistent procedure for adding new devices to established Wi-Fi networks based upon a discovery protocol that is consistent across vendors. This procedure automatically uses a Registrar to issue the credentials to devices being enrolled on the network. All Wi-Fi CERTIFIED APs with Wi-Fi Protected Setup possess Registrar capability. Additionally, the Registrar can reside on any device on the network. A Registrar that resides on the AP is referred to as an internal Registrar. A Registrar that resides on another device on the network is referred to as an external Registrar. A Wi-Fi Protected Setup network can support multiple Registrars on a single network. The process the user follows to configure a new device on the WLAN begins with an action that launches the configuration wizard and enters the PIN or pushes the PBC button. At this stage, the user is seeking access. Wi-Fi Protected Setup initiates the exchange of information between the device and the Registrar and the Registrar issues the network credentials (SSID and security key) that authorize the client to join the network. Once access is granted, the new device can now securely communicate data across the network, safe from unauthorized access by intruders. Once the Wi-Fi Protected Setup protocol is finished and access to the network is granted, the user does not have to follow the setup procedure each time they access the network. The device will automatically search to find access onto the network at power up. The Wi-Fi Protected Setup network can encrypt data and authenticate each device. It can also be used in an open network, without encryption. Information and network credentials are securely exchanged over the air using the Extensible Authentication Protocol (EAP-WSC), one of the Page 4 of 12

authentication protocols used in WPA2. A handshake then takes place in which the devices mutually authenticate and the client is accepted onto the network. The Registrar communicates the SSID and the WPA2 pre-shared key (PSK), enabling security. Use of a random PSK enhances security by eliminating use of passphrases that could be predictable and easily broken. The traditional installation method required the user to manually configure the AP to support a PSK, and then manually enter the SSID and PSK on both the AP and the client. This approach is subject to user errors through mistyping, confusion of PSK and SSID, and so on. With Wi-Fi Protected Setup, the credentials exchange process requires little user intervention after the initial setup action (entering the PIN or pushing the PBC button) is completed, because the network name and PSK are issued. The following diagrams illustrate how Wi-Fi Protected Setup configures a network. The gold lines indicate credentials exchange, while the green lines indicate communication over a securityenabled Wi-Fi connection. Credentials Exchange Information is exchanged over the Wi-Fi network. In the scenario presented, the credentials exchange can follow the push of a button on the client and on the AP in PBC method, or the entry of a PIN from the client device being added being entered by the user into a GUI when using the PIN method.

Adding Additional Devices As new clients are added to an existing network, they are configured via PIN or push button. Which method is used is dependent upon which configuration method is supported by the client device.

Many Devices Suitable for Wi-Fi Protected Setup A wide variety of devices can be added to a Wi-Fi Protected Setup network using the PIN or PBC methods.

Page 5 of 12

Wi-Fi Network Security

With WPA2, today's generation of Wi-Fi security, Wi-Fi CERTIFIED equipment offers advanced security tools to enterprise, home, and mobile users worldwide, across a wide and everexpanding range of devices. WPA2 functionality is supported in all new Wi-Fi CERTIFIED devices and access points and it is activated and used on a daily basis by a growing number of Wi-Fi users. WPA2 is founded on two key protocols: (1) Advanced Encryption Standard (AES), the encryption protocol used by the United States and other governments to protect confidential and classified information, and by enterprise environments to secure WLANs, and (2) IEEE 802.1X, a standard widely used in corporate networks to provide robust authentication and sophisticated network access control features. WPA2 is based on IEEE 802.11i and provides 128-bit AES-based encryption. It also provides mutual authentication with Pre-Shared Key (PSK; in Personal mode) and with IEEE 802.1X / EAP (in Enterprise mode). In 2004, the Wi-Fi Alliance introduced WPA2 certification. The introduction of Wi-Fi Protected Setup in 2007 simplified and encouraged the activation of WPA2 in residential networks. With WPA2, Wi-Fi technology has reached a mature state that allows it to provide excellent, state-ofthe-art security to all Wi-Fi users, across different device form factors, vendors, and geographical regions. Mutual authentication. WPA2 uses IEEE 802.1X (WPA2-Enterprise) and PSK (WPA2-Personal) to provide mutual authentication. With one-way authentication, the client device sends its credentials and, if access is authorized, the client device is connected to the network. Mutual authentication requires the client device to verify the network credential before establishing the connection, to prevent the user from connecting to unauthorized access points. Strong encryption. AES is defined as a Federal Information Processing Standard (FIPS Publication 197) and is the first publicly available encryption mechanism that meets the requirements of the United States government for protecting sensitive and classified 3 information . To date, AES has proved to be extremely resilient in the face of the high number of published attacks triggered by AESs wide adoption. The data travelling across a WPA2 network is encrypted using the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) algorithm with AES, which together provide the most advanced standards-based data encryption method available. AES support is required by many protocols and applications used worldwide in enterprise networks. Interoperability. WPA2 is a standards-based solution, supported by all Wi-Fi CERTIFIED equipment that has undergone testing since 2006. WPA2 can be activated within any session in which the access point and the client device support WPA2, regardless of the equipment brands involved. This greatly expands the availability of WPA2 and gives confidence to network operators and users that their networks, devices, and data flows can be protected everywhere. Ease of use. WPA2 is not only a powerful tool to protect Wi-Fi users, it is also easy to activate with Wi-Fi Protected Setup. See the appendix section of this paper for a discussion on commonly asked questions regarding Wi-Fi security.

Confidential information can use 128-bit AES; classified information requires 192- or 256-bit AES.

Page 6 of 12

Summary
In todays digital lifestyle, where the average consumer is juggling multiple digital devices and applications and sharing content across all of them, the complexity of setting up those connections can be overwhelming. Wi-Fi CERTIFIED Wi-Fi Protected Setup devices can handle all the connection and security setup in an almost seamless, invisible process. Setting up a home or small office wireless network no longer requires that you invite over your engineering friend, or relative who knows how to connect everything. Wi-Fi Protected Setup is an optional certification program from the Wi-Fi Alliance that is designed to ease the task of setting up and configuring security on wireless local area networks. Initially introduced by the Wi-Fi Alliance in early 2007, the program provides an industry-wide set of network setup solutions for homes and small office environments. Wi-Fi Protected Setup enables typical users who possess little understanding of traditional Wi-Fi configuration and security settings to easily configure new wireless networks, to add new devices and to enable security. Wi-Fi Protected Setup provides users a uniform set of setup approaches, including the entry of a PIN and a push button sequence, which make it easier to configure new Wi-Fi CERTIFIED devices and enable security on Wi-Fi networks in home and small office environments. It is designed to enhance the users out-of-box experience with Wi-Fi CERTIFIED devices, reduce dependence on vendor technical support, reduce the number of product returns at retail and increase user satisfaction with the technology. Wi-Fi Protected Setup makes network configuration easier by eliminating the requirement that users understand concepts such as PSK and SSID, and by removing the unforgiving process of manual key entry for PSKs. Wi-Fi Protected Setup is designed for extensibility. It supports both the 2.4GHz and 5GHz frequency bands to support 802.11a/b/g/n Wi-Fi CERTIFIED devices. Though it is an optional certification, it can be applied to devices for home and small office, including those that are multiband. Consumers should look for the Wi-Fi Protected Setup designation and identifier mark on Wi-Fi CERTIFIED products. For more information about Wi-Fi Protected Setup or other Wi-Fi CERTIFIED programs, plus a listing of certified products, visit www.wi-fi.org.

About the Wi-Fi Alliance

The Wi-Fi Alliance is a global non-profit industry association of hundreds of leading companies devoted to the proliferation of Wi-Fi technology across devices and market segments. With technology development, market building, and regulatory programs, the Wi-Fi Alliance has enabled widespread adoption of Wi-Fi worldwide. The Wi-Fi CERTIFIED program was launched in March 2000. It provides a widely-recognized designation of interoperability and quality, and it helps to ensure that Wi-Fi enabled products deliver the best user experience. The Wi-Fi Alliance has completed more than 8,500 product certifications to date, encouraging the expanded use of Wi-Fi products and services in new and established markets.
TM

2010 Wi-Fi Alliance. All rights reserved. Wi-Fi, Wi-Fi Alliance, WMM, Wi-Fi Protected Access, the Wi-Fi CERTIFIED logo, the Wi-Fi logo, the Wi-Fi ZONE logo, and the Wi-Fi Protected Setup logo are registered trademarks of the Wi-Fi Alliance; Wi-Fi CERTIFIED, Wi-Fi Protected Setup,Wi-Fi Direct, Wi-Fi Multimedia, and the Wi-Fi Alliance logo are trademarks of the Wi-Fi Alliance.

Page 7 of 12

APPENDIX: Wi-Fi Security Frequently Asked Questions

Is Wi-Fi secure? WPA2 is the latest version of Wi-Fi security, and it should be used to protect all Wi-Fi devices. WPA2 was introduced in 2004 and has been required in Wi-Fi CERTIFIED products since April 2006. It supports Advanced Encryption Standard (AES), the most advanced encryption standard. AES is the encryption standard endorsed by the United States government. The Wi-Fi Alliance recommends that users select equipment supporting WPA2 to help protect their network from known attacks to their security and privacy. With WPA2, Wi-Fi technology has reached a mature state that allows it to provide excellent, state-of-the-art security to all Wi-Fi users, across different device form factors, vendors, and geographical regions. In the context of Wi-Fi technology, security means two things. First, controlling who can connect to and configure your network and equipment. Second, it means securing the data travelling wirelessly across your Wi-Fi network from unauthorized view. Wi-Fi security is just one aspect of security for networks. A protected Wi-Fi network is a great start, but you should also consider measures to protect your computer (virus software, firewall, etc.) and your communications across the Internet (virtual private network (VPN), etc.) What security technology is used in Wi-Fi? Is it NIST approved? Wi-Fi security is based on IEEE 802 standards that use the cryptographic algorithms that are recommended by the NIST (National Institute of Standards and Technology). The IEEE 802.11 standard encrypts all communications with the AES that was selected by NIST. The authentication process for Wi-Fi is based on the IEEE 802.1X standard for port-based access control. There are several ways to authenticate devices that allow simple home installation with passwords or enterprise grade solutions with central authentication servers. Authentication with RADIUS servers use the Extensible Authentication Protocol (EAP) with methods that have been defined by the Internet Engineering Task Force (IETF) and reviewed and approved by NIST. What is WPA2? WPA2 is today's generation of Wi-Fi security. It is founded on two key protocols: (1) AES, the encryption protocol used by the United States and other governments to protect confidential and classified information, and by enterprise environments to secure WLANs, and (2) IEEE 802.1X, a standard widely used in corporate networks to provide robust authentication and sophisticated network access control features. WPA2 is based on IEEE 802.11i and provides 128-bit AESbased encryption. It also provides mutual authentication with Pre-Shared Key (PSK; in Personal mode) and with IEEE 802.1X / EAP (in Enterprise mode). In 2004 the Wi-Fi Alliance introduced WPA2 certification. In 2006, WPA2 certification became mandatory for all Wi-Fi CERTIFIED equipment. In addition, in 2007 the Wi-Fi Alliance introduced the Wi-Fi Protected Setup program to simplify and encourage the activation of WPA2 in residential networks. With WPA2, Wi-Fi technology has reached a mature state that allows it to provide excellent, state-of-the-art security to all Wi-Fi users, across different device form factors, vendors, and geographical regions. Is WEP still used? The AES replaced WEP security in 2004. The AES algorithm is NIST approved and is the basis of the WPA2 wireless security certified by the Wi-Fi Alliance. After 2013, no Wi-Fi CERTIFIED devices will contain WEP. There are some home wireless networks in use today that only support WEP.

Page 8 of 12

Is WPA2 end-to-end security? WPA2 provides security at the Link Layer of the ISO model, thereby protecting the data as it traverses the Wi-Fi wireless link. If the Wi-Fi network is connected via routers to non-Wi-Fi networks, other security protocols would be invoked to provide link-level security within those networks, and typically also to provide end-to-end protection. For example, banking transactions from a Wi-Fi laptop over the Internet are ordinarily double protected as the data traverses the Wi-Fi link protected first by WPA2s link-level encryption provided over the Wi-Fi link, and also protected by end-to-end encryption over not just the Wi-Fi link but the entire Internet.

Page 9 of 12

Glossary
Access Point (AP): Often a Wi-Fi router, a device that connects wireless devices to a network. Advanced Encryption Standard (AES): The preferred standard for the encryption of commercial and government data using a symmetric block data encryption technique. It is used in the implementation of WPA2. (See 802.11i, WPA2.) Authentication: The process, during which the identity of the wireless device or end-user is verified, so that it may be allowed network access. Credential: A data structure issued by a Registrar to a client, in order to allow it to gain access to the network. Device: An independent physical or logical entity capable of communicating with other devices across a Local Area Network (LAN) or Wireless Local Area Network (WLAN). Client: Any device connected to a network that is able to access files and services (files, print capability) from the server or other devices on the network. Discovery Protocol: A method used by the client and the Registrar to discern the presence and capabilities of networked devices. Extensible Authentication Protocol (EAP): A protocol that provides an authentication framework for both wireless and wired Ethernet enterprise networks. Guest: A Member with credentials that provide only temporary access to a Wireless Local Area Network (WLAN). 802.11a/b/g/n: IEEE standards for a wireless networks that operate at 2.4GHz (b/g/n) or 5GHz (a/n) with rates up to 11Mbps (b), 54Mbps (a, g), or 75-600Mbps (n). Local Area Network (LAN): A system of connecting PCs and other devices within the same physical proximity in order to share resources, such as an Internet connection, printers, files and drives. When Wi-Fi is used to connect the devices, the system is known as a wireless LAN or WLAN. Network Name: A name used to identify a wireless network. In wireless standards, this is referred to as the service set identifier or SSID. Personal Identification Number (PIN): A multi-digit number that is randomly generated to enroll a specific client device on a WLAN. (In the Wi-Fi Protected Setup program, the pin is 4 or 8 digits.) Pre-Shared Key (PSK): A mechanism that allows the use of keys or passwords to initiate WPA/WPA2 security. Push Button Configuration (PBC): A configuration method triggered by pressing a physical or logical button on the enrollee device and on the Registrar. Registrar: A logical entity with the authority to issue and revoke domain credentials. A Registrar may be integrated into any device, including an access point. Note that a Registrar may or may not have WLAN capability, and a given domain may have multiple Registrars. Registration Protocol. A registration protocol is used to assign a credential to the enrollee. It operates between the enrollee and the Registrar. External Registrar: A Registrar that runs on a device separate from the access point. Internal Registrar: A Registrar that is integrated in an access point. Page 10 of 12

WEP: Wired Equivalent Privacy, an early-generation technology, now superseded by WPA2. Wi-Fi: A term developed by the Wi-Fi Alliance to describe WLAN products that are based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11 (a/b/g/n) standards. Wi-Fi CERTIFIED: A product compliant with certification standards designating IEEE 802.11-based products that has passed interoperability testing requirements developed and governed by the Wi-Fi Alliance. Wi-Fi Network or Wireless Local Area Network (WLAN): A LAN of wireless devices. Wi-Fi Protected Access version 2 (WPA2): A next-generation security protocol/method for wireless networks that provides stronger data protection and network access control than WPA. Wireless Router: A wireless router is device that accepts connections from wireless devices to a network and includes a network firewall for security, and provides local network addresses.

Common Acronyms

AES: Advanced Encryption Standard AP: Access Point EAP: Extensible Authentication Protocol LAN: Local Area Network PBC: Push Button Configuration PDA: Personal Digital Assistant PIN: Personal Identification Number PSK: Pre-Shared Key SSID: Service Set Identifier SOHO: Small Office-Home Office SSID: Service Set Identifier TKIP: Temporal Key Integrity Protocol WLAN: Wireless Local Area Network WPA: Wi-Fi Protected Access WPA2: Wi-Fi Protected Access version 2

Page 11 of 12