1

Let's look at this example: a router (access point) has an 8-digit PIN (printed on its label) and a laptop wants to connect to the network using the WPS PIN. So the user enters the router's PIN into the laptop, and the laptop sends the PIN to the router, which verifies whether it is correct or not. This method of configuration is called external registrar.

WPS PIN configuration is based on EAP messages. There are 8 messages between the registrar (laptop) and the enrollee (AP).

In M4 the registrar proves knowledge of the 1st half of the PIN. Then, if it is wrong, the enrollee sends EAP-NACK. If it is correct, in M5 the enrollee proves knowledge of the 1st half of the PIN.

In M6 the registrar proves knowledge of the 2nd half of the PIN. Then, if it is wrong, the enrollee sends EAP-NACK. If it is correct, in M7 the enrollee proves knowledge of the 2nd half of the PIN and sends the AP configuration to the registrar.

You can see here (page 5) for more details: https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf

Why does the enrollee prove knowledge of the 1st and 2nd halves of the PIN in M5 and M7? Is it necessary? Why doesn't the enrollee just send a confirmation message?

schroeder

1 Answer

1

When the enrollee sends proof of knowledge of the PIN, then the registrar can be assured that it is registering with the enrollee it expects. It works as a form of dual authentication.

Imagine a malicious, rogue WiFi AP that is programmed to accept any PIN, and therefore send 'confirmation messages' to any supplied input. An unsuspecting user could be connecting to the malicious WiFi, thinking they are connecting to their trusted network. By proving that it knows the PIN, the AP shows that it is the expected AP.

schroeder
  • I thought so... But I guess there is no reaction on the registrar when the enrollee cannot authenticate itself. There will be no prompt for the user. The good thing is that a fake AP can spoof only the 1st half of the PIN this way. Am I correct? – Mateusz Zaborski Jan 15 '16 at 12:49
  • And how about a man-in-the-middle attack? I think a fake AP can grab the password because Diffie-Hellman does not protect against man-in-the-middle. – Mateusz Zaborski Jan 17 '16 at 18:00
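The enrollee's proof described in the answer above, seen from the registrar's side, as an added example that is not part of the original thread. It uses the E-Hash commitment construction from the WSC specification (HMAC-SHA256 under AuthKey); the function names are hypothetical, and the AuthKey, public keys and PIN are constructed placeholders rather than the output of a real Diffie-Hellman exchange.

```python
import hashlib
import hmac
import os


def hmac256(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def psk(auth_key: bytes, pin_half: str) -> bytes:
    # PSK1 / PSK2: first 128 bits of HMAC-SHA256(AuthKey, PIN half)
    return hmac256(auth_key, pin_half.encode())[:16]


def commit(auth_key, secret_nonce, pin_half, pk_e, pk_r) -> bytes:
    # E-Hash = HMAC(AuthKey, E-S || PSK || PK_E || PK_R)
    return hmac256(auth_key, secret_nonce, psk(auth_key, pin_half), pk_e, pk_r)


def enrollee_commitments(auth_key, pin, pk_e, pk_r):
    """AP side: E-Hash1/E-Hash2 go out in M3; E-S1 is revealed in M5, E-S2 in M7."""
    e_s1, e_s2 = os.urandom(16), os.urandom(16)
    return (commit(auth_key, e_s1, pin[:4], pk_e, pk_r),
            commit(auth_key, e_s2, pin[4:], pk_e, pk_r), e_s1, e_s2)


def registrar_checks_enrollee(auth_key, pin, pk_e, pk_r, e_hash1, e_hash2, e_s1, e_s2):
    """Laptop side: recompute each commitment from the PIN the user typed in."""
    ok_m5 = hmac.compare_digest(e_hash1, commit(auth_key, e_s1, pin[:4], pk_e, pk_r))
    ok_m7 = hmac.compare_digest(e_hash2, commit(auth_key, e_s2, pin[4:], pk_e, pk_r))
    return ok_m5, ok_m7


def demo():
    # Constructed session values standing in for the derived AuthKey and DH public keys.
    auth_key, pk_e, pk_r = os.urandom(32), os.urandom(192), os.urandom(192)
    label_pin = "12345670"  # constructed PIN, as printed on the expected AP's label
    honest = enrollee_commitments(auth_key, label_pin, pk_e, pk_r)
    # An AP that does not know the label PIN still has to commit to something in M3.
    unknown = enrollee_commitments(auth_key, "00000000", pk_e, pk_r)
    return (registrar_checks_enrollee(auth_key, label_pin, pk_e, pk_r, *honest),
            registrar_checks_enrollee(auth_key, label_pin, pk_e, pk_r, *unknown))


if __name__ == "__main__":
    print(demo())
```

A plain "confirmation message" would pass for both APs; with the commitments, only the AP that knew the PIN before M3 opens them correctly.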