Wi-Fi Protected Setup (WPS) is a certification program run by the Wireless Fidelity (WiFi) Alliance, and is mainly dedicated to simplifying the setup of a wireless local area network (WLAN) and the configuration of its security features. Conventionally, when setting up a wireless network, a user must set a security key at an access point manually, and then verify the key at a client to prevent an attacker from stealing WiFi resources. Throughout this process, the user needs background knowledge about the WiFi device and the ability to modify the necessary configuration. WPS can help the user to securely configure a network name (for example, a service set identifier (SSID)), and to configure powerful Wi-Fi Protected Access (WPA) data encoding and authentication functions. To securely access the WLAN, the user needs to enter only a personal identification number (PIN). This greatly simplifies wireless security setup. However, in a WPS authentication process, only a PIN is required for network access; that is, if an attacker obtains the PIN, the attacker can steal WiFi resources of the wireless network.
In the prior art, a WPS configuration process may mainly include the following steps:
Step 1: A router and a terminal exchange their DH (Diffie-Hellman) public keys by using plaintexts.
Step 2: The router generates a shared key DH key by using a DH private key of the router and a DH public key of the terminal, and the terminal generates a shared key DH key by using a DH private key of the terminal and a DH public key of the router.
Step 3: The router generates a derivative key of the DH key according to the DH key generated by the router, and determines a hash value by using a hash algorithm and using the derivative key in combination with a first nonce generated by the router and a first half of a PIN.
Step 4: The router sends, to the terminal, the hash value determined in step 3 and the first nonce encrypted by using the derivative key generated in step 3.
Step 5: The terminal generates a derivative key of the DH key according to the DH key generated by the terminal, decrypts the first nonce, determines a hash value by using the hash algorithm and using the derivative key in combination with the first nonce and the first half of the PIN, and when the determined hash value is the same as the hash value that is determined by the router and received in step 4, continues to perform a subsequent step.
Step 6: The terminal determines a hash value by using the same hash algorithm used by the router and using the derivative key of the DH key of the terminal in combination with a second nonce and the first half of the PIN.
Step 7: The terminal sends, to the router, the hash value determined in step 5 and the second nonce encrypted by using the derivative key of the DH key of the terminal.
Step 8: The router decrypts the second nonce by using the derivative key of the DH key of the router, determines a hash value by using the hash algorithm and using the derivative key in combination with a second nonce generated by the router and the first half of the PIN, and when the determined hash value is the same as the hash value that is determined by the terminal and received in step 7, continues to perform a subsequent step.
Step 9: The router processes a second half of the PIN by using a method similar to that of step 3, obtains a hash value of the second half of the PIN, and sends it to the terminal.
Step 10: The terminal verifies the hash value of the second half of the PIN by using a method similar to that of step 5, and when the router passes the verification, determines that a secure connection is established with the router.
Step 11: The terminal processes the second half of the PIN by using a method similar to that of step 6, obtains a hash value of the second half of the PIN, and sends it to the router.
Step 12: The router verifies the hash value of the second half of the PIN by using a method similar to that of step 8, and when the terminal passes the verification, determines that a secure connection is established with the terminal.
In the foregoing WPS configuration process, an attacker may pretend to be a terminal knowing a PIN, exchange DH public keys with the router in step 1 by using a DH public key and a DH private key generated by the attacker, generate a shared key DH key between the attacker and the router in step 2, and receive a hash value that is generated based on a first half of the PIN and a first nonce and sent by the router in step 4 and the first nonce that is encrypted by using a derivative key of the DH key of the router.
Therefore, the attacker may decrypt the first nonce by using the shared key DH key generated by the attacker, which is the same as the DH key of the router, and a derivative key of that DH key. Because the attacker does not know the PIN, the attacker does not verify whether the received hash value sent by the router in step 4 is correct, but determines the first half of the PIN by using the decrypted first nonce and an offline exhaustive attack method. Because the first half of the PIN includes four digits, the attacker may perform the following operations on each four-digit number in sequence: determining a hash value by using the hash algorithm and the derivative key generated by the attacker in combination with the first nonce and the four-digit number, and when the determined hash value is the same as the received hash value sent by the router, determining that the four-digit number is the first half of the PIN. Because the PIN is relatively short, the attacker can calculate the first half of the PIN in an offline manner after 10^4 attempts.
Further, in the first WPS configuration process performed between the router and the attacker, the attacker does not know the first half of the PIN (the first half of the PIN is obtained subsequently by using the offline exhaustive attack method), and therefore, in step 6, the attacker cannot obtain the hash value that is determined based on the first half of the PIN. Therefore, in step 8, the router can verify that there is a potential security risk, and therefore the router does not perform subsequent data communication.
To acquire the second half of the PIN, a second WPS configuration is required. Because the attacker has obtained the first half of the PIN through the first WPS configuration, the attacker may acquire the second half of the PIN in a similar manner. That is, in the second WPS configuration process, the attacker receives a hash value that is generated based on the second half of the PIN and the first nonce and sent by the router in step 9, and may obtain the second half of the PIN in a manner similar to that used for the first half, that is, the offline exhaustive attack method. Therefore, the attacker can obtain the entire PIN through the first WPS configuration and the second WPS configuration. The attacker can steal WiFi resources by using the PIN. Clearly, the WPS configuration mechanism in the prior art has a security vulnerability, and is not secure.
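The weakness described above can be seen in a small offline model. This is an added example, not code from the original document: the HMAC-SHA256 hash, the key derivation, the random secret standing in for the DH exchange and the sample PIN are all assumptions made for illustration. It shows that a hash over a four-digit value, keyed with a key the peer also holds, is consistent with exactly one candidate, and that checking the halves separately leaves 2 x 10^4 hashes of work instead of 10^8.

```python
import hashlib
import hmac
import secrets


def derive_key(dh_key: bytes) -> bytes:
    # Assumed derivation; the text only says "a derivative key of the DH key".
    return hashlib.sha256(b"derived" + dh_key).digest()


def commit_half(derived_key: bytes, nonce: bytes, pin_half: str) -> bytes:
    # Assumed hash: HMAC-SHA256 over nonce || PIN half, keyed with the derivative key.
    return hmac.new(derived_key, nonce + pin_half.encode(), hashlib.sha256).digest()


def matching_halves(derived_key: bytes, nonce: bytes, commitment: bytes) -> list:
    """Return every 4-digit value consistent with the hash (at most 10**4 hashes)."""
    return [
        f"{n:04d}"
        for n in range(10**4)
        if hmac.compare_digest(commit_half(derived_key, nonce, f"{n:04d}"), commitment)
    ]


def simulate(pin: str) -> dict:
    # Steps 1-2: both peers end up with the same DH key. Modelled here as one
    # random secret, because any peer that completes the exchange holds it.
    dh_key = secrets.token_bytes(32)
    key = derive_key(dh_key)
    results = {}
    for label, half in (("first", pin[:4]), ("second", pin[4:])):
        nonce = secrets.token_bytes(16)             # router nonce, decryptable by the peer
        commitment = commit_half(key, nonce, half)  # value sent in step 4 / step 9
        results[label] = matching_halves(key, nonce, commitment)
    results["hashes_needed"] = 2 * 10**4      # two independent 4-digit searches
    results["hashes_if_unsplit"] = 10**8      # one search over all eight digits
    return results


if __name__ == "__main__":
    print(simulate("12345670"))  # constructed sample PIN
```

The nonce adds no protection in this model because it is delivered encrypted under a key the unauthenticated peer already holds, so the only unknown input to the hash is the four-digit half.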