Wireless communication systems have become ubiquitous and provide flexible and efficient support for many communication applications including mobile communication applications. One widespread set of wireless communication standards is the Wi-Fi family of communication standards, which is for example used in many homes to provide wireless networking and Internet access. The Wi-Fi family of communication standards includes, amongst others, the widespread IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, and IEEE 802.11n standards defined by the Institute of Electrical and Electronics Engineers (IEEE). Wi-Fi is also widely used in shops, hotels, restaurants etc. to provide wireless Internet access.
An important aspect for most wireless communication systems is that they provide secure communications. Such security should preferably ensure that third parties cannot eavesdrop on the over-the-air communications, i.e. that a third party cannot receive the radio transmissions and successfully decode the data. In order to provide such protection, data transmissions over the air may be encrypted. However, in order to encrypt data, the two devices must be able to securely set up an encryption key to be used. Another important factor is authentication of the communication devices, such that a given communication device can be certain that it communicates with the intended other communication device rather than possibly a third communication device seeking to intercept the data messages.
The Wi-Fi link between a Wi-Fi Access Point (AP) and Wi-Fi Station (STA) or the Wi-Fi link between a Wi-Fi Direct Peer-to-Peer Group Owner (GO) and Client can be cryptographically protected for confidentiality and integrity. This is specified in the Wi-Fi Protected Access (WPA) specifications (specifically in “Wi-Fi Protected Access (WPA)-Enhanced Security Implementation Based on IEEE P802.11i standard”, Version 3.1, August, 2004). This standard provides two authentication methods. The first is called WPA2-Personal or WPA2-PSK (Pre-Shared Key) and provides a solution for home networks and small enterprises that have no authentication server. The second method is called WPA2-Enterprise and uses an IEEE 802.1X-authentication server.
In both systems, all keys that are required are derived from one key which is known as the Pairwise Master Key (PMK). In WPA2-PSK mode, the PMK is the same for all devices that have to communicate with one another using Wi-Fi which is protected by WPA2, and accordingly it has to be shared with all the relevant devices before WPA2 can be used. In WPA2-Enterprise, the PMK is different per pair of communicating devices and is determined in a protocol with the authentication server.
When two Wi-Fi devices set up a Wi-Fi connection (e.g. a laptop with Wi-Fi that wants to join a Wi-Fi network has to set up a Wi-Fi link with the Access Point of the network), they execute the so-called WPA four-way handshake in order to derive their common Pairwise Transient Key (PTK), which is the key from which all other keys protecting the specific link are derived. The PTK is derived from the PMK and some numbers that are sent in the clear over Wi-Fi during the four-way handshake. As a result, any device that has followed the four-way handshake and which knows the PMK is able to compute the PTK, and thus is able to decrypt all Wi-Fi communication between the two devices. It is even possible for a Wi-Fi device to force another device to execute the four-way handshake with the AP again.
In WPA2-PSK mode, the PMK is a 256-bit value. It is difficult for humans to distribute 256-bit numbers (e.g. to read hexadecimal code on one device and enter it into another), therefore it is also possible to use a passphrase of up to 63 characters, from which the 256-bit PMK can be derived.
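The passphrase-to-PMK mapping mentioned above is a public, deterministic procedure (PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations, 256-bit output, as specified in IEEE 802.11i); the following added example, which is not part of the original text, derives the PMK for a constructed passphrase and SSID and checks the published 802.11i test vector for passphrase "password" with SSID "IEEE".

```python
import hashlib
import hmac


def passphrase_to_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2-PSK PMK from a passphrase and SSID.

    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dklen=32)
    The SSID acts as the salt, so the same passphrase yields a different PMK
    on a differently named network. The passphrase must be 8 to 63 ASCII
    characters (802.11i constraint); 64 hex characters would instead be the
    raw PMK and are not handled here.
    """
    if not passphrase.isascii() or not (8 <= len(passphrase) <= 63):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    if not (1 <= len(ssid.encode("utf-8")) <= 32):
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def pmk_matches(candidate_passphrase: str, ssid: str, known_pmk: bytes) -> bool:
    """Constant-time comparison of a derived PMK against a stored one.

    Useful for a defender checking whether a stored credential is the one
    a given passphrase produces, without leaking timing information.
    """
    derived = passphrase_to_pmk(candidate_passphrase, ssid)
    return hmac.compare_digest(derived, known_pmk)


if __name__ == "__main__":
    # Constructed demo values, not from any real network.
    pmk = passphrase_to_pmk("correct horse battery", "HomeNetDemo")
    print("PMK:", pmk.hex())
    print("Same passphrase, other SSID differs:",
          pmk != passphrase_to_pmk("correct horse battery", "OtherSSID"))
```

Because the derivation needs no secret input, anyone who learns the passphrase (for example by reading it from an unencrypted NFC Configuration Token) can compute the PMK exactly as the network's own devices do.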
Although such passphrases are easier to handle for humans than random 256-bit numbers, it was still considered too cumbersome, and therefore the Wi-Fi Alliance developed a variant known as the Wi-Fi Simple Configuration (WSC) specification (“Wi-Fi Simple Configuration Technical Specification”, Version 2.0.2, 2011, Wi-Fi Alliance, also known as Wi-Fi Protected Setup—WPS). In this specification, a secure method of transferring network credentials (a network credential includes a PMK, or a passphrase from which a PMK can be derived) from one device to another is defined. This method uses 8 messages, referred to as M1-M8. Depending on the variation used, whether an error occurred, etc., not all 8 messages have to be used. When two devices have agreed to use WSC, one device sends message M1 to the other, and the other device then responds with message M2, etc. If one device starts to distrust the other, it terminates the protocol. If no problems are encountered, the device not knowing the PMK at the outset will have obtained it from the other device in a secure manner.
The WSC approach for establishing the encryption key for securing the transfer of network credentials is based on the Diffie-Hellman key exchange algorithm for agreeing a common secret key. The Diffie-Hellman key exchange algorithm is well known in the encryption field and is based on each device communicating only codes that may be known by anybody and by using private codes that only the individual device knows. An attacker cannot make use of the codes that may be known by anybody if he does not know the corresponding private codes.
For example, two parties may agree on two integers, a prime number p and a base g. These numbers may be public and generally known. Each party then selects a secret integer (the first party selects a, the second party selects b) which is only known by each individual party and which is never communicated to the other party or any other device.
The first party computes the value A = g^a mod p and sends the result A to the other party. Only the calculated value A is communicated; the secret value a is not communicated. Furthermore, the function used to derive A is a so-called one-way function, which is easy to calculate in one direction but cannot practically be inverted. Specifically, whereas it is relatively easy to calculate A when g, p and a are known, it is very difficult to calculate a from A, g and p. For the particular function that is used in the Diffie-Hellman key exchange algorithm, this is known as the discrete logarithm problem.
Similarly, the second party proceeds to calculate B = g^b mod p and transmits it to the first party.
The first party then proceeds to calculate the value B^a mod p and the second party proceeds to calculate the value A^b mod p. Furthermore, it can be shown that B^a mod p = A^b mod p (both equal g^(ab) mod p), i.e. the first and second party calculate the same value. This value can thus be determined separately by each device based on its own secret code, the value received from the other party, and some pre-agreed public values.
However, without knowledge of either a or b, i.e. without knowledge of any of the secret integers, it is very difficult to calculate the value. Although not impossible in theory it is in practice not possible to calculate the value or the secret integers provided the integers used are sufficiently large. Accordingly, it is not possible for an eavesdropping device to determine the value which is determined by both the parties. The value may therefore be used as an encryption key.
The Diffie-Hellman part of the WSC protocol is performed using the messages M1 and M2. Diffie-Hellman works such that no one listening to this exchange is able to compute the secret encryption key (the Diffie-Hellman (DH) key) that the two devices each arrived at. However, an issue with the Diffie-Hellman approach is that it does not provide device authentication, which means that each device has no information of which specific other device the encryption key has been setup with.
Message M1 contains among other things a random number (nonce) called N1 and the Diffie-Hellman public key of the device sending M1. N1 is used to protect against so-called replay attacks, whereby an attacker tries to use previously intercepted known good responses from legitimate devices to challenges. If challenges contain a random part with enough bits, it will not occur in practice that the same challenge is used more than once, so it does not make sense for attackers to memorize known good responses to challenges. Similarly, message M2 contains among other things a random number (nonce) called N2 and the Diffie-Hellman public key of the device sending M2. The random data may specifically be a nonce, or cryptographic nonce, which is a number or bit string which is used only once. This may for example be achieved by generating random numbers with sufficiently many bits, so the probability of generating two identical nonces is negligible. M2 may already contain information encrypted with the secret encryption key (the Diffie-Hellman (DH) key),
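The M1/M2 exchange described in the preceding paragraphs, as an added example that is not part of the original text: each side contributes a fresh 128-bit nonce and a Diffie-Hellman public value, only p, g, A, B, N1 and N2 travel over the air, and both sides arrive at the same DH key. The prime is a constructed toy parameter (2^61 - 1), far smaller than the MODP group WSC actually uses, and the message layout is a simplified stand-in for the real M1/M2 attribute encoding.

```python
import secrets

# Toy public parameters, constructed for the demo only.
P = 2**61 - 1   # a Mersenne prime; real WSC uses a 1536-bit MODP group
G = 2


class DhParty:
    """One endpoint of the unauthenticated M1/M2 Diffie-Hellman exchange."""

    def __init__(self, p: int = P, g: int = G):
        self.p, self.g = p, g
        self.secret = secrets.randbelow(p - 2) + 1   # never leaves the device
        self.public = pow(g, self.secret, p)          # g^secret mod p
        self.nonce = secrets.token_bytes(16)          # 128-bit nonce (N1 or N2)

    def message(self) -> dict:
        """The public part this device sends (M1 for the first, M2 for the second)."""
        return {"nonce": self.nonce, "dh_public": self.public}

    def dh_key(self, peer_msg: dict) -> int:
        """peer_public^secret mod p; equals g^(ab) mod p on both sides."""
        peer_pub = peer_msg["dh_public"]
        if not 1 < peer_pub < self.p - 1:
            # Reject degenerate public values (0, 1, p-1) that would force a
            # trivial shared secret; a real implementation must do this too.
            raise ValueError("invalid Diffie-Hellman public value")
        return pow(peer_pub, self.secret, self.p)


def run_m1_m2(p: int = P, g: int = G) -> tuple:
    """Run the exchange and return (key_at_first, key_at_second, air_transcript)."""
    first, second = DhParty(p, g), DhParty(p, g)
    m1 = first.message()     # carries N1 and A = g^a mod p
    m2 = second.message()    # carries N2 and B = g^b mod p
    transcript = {"p": p, "g": g, "M1": m1, "M2": m2}  # all an eavesdropper sees
    return first.dh_key(m2), second.dh_key(m1), transcript


if __name__ == "__main__":
    k1, k2, seen = run_m1_m2()
    print("keys agree:", k1 == k2)
    print("nonces fresh:", seen["M1"]["nonce"] != seen["M2"]["nonce"])
```

Note that nothing in the transcript ties A or B to a particular device, which is exactly why the later M3-M8 messages (or an out-of-band channel) are needed for authentication.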
The approach may be sensitive to a man-in-the-middle attack where an eavesdropping device sets up communication links with the two communicating devices and forwards messages between the devices. Such a man-in-the-middle device may setup encryption separately with each of the communicating devices and may simply use the appropriate encryption for each device. The communicating devices will not be aware that they are communicating with the other device via an intermediate as they both think that they have set up encryption directly with the other device. Thus, it is possible for a third device to perform a man-in-the-middle attack, i.e. it can execute the Diffie-Hellman part of the WSC protocol separately with both devices resulting in it agreeing one Diffie-Hellman key with one device and another Diffie-Hellman key with the other device. Since it knows both keys, it can decrypt a message from one device, read it, re-encrypt it with the other DH key and then send it to the other device. Apart from some possible message delay, the other two devices will not be able to detect the man-in-the-middle device. What is sent by one device is received by the other. However, the third device will have full visibility of the communicated data.
The WSC procedure addresses this authentication issue by using a second, ‘out-of-band’ channel in a variety of ways.
One such way is based on a PIN-based setup. In this setup, the user has to read a PIN (8 decimal digits) on one device and manually enter it into the other device. The PIN may be a static PIN, e.g. printed on the first device or on a sticker or card that is provided with the first device. The PIN may also be a dynamic PIN which is e.g. shown on a display of the first device.
The messages M3-M8 of the WSC setup are used to reveal the PIN to each other, part by part, in a cryptographically secure way. If both devices are confident that the other device knows the same PIN, they will proceed to use the Diffie-Hellman key to transfer the PMK known by one of the devices to the other device in the M7 or M8 messages. When both devices have knowledge of the same PMK, they can set up WPA2 for Wi-Fi using the four-way handshake. Thus, in this approach the M3-M8 messages are necessary to authenticate the devices and to transfer the PMK.
WSC also suggests another approach based on the use of Near Field Communication (NFC). Near field communication is a communication technique that utilizes near field magnetic coupling to transfer data, and if necessary power, between suitably enabled devices. Specifically, a Near Field Communication standard has been developed by ISO/IEC (the International Organization for Standardization/International Electrotechnical Commission) and the NFC Forum (http://www.nfc-forum.org/home/) to provide a two-way communication technology, able to operate in one of two modes, either using peer-to-peer communication, which is also sometimes called NFC Peer mode, or using an asymmetric arrangement with an active master communicating with a passive tag (similar to conventional RFID techniques). The operating range is typically in the order of just a few centimeters. The Wi-Fi Simple Configuration specification describes three ways to use NFC, namely: (1) an NFC Token or NFC tag with a device PIN or device Password; (2) an NFC Token or NFC tag with network credentials; and (3) NFC Peer mode for the transfer of a device PIN or device Password or network credentials.
It should be noted that the terms NFC token and NFC tag tend to be used interchangeably to refer to the same entity. The official name defined by the NFC Forum and used in their specifications for NFC is that of an NFC tag. However, the term NFC token is also frequently used and is specifically used by the Wi-Fi Alliance which is responsible for the Wi-Fi standards. In the following, the term NFC tag will be used.
Whereas an NFC-enabled device can operate in reader/writer and peer-to-peer mode (and may also operate in NFC tag emulation mode), an NFC tag is typically a passive device, which means that the tag does not need its own power source (e.g. battery) to operate, but is powered by the energy of the device that reads from it or writes to it. Some NFC tags are read only, i.e. they store data which can only be read by an NFC-enabled device. Other NFC tags may be both read from and written to by an NFC-enabled device. In the NFC tag emulation mode, an NFC tag has, besides its NFC wireless interface, also an electrical interface which can be used to read and write data to the NFC tag. In this way, the NFC tag will appear as e.g. a passive NFC tag to an external device interfacing with it over the NFC air interface, but the wired interface allows e.g. the NFC tag to be adapted and dynamically configured, or to be used in two-way communication between the processor that is connected to its wired interface and the external device interfacing with it over the NFC air interface. The terms ‘NFC tag’, ‘passive NFC tag’ and ‘tag’ are used interchangeably herein.
In the following, the authentication procedures using NFC communication are described in more detail. For brevity and clarity, the term pairing secret will be used to refer to information that is intended not to be known by an attacking device, and in particular to refer to a device PIN, a device password, a PMK, or a network credential.
An 8-digit PIN is simpler for the user to handle than a 63-character passphrase. However, WSC offers an even simpler way for the user to transfer the PIN, namely with a so-called Password Token. A Password Token is an NFC tag in which the device PIN is stored (unencrypted). Although the WSC specification calls this a device password, it functions as a device PIN in the WSC protocol. NFC devices (e.g. an NFC reader reading an NFC tag) need to be within typically a couple of centimeters for reliable communication. This provides the advantage that a user can have a very high degree of certainty that if he brings two NFC devices close together, the NFC information that is read by one of these devices will have originated in the other device.
The WSC specification also specifies how to use NFC for the direct transfer of the (unencrypted) PMK, namely as part of the so-called network Credentials in a so-called Configuration Token.
An NFC Token or NFC tag can be built in the housing of a device or it can be integrated in a credit card sized card. Devices equipped with an NFC reader can read such NFC tags wirelessly using NFC read operations. Devices equipped with an NFC writer can write such NFC tags wirelessly using NFC or through wired connections.
NFC also specifies a so-called NFC peer mode of operation wherein two NFC devices communicate directly with each other using NFC but without using an NFC tag. The WSC specification allows for NFC Peer mode to also be used for the transfer of the device PIN, device Password and network Credentials, using the same formatting of the messages as used in an NFC tag, which means that the device PIN, device Password and network Credentials are not encrypted during these transfers.
Using NFC to set up a secure Wi-Fi link is very easy for the user. In case of a separate NFC tag, the user simply touches (the NFC reader location of) a device with the NFC tag of the other device. In case of an integrated NFC tag, or in case of NFC Peer mode, the user touches (the NFC reader location of) a device with the other device (e.g. a smart phone with built-in NFC).
However, it has been found that the current NFC authentication operation does not provide optimal security. For example, if other devices can detect the authentication/security data, they may be able to get access to Wi-Fi networks or devices that they are not allowed to have access to.
For example, the device PIN or device Password is used to authenticate two Wi-Fi devices for each other as explained above. Only the two involved devices should know the device PIN or Password. However, if another device, e.g. a man-in-the-middle attacker, is able to determine the device PIN or device Password, it can use this to setup separate communications with the two devices. Specifically, the third device can use the information to establish a trust relationship with both of the original devices by exchanging messages M3-M8 with each of the devices. Thus, both devices will consider the third device as the authenticated other device and remain unaware that they are communicating through a man-in-the-middle-device.
In the Pre-Shared Key mode, the keys are derived in such a way that any device which knows the PMK, and which follows the WPA four-way handshake in which the key between two devices is determined, can independently determine the key. Therefore, if the network credentials are known, a third device can from then on decrypt all traffic on the Wi-Fi network that uses those credentials in PSK mode (the network credentials contain a passphrase or a bit string from which the PMK can be computed using a non-secret procedure). Indeed, if the third device missed the four-way handshake, it is even possible for this device to force another device to execute the four-way handshake again.
The authentication approaches using out of band communication in the form of NFC communications are based on NFC communication being considered to be secure due to the very restricted distances of NFC communication links. However, such systems may have a weakness in being dependent on these assumptions about the NFC communication link and may in some scenarios not provide optimal security. Although the very limited range of NFC communications provides some protection against other devices being able to obtain the secret information, it cannot be fully guaranteed that this will never happen. Indeed, recent research has indicated that NFC communications can be detected and decoded at substantial distances (indeed at distances of up to several meters).
Hence, an improved approach would be advantageous and in particular an approach allowing increased flexibility, user friendliness, improved security and/or improved performance would be advantageous.