Skip to content

usnistgov/hostap

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15,170 Commits

doc

doc

 
 

eap_example

eap_example

 
 

hostapd

hostapd

 
 

hs20

hs20

 
 

radius_example

radius_example

 
 

src

src

 
 

tests

tests

 
 

wlantest

wlantest

 
 

wpa_supplicant

wpa_supplicant

 
 

wpadebug

wpadebug

 
 

wpaspy

wpaspy

 
 

.config-hostapd

.config-hostapd

 
 

.config-wpasupplicant

.config-wpasupplicant

 
 

.gitignore

.gitignore

 
 

Android.mk

Android.mk

 
 

CONTRIBUTIONS

CONTRIBUTIONS

 
 

COPYING

COPYING

 
 

README

README

 
 

README.md

README.md

 
 

build_release

build_release

 
 

Repository files navigation

hostap and wpa_supplicant with DevID support

DPP hacks for wpa_supplicant and hostap with device identity.

This fork of hostap adds device identity support during the onboarding process.

This project is part of the Trustworthy Networks of Things project at NIST.

The following is a summary of the interactions:

As in standard DPP, the DPP url contains the public key of the device certificate (not the full certificate). The IOT device (supplicant) publishes this as a QR code. This is scanned by Configurator which does an authentication of the supplicant. The authentication is based on the public key of the certificate (not the full certificate). (The DPP url itself only contains the raw public key. ) Thus far it is standard DPP behavior.

After authentication, the supplicant sends a configuration request, requesting network credentials.

The following enhancement was added to DPP in the hostap submodule. (NOTE: This is not part of the standard DPP 1.0 protocol.)

The configuration request sent by the supplicant has the IDevID certificate. The verification step (performed by the Configurator during processing of the configuration request) checks the certificate to see if the public key of the DPP url matches the public key of the certificate and also verifies the certificate chain based on the CA certificate. If the presented iDevID certificate verifies, the configurator sends network credentials information to the supplicant, thereby onboarding the supplicant.

The advantage of sending the full certificate is that additional information such as the MUD URL can be imbedded in the certificate rather than presented as a parameter during onboarding. Thus even if the software of the device is compromised, the manufacturer assigned MUD URL is preserved in the certificate.

The assumptions are :

  • The device certificate is assumed be shipped with the device.
  • The device has the private key in a tamper proof store and uses this to complete the authentication with the configurator. This is the same key that was used to generate the device certificate.
  • The configurator has the CA certificate from the manufacturer.

Building

Copy the .config-hostapd and .config-wpasupplicant into hostapd/ and wpa_supplicant respectively.

Cd to the respective directories and build as usual.

Configuring wpa_supplicant for DevID certifcates

See wpa_supplicant/README-DPP.md

About

wifi-easyconnect dpp

Topics

dpp wpa-supplicant hostap 8021ar device-certificate

Resources

Readme

License

View license
Activity
Custom properties

Stars

2 stars

Watchers

4 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 36

+ 22 contributors

Languages