1
00:00:04,380 --> 00:00:09,160
 Hello and welcome to this video
 titled WPA3 Easy Connect.

2
00:00:09,160 --> 00:00:16,060
 So before we discuss WPA3 Easy Connect
 and what problem it solves, let's

3
00:00:16,060 --> 00:00:22,240
 go back to the real early days of
 Wi-Fi back in the early 2000s and talk

4
00:00:22,240 --> 00:00:25,200
 about some of the problems
 that existed back then.

5
00:00:25,200 --> 00:00:30,080
 So back in those days, Wi-Fi was pretty
 early, a lot of people were just

6
00:00:30,080 --> 00:00:34,720
 getting introduced to it and a lot
 of non-technical users were sort of

7
00:00:34,720 --> 00:00:40,940
 confused by this idea that they had to
 enter in a WPA or WPA2 passphrase,

8
00:00:40,940 --> 00:00:45,260
 especially if what they were dealing
 with was something like a camera

9
00:00:45,260 --> 00:00:51,320
 or a printer or a TV that had a very tiny
 screen or limited input controls,

10
00:00:51,320 --> 00:00:56,580
 which like it says here made inputting
 that passphrase tedious or error

11
00:00:56,580 --> 00:01:01,980
 prone. For example, here we got a passphrase
 that's quite good, quite

12
00:01:01,980 --> 00:01:06,220
 well constructed, nice and secure,
 but we got a printer over here and

13
00:01:06,220 --> 00:01:09,380
 you got to type that thing into these
 tiny little things which are about

14
00:01:09,380 --> 00:01:10,960
 the size of a pinhead.

15
00:01:10,960 --> 00:01:12,420
 Good luck with that.

16
00:01:12,420 --> 00:01:17,120
 So Wi-Fi developers look for a way to
 securely deliver the Wi-Fi credentials

17
00:01:17,120 --> 00:01:20,220
 to these types of devices
 in a simple way.

18
00:01:20,220 --> 00:01:23,720
 So a person wouldn't have to
 type in a big long password.

19
00:01:23,720 --> 00:01:28,580
 So back in these days, the early solution
 was something called Wi-Fi Protected

20
00:01:28,580 --> 00:01:33,980
 Setup or WPS. Now I'm not going to get
 into the gory details of how WPS

21
00:01:33,980 --> 00:01:39,260
 works because it's not really supported,
 it's actually not a good thing,

22
00:01:39,260 --> 00:01:43,560
 it's got a lot of weaknesses to it,
 but it sort of sets the stage for

23
00:01:43,560 --> 00:01:46,680
 Wi-Fi Easy Connect that we're going
 to talk about here in just a moment.

24
00:01:46,680 --> 00:01:52,460
 Now this is launched way back
 by the Wi-Fi Alliance in 2007.

25
00:01:52,460 --> 00:01:56,260
 And with WPS, of which there
 are still devices to this day like

26
00:01:56,260 --> 00:02:00,120
 access points and things that support
 it, you have two different device

27
00:02:00,120 --> 00:02:05,300
 roles. You've got the registrar, which
 is the access point itself, and

28
00:02:05,300 --> 00:02:08,680
 you have the enrollee,
 which is your client.

29
00:02:08,680 --> 00:02:14,600
 So the way that WPS worked is that a
 secure encrypted tunnel was created

30
00:02:14,600 --> 00:02:20,700
 between these devices so that the registrar
 could pass to the enrollee

31
00:02:20,700 --> 00:02:24,420
 the Wi-Fi passphrase, the
 WPA, WPA2 passphrase.

32
00:02:24,420 --> 00:02:27,920
 So you wouldn't have to
 type in that passphrase.

33
00:02:27,920 --> 00:02:30,360
 So how was that encrypted tunnel created?

34
00:02:30,360 --> 00:02:34,760
 If you're not going to type in a passphrase,
 how do we have a secret that

35
00:02:34,760 --> 00:02:36,940
 somehow creates a tunnel?

36
00:02:36,940 --> 00:02:39,500
 Well, with WPS, it came in
 two different flavors.

37
00:02:39,500 --> 00:02:43,520
 And a lot of times, for example, access
 points might support both of these.

38
00:02:43,520 --> 00:02:46,500
 One might be a WPS PIN.

39
00:02:46,500 --> 00:02:49,740
 Like, for example, you might go into
 an access point's web UI or its GUI

40
00:02:49,740 --> 00:02:52,880
 and it would give you the PIN,
 like you see right here.

41
00:02:52,880 --> 00:02:55,480
 The PIN was always an eight digit PIN.

42
00:02:55,480 --> 00:03:03,080
 And so if the WPS enrollee, the client
 device, had a little screen, it'd

43
00:03:03,080 --> 00:03:07,000
 be a lot easier to type in eight digits
 of the PIN like this than a potentially

44
00:03:07,000 --> 00:03:10,760
 very long, complex WPA passphrase.

45
00:03:10,760 --> 00:03:14,060
 It had a combination of letters and
 numbers and special characters and

46
00:03:14,060 --> 00:03:15,400
 all of that stuff.

47
00:03:15,400 --> 00:03:19,300
 Or even more simplistically, a lot
 of times the device would just have

48
00:03:19,300 --> 00:03:23,560
 a WPS button, like on this
 access point right here.

49
00:03:23,560 --> 00:03:28,440
 And you would just simply press the WPS
 button on both sides, which would

50
00:03:28,440 --> 00:03:30,740
 open up WPS for a few seconds.

51
00:03:30,740 --> 00:03:34,520
 And that would allow an encrypted
 tunnel to be formed.

52
00:03:34,520 --> 00:03:36,880
 Now, once again, not going to get
 into mechanics of all this.

53
00:03:36,880 --> 00:03:43,180
 But the whole idea was for the access
 point to use this encrypted tunnel

54
00:03:43,180 --> 00:03:49,300
 to transfer the WPA or WPA2 passphrase
 down to that enrollee without

55
00:03:49,300 --> 00:03:52,260
 ever typing it in on the enrollee itself.

56
00:03:52,260 --> 00:03:55,380
 Now, there were some significant
 problems with this.

57
00:03:55,380 --> 00:04:00,680
 For one thing, WPS is not supported
 for WPA3 wireless LANs.

58
00:04:00,680 --> 00:04:04,100
 So if you want WPA3, can't do that.

59
00:04:04,100 --> 00:04:06,320
 That functionality is gone.

60
00:04:06,320 --> 00:04:10,860
 Also, the WPS PIN derived method of
 typing in that eight digit number

61
00:04:10,860 --> 00:04:13,020
 was actually proven crackable.

62
00:04:13,020 --> 00:04:16,540
 They proved that within an eight digit
 number like that, with not too

63
00:04:16,540 --> 00:04:18,620
 much effort, people could crack it.

64
00:04:18,620 --> 00:04:22,500
 And then they'd be able to access your
 wireless LAN, even though they're

65
00:04:22,500 --> 00:04:23,720
 not supposed to be there.

66
00:04:23,720 --> 00:04:26,540
 They're not authorized users
 of the wireless LAN.

67
00:04:26,540 --> 00:04:30,120
 And the problem with the push button
 method, where you push the button

68
00:04:30,120 --> 00:04:34,740
 down, is it made your wireless LAN available
 within a time window of about

69
00:04:34,740 --> 00:04:40,940
 two minutes for any nearby device that
 had WPS capability to join that

70
00:04:40,940 --> 00:04:44,780
 wireless LAN. And once again, we don't
 want everybody on our wireless

71
00:04:44,780 --> 00:04:48,400
 LAN. We only want authorized users.

72
00:04:48,400 --> 00:04:52,140
 And here's one of the biggest problems
 with some devices is what if we

73
00:04:52,140 --> 00:04:58,300
 had a device that had a radio in it,
 but it didn't have a WPS push button

74
00:04:58,300 --> 00:05:02,940
 and it had no screen and no way
 for you to enter the PIN?

75
00:05:02,940 --> 00:05:06,420
 Well, then how you couldn't use
 WPS on something like that.

76
00:05:06,420 --> 00:05:10,800
 And that sort of brings us to the problems
 of some of today's devices.

77
00:05:10,800 --> 00:05:14,520
 So number one, remember, the goal here
 is that we only want authorized

78
00:05:14,520 --> 00:05:18,020
 users and devices to gain access
 to the wireless LAN.

79
00:05:18,020 --> 00:05:20,960
 I mean, if you weren't concerned about
 that, you would just have an open

80
00:05:20,960 --> 00:05:24,300
 wireless LAN without any authentication
 or encryption whatsoever.

81
00:05:24,300 --> 00:05:27,700
 So the fact that you're using a
 pre-shared key or passphrase means you

82
00:05:27,700 --> 00:05:30,000
 only want authorized users on it.

83
00:05:30,000 --> 00:05:34,500
 But today, there's a lot of Wi-Fi devices
 that are what's called headless.

84
00:05:34,500 --> 00:05:37,840
 Headless meaning there's no management
 web UI, there's no command line

85
00:05:37,840 --> 00:05:42,920
 available, there's no way you can control
 anything about the Wi-Fi on

86
00:05:42,920 --> 00:05:47,420
 that device. For example, Wi-Fi video cameras
 and doorbells, smart appliances,

87
00:05:47,420 --> 00:05:49,420
 and smart light bulbs.

88
00:05:49,420 --> 00:05:54,020
 So how can we securely provide Wi-Fi credentials
 to these types of devices?

89
00:05:54,020 --> 00:05:59,040
 So here, we basically got sort of the
 same problem as we had that WPS

90
00:05:59,040 --> 00:06:00,600
 was designed to solve.

91
00:06:00,600 --> 00:06:04,400
 But at least with WPS, those client
 devices had a button you could press

92
00:06:04,400 --> 00:06:08,180
 or some tiny little screen or keyboard
 where you could type in the numbers.

93
00:06:08,180 --> 00:06:11,640
 Now we've got things like Wi-Fi enabled
 light bulbs that don't even have

94
00:06:11,640 --> 00:06:14,700
 that. So how do we get
 our Wi-Fi credentials?

95
00:06:14,700 --> 00:06:18,620
 In this case, our WPA3 credentials,
 because now we're looking at WPA3

96
00:06:18,620 --> 00:06:23,880
 to those devices so that they can do
 the whole SAE handshake and get that

97
00:06:23,880 --> 00:06:29,240
 done. And that's where Wi-Fi
 Easy Connect comes into play.

98
00:06:29,240 --> 00:06:36,860
 So Wi-Fi Easy Connect also defines
 some device roles, the configurator

99
00:06:36,860 --> 00:06:38,800
 and the enrollee.

100
00:06:38,800 --> 00:06:42,880
 Now one thing is different here, the
 enrollee, that's still the same thing

101
00:06:42,880 --> 00:06:44,860
 as previously, right?

102
00:06:44,860 --> 00:06:49,960
 Like your headless device, that Wi-Fi
 light bulb or that Wi-Fi thermostat

103
00:06:49,960 --> 00:06:52,960
 that doesn't have any button or anything
 you can press on it, but we still

104
00:06:52,960 --> 00:06:54,700
 need it to connect via Wi-Fi.

105
00:06:54,700 --> 00:06:55,680
 That's the enrollee.

106
00:06:55,680 --> 00:07:02,580
 However, with WPS, the registrar
 was the access point itself.

107
00:07:02,580 --> 00:07:05,720
 It participated in the WPS process.

108
00:07:05,720 --> 00:07:10,540
 Here in Wi-Fi Easy Connect, the configurator
 is going to be an intermediary

109
00:07:10,540 --> 00:07:16,280
 device such as your smartphone, such as
 your tablet that has already connected

110
00:07:16,280 --> 00:07:20,280
 to the wireless LAN, already knows what
 the credentials are because you

111
00:07:20,280 --> 00:07:22,620
 typed it into your tablet
 or your smartphone.

112
00:07:22,620 --> 00:07:26,280
 And now that device is going to turn
 around and send those credentials

113
00:07:26,280 --> 00:07:32,580
 to the light bulb or to the thermostat
 that is using Wi-Fi Easy Connect.

114
00:07:32,580 --> 00:07:37,640
 So what's happening here is between the
 configurator, which is, for example,

115
00:07:37,640 --> 00:07:43,360
 your smartphone, and you're establishing
 a mutually authenticated encrypted

116
00:07:43,360 --> 00:07:49,940
 channel using public key cryptography
 to deliver the WPA3 credentials.

117
00:07:49,940 --> 00:07:52,820
 And then once that light bulb has the
 credentials, it can disconnect from

118
00:07:52,820 --> 00:07:58,680
 you and then connect to the actual WPA3
 SAE wireless LAN using those credentials

119
00:07:58,680 --> 00:08:01,660
 that it learned from you,
 the configurator.

120
00:08:01,660 --> 00:08:04,880
 All right, so let's talk about
 how this actually works.

121
00:08:04,880 --> 00:08:07,620
 So Wi-Fi Easy Connect goes in phases.

122
00:08:07,620 --> 00:08:09,180
 And there's three phases here.

123
00:08:09,180 --> 00:08:12,660
 There's the bootstrap
 information exchange.

124
00:08:12,660 --> 00:08:15,840
 There's the device provisioning protocol.

125
00:08:15,840 --> 00:08:20,020
 And then after that, there's the normal
 802.11 connection to the BSS,

126
00:08:20,020 --> 00:08:25,380
 where that enrollee will just use WPA3
 SAE as normal to connect to the

127
00:08:25,380 --> 00:08:32,000
 Wi-Fi. So the bootstrap information exchange
 process, as we can see here,

128
00:08:32,000 --> 00:08:34,680
 it takes place before the device
 provisioning protocol.

129
00:08:34,680 --> 00:08:39,860
 And this is where the configurator, your
 phone, for example, your tablet,

130
00:08:39,860 --> 00:08:42,800
 learns of the enrollee's public key.

131
00:08:42,800 --> 00:08:44,560
 So this is a critical piece here.

132
00:08:44,560 --> 00:08:51,140
 So a device such as a light bulb or
 a thermostat or a video camera that

133
00:08:51,140 --> 00:08:57,260
 supports Wi-Fi Easy Connect comes
 pre-packaged right out of the box with

134
00:08:57,260 --> 00:09:00,760
 a hard-coded public and private key pair.

135
00:09:00,760 --> 00:09:03,720
 And that's going to be used
 in this step right here.

136
00:09:03,720 --> 00:09:10,080
 So the first step is we need to use
 some out-of-band mechanism,

137
00:09:10,080 --> 00:09:17,060
 out-of-band meaning not Wi-Fi, not 802.11 for
 the smartphone or the tablet, the

138
00:09:17,060 --> 00:09:24,080
 configurator, to retrieve that public
 key from the light bulb from the

139
00:09:24,080 --> 00:09:28,640
 thermostat. And that's what the bootstrap
 information exchange is used

140
00:09:28,640 --> 00:09:32,540
 for. Typically, we think of this
 as being used by QR codes.

141
00:09:32,540 --> 00:09:35,880
 A QR code, you know, on the outside
 of that light bulb, on the outside

142
00:09:35,880 --> 00:09:40,140
 of that thermostat, that QR code can
 actually encode within it the public

143
00:09:40,140 --> 00:09:45,820
 key of that device, of that enrollee,
 as well as its serial number, as

144
00:09:45,820 --> 00:09:48,780
 well as a couple other things that
 we'll look at in just a second.

145
00:09:48,780 --> 00:09:52,760
 So once that out-of-band bootstrap
 information exchange has happened,

146
00:09:52,760 --> 00:09:57,020
 where, for example, with your phone, you
 scan the QR code and you've gotten

147
00:09:57,020 --> 00:09:59,660
 that public key, or there's
 other ways to do here.

148
00:09:59,660 --> 00:10:02,780
 For example, with near-field
 communications, right?

149
00:10:02,780 --> 00:10:05,160
 This is like where you have your credit
 card and you go to the credit

150
00:10:05,160 --> 00:10:08,700
 card reader and instead of inserting
 it, you just sort of bring it close

151
00:10:08,700 --> 00:10:13,620
 to the credit card reader and it's able
 to, you know, using radio frequencies

152
00:10:13,620 --> 00:10:18,080
 extract from your credit card the information
 needs near-field communications.

153
00:10:18,080 --> 00:10:20,580
 You could even use Bluetooth
 Low Energy, right?

154
00:10:20,580 --> 00:10:26,680
 So Easy Connect doesn't really specify
 and define what protocol should

155
00:10:26,680 --> 00:10:30,540
 be used in the bootstrap
 information exchange.

156
00:10:30,540 --> 00:10:36,060
 Most commonly, it's QR codes, but anything
 outside of 802.11 Wi-Fi can

157
00:10:36,060 --> 00:10:40,660
 be used. The main point here is that
 we want to get that public key from

158
00:10:40,660 --> 00:10:44,140
 the enrollee into the configurator.

159
00:10:44,140 --> 00:10:49,040
 However you do that, most commonly QR
 codes, then you've done your bootstrap

160
00:10:49,040 --> 00:10:50,800
 information exchange.

161
00:10:50,800 --> 00:10:53,400
 Then you'll begin the device
 provisioning protocol.

162
00:10:53,400 --> 00:10:57,140
 So let's go a little bit more
 into that bootstrap phase.

163
00:10:57,140 --> 00:11:00,500
 Okay, so like it says, this allows headless
 clients, just think of that

164
00:11:00,500 --> 00:11:05,240
 light bulb, for example, to be able to
 offer their public key in an offline

165
00:11:05,240 --> 00:11:08,300
 channel to the configurator.

166
00:11:08,300 --> 00:11:10,600
 We've already talked about this.

167
00:11:10,600 --> 00:11:11,960
 There's nothing really new on here.

168
00:11:11,960 --> 00:11:14,440
 So, for example, here's a QR code.

169
00:11:14,440 --> 00:11:24,160
 There could be anything in that, but
 if that QR code was specifically

170
00:11:24,160 --> 00:11:29,000
 once the smartphone or the tablet has
 scanned that, now we move on to

171
00:11:29,000 --> 00:11:33,560
 the device provisioning protocol.

172
00:11:33,560 --> 00:11:36,540
 And the device provisioning protocol
 is going to happen in two stages,

173
00:11:36,540 --> 00:11:41,600
 two steps. There's going to be the authentication
 protocol, where we exchange

174
00:11:41,600 --> 00:11:47,220
 public keys between the phone, your
 configurator, and the enrollee, that

175
00:11:47,220 --> 00:11:50,980
 light bulb. We're going to create
 a secure encrypted tunnel.

176
00:11:50,980 --> 00:11:53,200
 So that's going to happen in
 the authentication protocol.

177
00:11:53,200 --> 00:11:56,880
 Then once that's done, then we go into
 the configuration protocol, where

178
00:11:56,880 --> 00:12:00,980
 the configurator actually says, okay,
 here's the SSID of the wireless

179
00:12:00,980 --> 00:12:02,640
 LAN you want to join.

180
00:12:02,640 --> 00:12:07,300
 Here's the WPA3 passphrase for
 that particular wireless LAN.

181
00:12:07,300 --> 00:12:09,060
 You're going to need that.

182
00:12:09,060 --> 00:12:11,860
 All right, so let's go
 through each stage.

183
00:12:11,860 --> 00:12:14,660
 First of all, starting with the device
 provisioning protocol authentication

184
00:12:14,660 --> 00:12:19,460
 stage. So notice a couple things here
 about the enrollee right off the

185
00:12:19,460 --> 00:12:24,000
 bat. Number one, this enrollee, as soon
 as you give it power, you know,

186
00:12:24,000 --> 00:12:27,420
 you screw in the light bulb, or maybe this
 is a little video camera, whatever

187
00:12:27,420 --> 00:12:32,600
 it is, it's automatically listening
 to some sort of Wi-Fi channel, most

188
00:12:32,600 --> 00:12:36,680
 commonly something in the 2.4 gigahertz
 band like channel one, six, or

189
00:12:36,680 --> 00:12:38,580
 11. So it's listening there.

190
00:12:38,580 --> 00:12:40,560
 And it's pre-programmed to do that.

191
00:12:40,560 --> 00:12:44,600
 So in this QR code, that's one of the
 other things that's in there, not

192
00:12:44,600 --> 00:12:48,280
 just the public key that's hard-coded
 into this guy, but also the channel

193
00:12:48,280 --> 00:12:50,060
 he's listening to.

194
00:12:50,060 --> 00:12:51,500
 Okay, so that's already there.

195
00:12:51,500 --> 00:12:54,040
 So you plug that guy
 in, he's ready to go.

196
00:12:54,040 --> 00:12:59,060
 Now, you whip out your tablet or your
 smartphone, and you connect to the

197
00:12:59,060 --> 00:13:03,720
 wireless LAN, the WPA3 wireless LAN,
 you find the SSID, you type in the

198
00:13:03,720 --> 00:13:07,500
 passphrase, go through the whole SAE
 process, and now you're securely

199
00:13:07,500 --> 00:13:12,040
 joined to it. So now that the configurator
 has those credentials, it's

200
00:13:12,040 --> 00:13:15,300
 going to be his job to give those
 credentials to the enrollee.

201
00:13:15,300 --> 00:13:16,640
 And here's how it's going to happen.

202
00:13:16,640 --> 00:13:18,740
 So step number one is
 the bootstrap phase.

203
00:13:18,740 --> 00:13:23,560
 So he turns his little camera eyeball
 onto that QR code, scans the QR

204
00:13:23,560 --> 00:13:27,000
 code, and retrieves from it those things
 we've talked about, the public

205
00:13:27,000 --> 00:13:31,200
 key, the channel that device is
 listening to, a few other things.

206
00:13:31,200 --> 00:13:35,080
 And like we said, this doesn't have to
 be a QR code scan, could do Bluetooth

207
00:13:35,080 --> 00:13:37,380
 Low Energy or other things as well.

208
00:13:37,380 --> 00:13:40,840
 So at that point, the bootstrap
 phase is done.

209
00:13:40,840 --> 00:13:44,420
 The configurator has retrieved
 the information he needs.

210
00:13:44,420 --> 00:13:50,260
 Now, at this point, the configurator
 will create an ephemeral public and

211
00:13:50,260 --> 00:13:51,840
 private key pair.

212
00:13:51,840 --> 00:13:53,840
 Okay, so just for this session.

213
00:13:53,840 --> 00:14:00,220
 Now this is important because if so once
 this is all done, this configurator

214
00:14:00,220 --> 00:14:03,540
 is going to go back to being connected
 to this access point.

215
00:14:03,540 --> 00:14:09,640
 So if the configurator ever scanned
 the QR code a second, third, fourth

216
00:14:09,640 --> 00:14:14,820
 time of this device, it would create
 a new public private key pair.

217
00:14:14,820 --> 00:14:19,660
 So this is only created so that the
 device provisioning protocol can do

218
00:14:19,660 --> 00:14:24,220
 its thing. And so he can securely transmit
 the Wi-Fi credentials to this

219
00:14:24,220 --> 00:14:29,960
 enrollee. Now the enrollee has a hard
 coded public private key pair in

220
00:14:29,960 --> 00:14:32,660
 there. Okay, so he's got that.

221
00:14:32,660 --> 00:14:37,120
 And like I said, the public key was transmitted
 or encoded, I should say,

222
00:14:37,120 --> 00:14:41,580
 in the QR code. All right, so now the
 configurator is going to set up

223
00:14:41,580 --> 00:14:46,620
 a Wi-Fi Direct point to point
 connection with this enrollee.

224
00:14:46,620 --> 00:14:53,420
 Now this is not a full fledged 802.11
 infrastructure mode Wi-Fi connection.

225
00:14:53,420 --> 00:14:56,960
 I don't know if you know anything about
 Wi-Fi Direct is kind of interesting.

226
00:14:56,960 --> 00:14:59,700
 You might want after this video is done,
 you might just want to ChatGPT

227
00:14:59,700 --> 00:15:01,400
 that and see how it works.

228
00:15:01,400 --> 00:15:04,780
 But it's just it's a point to point connection
 that actually uses special

229
00:15:04,780 --> 00:15:11,620
 802.11 action frames called public action
 frames to do everything it needs

230
00:15:11,620 --> 00:15:15,780
 to do. So there's not going to be any
 802.11 data frames or beacons or

231
00:15:15,780 --> 00:15:19,740
 anything here. It's going to be an exchange
 of special action frames between

232
00:15:19,740 --> 00:15:22,000
 the configurator and the enrollee.

233
00:15:22,000 --> 00:15:25,940
 And this is all going to happen across
 the channel that the enrollee is

234
00:15:25,940 --> 00:15:34,920
 already listening to that's
 his own public key.

235
00:15:34,920 --> 00:15:40,840
 In this case, it's little a plus some data
 he has encrypted with the enrollee's

236
00:15:40,840 --> 00:15:44,600
 public key that he got when
 he scanned that QR code.

237
00:15:44,600 --> 00:15:49,940
 So once the enrollee gets that Wi-Fi
 Direct message with that stuff in

238
00:15:49,940 --> 00:15:57,580
 it, then he's going to derive his own
 ephemeral public private key pair.

239
00:15:57,580 --> 00:16:00,780
 So notice he's actually
 got two of them now.

240
00:16:00,780 --> 00:16:05,520
 He's got one that's always in there
 static embedded in the QR code.

241
00:16:05,520 --> 00:16:09,700
 But every time everybody tries to reach
 out to him over Wi-Fi Direct,

242
00:16:09,700 --> 00:16:14,400
 he's going to derive a unique fresh
 set of public private keys.

243
00:16:14,400 --> 00:16:18,740
 Once he's got that, now he's got everything
 he needs to derive a shared

244
00:16:18,740 --> 00:16:21,380
 session secret key.

245
00:16:21,380 --> 00:16:24,620
 He's got the public key
 of the configurator.

246
00:16:24,620 --> 00:16:29,820
 And the configurator has proven himself,
 he's authenticated himself to

247
00:16:29,820 --> 00:16:34,320
 the enrollee. He said, look, I'm authenticated
 to talk to you because

248
00:16:34,320 --> 00:16:37,220
 I know what your public key is.

249
00:16:37,220 --> 00:16:38,480
 How do I know it?

250
00:16:38,480 --> 00:16:41,900
 Because here's some data I encrypted
 with your public key.

251
00:16:41,900 --> 00:16:45,360
 And the enrollee can decrypt
 that with his private key.

252
00:16:45,360 --> 00:16:48,840
 So he says, okay, this clearly must
 be somebody who has scanned my QR

253
00:16:48,840 --> 00:16:53,560
 code. So I will assume he is a
 trusted device I can listen to.

254
00:16:53,560 --> 00:16:59,420
 So with the configurator's public key
 with his own public key, he's able

255
00:16:59,420 --> 00:17:02,480
 to create a shared session key.

256
00:17:02,480 --> 00:17:07,520
 And now he sends a DPP authentication
 response back to the configurator.

257
00:17:07,520 --> 00:17:11,780
 He says, hey, here's my ephemeral public
 key that I created just right

258
00:17:11,780 --> 00:17:13,540
 now, just for you.

259
00:17:13,540 --> 00:17:18,340
 And then the configurator says
 a DPP authentication confirm.

260
00:17:18,340 --> 00:17:23,540
 So now everything after this point can
 go across an encrypted tunnel that

261
00:17:23,540 --> 00:17:29,800
 was created as a result of this
 Diffie-Hellman type key exchange with public

262
00:17:29,800 --> 00:17:31,920
 and private keys on both sides.

263
00:17:31,920 --> 00:17:35,440
 So now we're done with the
 DPP authentication stage.

264
00:17:35,440 --> 00:17:39,620
 Now we can get to the fun part with
 a configuration where we go into the

265
00:17:39,620 --> 00:17:45,220
 DPP configuration stage where simply
 the enrollee says, Hey, configurator,

266
00:17:45,220 --> 00:17:47,480
 who should I be talking to?

267
00:17:47,480 --> 00:17:48,500
 What's the SSID?

268
00:17:48,500 --> 00:17:51,780
 What's the WPA3 credentials
 I need to have?

269
00:17:51,780 --> 00:17:55,300
 So there it is. He sends a configuration
 request and the configuration,

270
00:17:55,300 --> 00:17:59,500
 the configurator responds
 back with the information.

271
00:17:59,500 --> 00:18:05,580
 Notice what's kind of interesting about
 this is that Wi-Fi Easy Connect

272
00:18:05,580 --> 00:18:11,200
 technically, the configurator could actually
 send him 802.1x credentials.

273
00:18:11,200 --> 00:18:15,960
 He could say, Hey, here's the, you know,
 we're doing 802.1x on this wireless

274
00:18:15,960 --> 00:18:19,000
 LAN. And you know, it's using a
 certain username and password.

275
00:18:19,000 --> 00:18:24,220
 So here you go, you can use that when
 you authenticate via 802.1x, or

276
00:18:24,220 --> 00:18:27,060
 we're using a digital certificate
 on the wireless LAN.

277
00:18:27,060 --> 00:18:29,960
 Here's one that you can use to
 connect to this wireless LAN.

278
00:18:29,960 --> 00:18:33,020
 So the configurator is going to give
 everything the enrollee needs to

279
00:18:33,020 --> 00:18:37,160
 connect. At that point, we're done with
 the device provisioning protocol.

280
00:18:37,160 --> 00:18:40,940
 So that Wi-Fi Direct connection
 can terminate.

281
00:18:40,940 --> 00:18:48,180
 There it goes. And now the enrollee
 can securely join via WPA3 SAE, the

282
00:18:48,180 --> 00:18:50,140
 wireless LAN that it wants to.

283
00:18:50,140 --> 00:18:54,240
 So some final thoughts
 about this protocol.

284
00:18:54,240 --> 00:18:57,980
 So once the provisioning completes, the
 enrollee just uses those delivered

285
00:18:57,980 --> 00:19:02,160
 credentials to join the wireless LAN,
 like anybody else would using the

286
00:19:02,160 --> 00:19:07,960
 SAE handshake. Like I said, this could
 also be used to deliver WPA3 enterprise

287
00:19:07,960 --> 00:19:10,240
 connections to that enrollee.

288
00:19:10,240 --> 00:19:12,420
 That's not widely implemented yet.

289
00:19:12,420 --> 00:19:18,020
 You'll probably be hard pressed to
 find enrollee devices that support

290
00:19:18,020 --> 00:19:23,780
 that. And this is a somewhat
 new technology.

291
00:19:23,780 --> 00:19:28,560
 So a lot of devices out there don't
 support Wi-Fi Easy Connect yet.

292
00:19:28,560 --> 00:19:31,660
 Now you might say, well, wait a second,
 I've got this Wi-Fi camera here

293
00:19:31,660 --> 00:19:36,720
 that I bought like eight years
 ago that's got a QR code on it.

294
00:19:36,720 --> 00:19:39,480
 And I can use that to
 connect to the Wi-Fi.

295
00:19:39,480 --> 00:19:44,580
 I just open up my video camera's
 special app on my phone.

296
00:19:44,580 --> 00:19:45,820
 I download this special app.

297
00:19:45,820 --> 00:19:47,300
 I scan the QR code.

298
00:19:47,300 --> 00:19:48,760
 Well, hold on a second.

299
00:19:48,760 --> 00:19:52,580
 If you're using a special app on your
 smartphone, that you have to open

300
00:19:52,580 --> 00:19:56,720
 up from the manufacturer of that camera
 so that you can scan that QR code,

301
00:19:56,720 --> 00:19:58,260
 that is not this.

302
00:19:58,260 --> 00:19:59,960
 That is not Wi-Fi Easy Connect.

303
00:19:59,960 --> 00:20:04,400
 That's some special proprietary mechanism
 that that manufacturer is using

304
00:20:04,400 --> 00:20:06,560
 to talk to their devices.

305
00:20:06,560 --> 00:20:10,780
 That however they're doing it, that's
 not going to work with your thermostat

306
00:20:10,780 --> 00:20:12,200
 or your light bulb.

307
00:20:12,200 --> 00:20:16,300
 So this was developed by the Wi-Fi Alliance
 to take away all those proprietary

308
00:20:16,300 --> 00:20:20,040
 mechanisms and make it
 much more streamlined.
