device_provisioning

Introduction

The Device Provisioning Protocol (DPP) is the underlying protocol for the WiFi Alliance EasyConnect specification. It is intended as a more secure replacement for WPS while also allowing non-AP devices to share the network credentials. The credential sharing is secured and encrypted by ECDH and relies on the peer's public key being shared using some out-of-band mechanism (QR code, BLE, or NFC). As of release 1.21, IWD only supports DPP using QR codes (URI).

QR Codes

Saying IWD supports DPP with 'QR codes' is a bit of a misnomer as IWD itself has no camera library or the ability to make use of an image containing a QR code (though it can display one using iwctl). What IWD can do is generate a “URI” which can be represented by a QR code. The URI contains IWD's public bootstrapping key as well as some optional information for finding the IWD client over the wireless medium.
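Since the URI is what carries the bootstrapping key out-of-band, it is worth validating before handing it to a configurator or enrollee. The following is an added example, not code from IWD or from this page. It assumes the Wi-Fi Easy Connect URI layout (fields C, M, V and K, terminated by ";;") and a compressed P-256 key, and the sample URI is constructed.

```python
import base64
import hashlib
import re

# Assumed DER header: SubjectPublicKeyInfo, id-ecPublicKey on prime256v1,
# BIT STRING carrying a 33-byte compressed point (P-256 keys only).
P256_SPKI_PREFIX = bytes.fromhex(
    "3039301306072a8648ce3d020106082a8648ce3d030107032200")

# Constructed sample: placeholder bytes instead of a real key (no on-curve check).
SAMPLE_DER = P256_SPKI_PREFIX + b"\x02" + bytes(range(1, 33))
SAMPLE_URI = ("DPP:C:81/1;M:02aabbccddee;V:2;K:"
              + base64.b64encode(SAMPLE_DER).decode() + ";;")


def parse_dpp_uri(uri):
    """Validate a DPP bootstrapping URI and return its fields."""
    if not (uri.startswith("DPP:") and uri.endswith(";;")):
        raise ValueError("missing 'DPP:' prefix or ';;' terminator")
    fields = {}
    for item in uri[4:-2].split(";"):
        tag, sep, value = item.partition(":")
        if not tag or not sep or not value or tag in fields:
            raise ValueError("malformed or duplicate field: %r" % item)
        fields[tag] = value
    if "K" not in fields:
        raise ValueError("no bootstrapping key (K) present")
    # Strict base64: a truncated or retyped key fails here, not during DPP auth.
    der = base64.b64decode(fields["K"], validate=True)
    if (len(der) != 59 or not der.startswith(P256_SPKI_PREFIX)
            or der[26] not in (2, 3)):
        raise ValueError("K is not a compressed P-256 SubjectPublicKeyInfo")
    mac = fields.get("M")
    if mac is not None:
        if not re.fullmatch(r"[0-9A-Fa-f]{12}", mac):
            raise ValueError("M must be 12 hex digits")
        mac = ":".join(mac[i:i + 2] for i in range(0, 12, 2)).lower()
    channels, op_class = [], None
    for entry in filter(None, fields.get("C", "").split(",")):
        m = re.fullmatch(r"(?:(\d+)/)?(\d+)", entry)
        if m and m.group(1):
            op_class = int(m.group(1))  # later bare channels reuse this class
        if not m or op_class is None:
            raise ValueError("bad channel entry: %r" % entry)
        channels.append((op_class, int(m.group(2))))
    # Fingerprint of the key bytes, for comparing against the sending device.
    return {"mac": mac, "channels": channels, "version": fields.get("V"),
            "key_sha256": hashlib.sha256(der).hexdigest()}
```

Calling parse_dpp_uri(SAMPLE_URI) returns the MAC, the (operating class, channel) list, the version string and a SHA-256 fingerprint of the key. Any malformed input raises ValueError.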

Roles

DPP has two roles: Configurator and Enrollee. As you might have guessed, a Configurator has network credentials and is able to configure a device. An Enrollee needs credentials, and a Configurator must configure it to connect to a network.

Limitations

The main limitation isn't with IWD itself, but with finding other devices that support DPP. Currently Android supports being an Enrollee, which IWD can configure, but this is about the only all-in-one solution. IWD also supports being an Enrollee, but configuring it requires using wpa_supplicant/IWD directly. In addition, figuring out how to 'share' the QR codes becomes problematic since there is no end-to-end solution on Linux. You would be on your own taking a picture, decoding the image into a URI, and providing that to IWD/wpa_supplicant.

Dependencies

For actually displaying QR codes, iwctl has an optional dependency, qrencode. This utility generates QR codes from a URI/URL and can save or display them in a few ways. One way is using UTF-8 characters. The benefit of this is that they can be displayed in a terminal, and the results are quite good: cameras can read and decode the generated QR codes without trouble.

Sharing Credentials

Now for the fun part: using DPP to securely share network credentials. As noted above, this can only be done using an Android device with at least Android version 10.

We start by using iwctl. First, IWD must be connected to a network:

[iwd]# station <iface> connect <network>

Once connected, a configurator can be started:

[iwd]# dpp <iface> start-configurator

If qrencode is installed, you should see a QR code displayed after running start-configurator. On your Android handset, under the WiFi settings, you should see a small button resembling a QR code. Tapping it opens the camera, which you can point at the QR code IWD displayed. Within a few seconds the handset should take you back to the network list, and you should be connected to your network.

device_provisioning.txt · Last modified: 2022/03/10 17:41 by James Prestwood