[plug] Working group for WiFi passkey authentication

Christopher Caston chris at caston.id.au
Tue Aug 13 21:30:42 AWST 2024 

Hello PLUG,

I got the dreaded "my Wifi was hacked!" call from a small business
yesterday I was quite stern with them saying that I needed a police report
number before I would assist them and that the WiFi goes off and they run
everything from ethernet from now on. In reality I'm sure we all know what
happened because their WPA password was leaked. It's always the weakest
link.

It got me thinking that it's about time WiFi supported passkeys. I am not
aware of any current implementations of this or anyone working in this. For
anyone that has been really bolting down the security on their online
accounts recently it boggles the mind that we don't yet have passkeys for
WiFi. They would be stored in the users device such as phone or laptop.

We start on the Rasp Pi with a minimum viable protype with a CLI
CLI-Based Minimal Viable Prototype: Device Discovery and Pairing

A CLI-based prototype will allow us to focus on the core functionalities
without the complexities of a user interface.
Device Discovery and Pairing

Core Components:

    Bluetooth or Wi-Fi Direct library: To detect nearby devices.
    Key agreement protocol: To establish a shared secret.

Basic Flow:

    Device initialization: Both devices start in a discovery mode.
    Device discovery: One device broadcasts a discovery request.
    Device response: The other device responds with its device information.
    Pairing initiation: One device initiates a pairing request.
    Key agreement: Both devices perform a key agreement protocol (e.g.,
Diffie-Hellman) to establish a shared secret.

CLI Commands:

    discover: Initiates device discovery.
    pair <device_id>: Initiates pairing with a specific device.

Example Output:

Device discovered: Device1 (address: XX:XX:XX:XX:XX:XX)
Pairing initiated with Device1
Pairing successful. Shared secret generated.

Code Structure (Python Example):
Python

import bluetooth
import secrets

def discover_devices():
    print("Discovering devices...")
    nearby_devices = bluetooth.discover_devices(lookup_names=True)
    for addr, name in nearby_devices:
        print(f"Device: {name} ({addr})")

def pair_device(address):
    # Implement pairing logic using Bluetooth or Wi-Fi Direct
    # Generate a shared secret using a key agreement protocol
    shared_secret = secrets.token_bytes(32)
    print(f"Paired with {address}. Shared secret generated.")
    return shared_secret

if __name__ == "__main__":
    while True:
        command = input("Enter command (discover, pair <address>): ")
        if command == "discover":
            discover_devices()
        elif command.startswith("pair"):
            address = command.split(" ")[1]
            pair_device(address)
        else:
            print("Invalid command")

Any further suggestions?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20240813/d158339a/attachment.html>

More information about the plug mailing list