<div dir="auto">Hello Christopher,<div dir="auto"><br></div><div dir="auto">Not to rain on your parade or anything, but I would strongly recommend 802.1x with either user or machine authentication (certificates). The latter requires more effort with respect to PKI and MDM (optional).</div><div dir="auto"><br></div><div dir="auto">I'm yet to come across WiFi hardware that doesn't support it. Even consumer-grade hardware seems to support it nowadays (although how well, YMMV).</div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto">Kind Regards,</div><div dir="auto"><br></div><div dir="auto"><i>Dean Bergin</i>.</div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 13 Aug 2024, 21:38 Christopher Caston, <<a href="mailto:chris@caston.id.au">chris@caston.id.au</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hello PLUG,</div><div><br></div><div>I got the dreaded "my Wifi was hacked!" call from a small business yesterday. I was quite stern with them, saying that I needed a police report number before I would assist them and that the WiFi goes off and they run everything from ethernet from now on. In reality, I'm sure we all know what happened because their WPA password was leaked. It's always the weakest link.</div><div><br></div><div>It got me thinking that it's about time WiFi supported passkeys. I am not aware of any current implementations of this or anyone working on this. For anyone that has been really bolting down the security on their online accounts recently, it boggles the mind that we don't yet have passkeys for WiFi. They would be stored in the user's device such as a phone or laptop. 
<br><br>We start on the Rasp Pi with a minimum viable prototype with a CLI.<br>CLI-Based Minimal Viable Prototype: Device Discovery and Pairing<br><br>A CLI-based prototype will allow us to focus on the core functionalities without the complexities of a user interface.<br>Device Discovery and Pairing<br><br>Core Components:<br><br> Bluetooth or Wi-Fi Direct library: To detect nearby devices.<br> Key agreement protocol: To establish a shared secret.<br><br>Basic Flow:<br><br> Device initialization: Both devices start in a discovery mode.<br> Device discovery: One device broadcasts a discovery request.<br> Device response: The other device responds with its device information.<br> Pairing initiation: One device initiates a pairing request.<br> Key agreement: Both devices perform a key agreement protocol (e.g., Diffie-Hellman) to establish a shared secret.<br><br>CLI Commands:<br><br> discover: Initiates device discovery.<br> pair <device_id>: Initiates pairing with a specific device.<br><br>Example Output:<br><br>Device discovered: Device1 (address: XX:XX:XX:XX:XX:XX)<br>Pairing initiated with Device1<br>Pairing successful. Shared secret generated.<br><br>Code Structure (Python Example):<br><pre>
# Requires PyBluez (pip install pybluez) for the bluetooth module.
import bluetooth
import secrets


def discover_devices():
    """Scan for nearby Bluetooth devices and print their names and addresses."""
    print("Discovering devices...")
    nearby_devices = bluetooth.discover_devices(lookup_names=True)
    for addr, name in nearby_devices:
        print(f"Device: {name} ({addr})")


def pair_device(address):
    # Implement pairing logic using Bluetooth or Wi-Fi Direct
    # Generate a shared secret using a key agreement protocol
    # (placeholder: random bytes stand in for the key-agreement output)
    shared_secret = secrets.token_bytes(32)
    print(f"Paired with {address}. Shared secret generated.")
    return shared_secret


if __name__ == "__main__":
    while True:
        command = input("Enter command (discover, pair <address>, quit): ").strip()
        if command == "discover":
            discover_devices()
        elif command.startswith("pair"):
            parts = command.split()
            if len(parts) != 2:
                print("Usage: pair <address>")
                continue
            pair_device(parts[1])
        elif command == "quit":
            break
        else:
            print("Invalid command")
</pre></div><div><br></div><div>Any further suggestions?<br></div></div>
_______________________________________________<br>
PLUG discussion list: <a href="mailto:plug@plug.org.au" target="_blank" rel="noreferrer">plug@plug.org.au</a><br>
<a href="http://lists.plug.org.au/mailman/listinfo/plug" rel="noreferrer noreferrer" target="_blank">http://lists.plug.org.au/mailman/listinfo/plug</a><br>
Committee e-mail: <a href="mailto:committee@plug.org.au" target="_blank" rel="noreferrer">committee@plug.org.au</a><br>
PLUG Membership: <a href="http://www.plug.org.au/membership" rel="noreferrer noreferrer" target="_blank">http://www.plug.org.au/membership</a></blockquote></div>
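The key-agreement step of the quoted prototype, as an added example that is not code from Christopher's post or from PLUG: both devices exchange only public keys and derive the same pairing key, replacing the random-bytes placeholder in pair_device(). X25519 is implemented in pure Python from RFC 7748 so it runs on a Pi without extra packages; the Device and pair names and the transcript label are assumptions.

```python
# Added example, not code from Christopher's post: the pair step with a real key
# agreement. Pure-Python X25519 (RFC 7748) so it needs no packages on the Pi.
import hashlib
import secrets

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (486662 - 2) / 4, the Montgomery ladder constant
BASEPOINT = (9).to_bytes(32, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication on Curve25519 (RFC 7748 Montgomery ladder)."""
    k = (int.from_bytes(k, "little") & ~7 & ~(1 << 255)) | (1 << 254)  # clamp scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # drop the unused top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


class Device:
    """One side of the pairing, holding an ephemeral X25519 key pair (assumed name)."""
    def __init__(self):
        self.priv = secrets.token_bytes(32)
        self.pub = x25519(self.priv, BASEPOINT)  # the only value sent over the air

    def derive_pairing_key(self, peer_pub: bytes) -> bytes:
        shared = x25519(self.priv, peer_pub)
        if shared == bytes(32):  # low-order peer point: abort rather than use a zero key
            raise ValueError("invalid peer public key")
        # Bind the key to both public values so the two sides cannot be mixed and matched.
        transcript = b"wifi-passkey-pairing" + b"".join(sorted((self.pub, peer_pub)))
        return hashlib.sha256(transcript + shared).digest()


def pair(initiator: Device, responder: Device):
    """Pairing exchange: each side receives only the other's public key."""
    return (initiator.derive_pairing_key(responder.pub),
            responder.derive_pairing_key(initiator.pub))
```

The exchange alone does not authenticate either side; the pairing key still needs to be confirmed out of band (for example by comparing a short code on both devices) before it is trusted.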