The Device Provisioning Protocol (DPP) is used to secure Wi-Fi networks. It is the backbone of the Wi-Fi Alliance's Easy Connect specification, designed to be a more secure alternative to the traditional Wi-Fi Protected Setup (WPS).
But DPP goes beyond just being secure: it also allows devices that are not access points (APs) to share network credentials.
With DPP, credential sharing is both secured and encrypted using the Elliptic-Curve Diffie-Hellman (ECDH) key agreement protocol. While this makes it significantly more secure, there is a catch:
The peers' public keys need to be shared using an out-of-band mechanism. What does that mean? Typically, you'd use a QR code, Bluetooth Low Energy (BLE), or Near-Field Communication (NFC) for this.
For instance, in the world of IWD (Intel Wireless Daemon), DPP is currently supported using QR codes. Your device generates a URI containing its public bootstrapping key, and this URI can then be rendered as a QR code.
You won't see IWD snapping a picture of a QR code itself, because it has no camera library. Instead, it can display a QR code using a tool like iwctl.
So, why QR codes? The QR code carries the URI with IWD's public bootstrapping key along with some optional details that help the peer find the IWD client over the wireless medium.
Here's a practical scenario: if you have an Android device running at least version 10, you can share your network credentials by scanning this QR code.
To give you a more vivid picture, suppose your IWD is connected to a network. You'd start the configurator on your IWD, which will then generate and display a QR code.
You'd pull out your Android phone, head to the WiFi settings, and tap the small QR code button to open the camera. Pointing it at the QR code on your IWD will connect you to the network within seconds. That’s DPP in action, making network credential sharing both easy and secure.
Let's get familiar with the key terms and concepts you'll encounter with the device provisioning protocol.
The Enrollee is simply the device that needs to be added to the network. Let’s say you just bought a new smart speaker. That smart speaker is your Enrollee. It's the device that's going to join your Wi-Fi.
The configurator is the device or service that already has access to the network and is responsible for onboarding other devices. This could be your smartphone or a dedicated network administrator tool.
This device helps authenticate and provision the enrollee with network credentials. It ensures that only trusted devices join the network.
The connector is a unique credential in the DPP world. Unlike traditional pre-shared keys (PSKs) or X.509 certificates, a connector is simpler but still offers robust security. It ties network access credentials to a specific physical device. So a connector is like a special handshake only your devices know how to perform.
Out-of-band mechanisms are ways to share public keys between devices over a channel other than the Wi-Fi medium itself, which is essential for establishing secure communication. Often, this is done using QR codes, NFC tags, or Bluetooth Low Energy (BLE).
For example, your router might display a QR code that you scan with your smartphone to share the network credentials securely.
ECDH is a cryptographic key agreement algorithm used to establish a secure connection. In simple terms, it ensures that the data shared between the enrollee and configurator is safe from prying eyes.
The DPP URI is a Uniform Resource Identifier (URI) containing important information like public bootstrapping keys. This URI can be turned into a QR code for easy scanning. If your smartphone displays a QR code containing the DPP URI, your new smart speaker can scan it and join the network without fuss.
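As an added example (not code from IWD, Easy Connect, or this post), here is a small Python builder and strict parser for the bootstrapping URI just described. It follows the Easy Connect URI layout: a `DPP:` prefix, semicolon-separated single-letter fields, and a `;;` terminator, where `K` carries the base64-encoded DER SubjectPublicKeyInfo of the public bootstrapping key, and the optional `C` (operating class/channel list) and `M` (MAC address) fields are the details that help a peer find the device over the air. The key bytes, channel list and MAC address used below are constructed sample values, not a real device's key, and limiting the accepted fields to C, M, I, V and K is this example's own choice.

```python
import base64
import re

# Layout of a DPP bootstrapping URI (Wi-Fi Easy Connect):
#   DPP:C:<opclass>/<channel>[,...];M:<mac>;I:<info>;V:<version>;K:<base64 SPKI>;;
# Only K (the DER SubjectPublicKeyInfo of the public bootstrapping key) is
# mandatory; C and M tell the peer where to look for this device over the air.
PREFIX = "DPP:"
TERMINATOR = ";;"
KNOWN_FIELDS = {"C", "M", "I", "V", "K"}   # this example rejects anything else

# DER AlgorithmIdentifier for id-ecPublicKey with the prime256v1 named curve.
P256_ALG_ID = bytes.fromhex("301306072a8648ce3d020106082a8648ce3d030107")

# Constructed sample point (compressed form, 0x02 prefix); NOT a real key.
SAMPLE_POINT = b"\x02" + bytes(range(1, 33))


def spki_from_point(point: bytes) -> bytes:
    """Wrap a 33-byte compressed or 65-byte uncompressed EC point in a
    SubjectPublicKeyInfo SEQUENCE. All lengths stay below 128, so the
    short single-byte DER length form is sufficient."""
    if len(point) not in (33, 65) or point[0] not in (2, 3, 4):
        raise ValueError("expected a 33- or 65-byte SEC1 point")
    bit_string = b"\x03" + bytes([len(point) + 1]) + b"\x00" + point
    body = P256_ALG_ID + bit_string
    return b"\x30" + bytes([len(body)]) + body


def point_from_spki(der: bytes) -> bytes:
    """Strict inverse of spki_from_point; rejects anything but a P-256 key."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("K is not a DER SEQUENCE")
    body = der[2:]
    if not body.startswith(P256_ALG_ID):
        raise ValueError("bootstrapping key is not a P-256 key")
    bits = body[len(P256_ALG_ID):]
    if len(bits) < 3 or bits[0] != 0x03 or bits[1] != len(bits) - 2 or bits[2] != 0:
        raise ValueError("malformed BIT STRING around the public key")
    point = bits[3:]
    if len(point) not in (33, 65) or point[0] not in (2, 3, 4):
        raise ValueError("malformed EC point")
    return point


def build_dpp_uri(point, channels=None, mac=None, info=None):
    """Assemble the URI; channels is a list of (operating class, channel)."""
    fields = []
    if channels:
        fields.append("C:" + ",".join(f"{oc}/{ch}" for oc, ch in channels))
    if mac:
        fields.append("M:" + mac.replace(":", "").lower())
    if info:
        if ";" in info:
            raise ValueError("info string may not contain ';'")
        fields.append("I:" + info)
    fields.append("K:" + base64.b64encode(spki_from_point(point)).decode("ascii"))
    return PREFIX + ";".join(fields) + TERMINATOR


def parse_dpp_uri(uri: str) -> dict:
    """Validate and decode a URI; raises ValueError on anything unexpected."""
    if not uri.startswith(PREFIX) or not uri.endswith(TERMINATOR):
        raise ValueError("not a DPP bootstrapping URI")
    fields = {}
    for item in uri[len(PREFIX):-len(TERMINATOR)].split(";"):
        key, sep, value = item.partition(":")   # values may themselves contain ':'
        if not sep or not value or key not in KNOWN_FIELDS or key in fields:
            raise ValueError(f"malformed, unknown or duplicate field {item!r}")
        fields[key] = value
    if "K" not in fields:
        raise ValueError("mandatory K field missing")
    result = {"point": point_from_spki(base64.b64decode(fields["K"], validate=True))}
    if "C" in fields:
        channels = []
        for entry in fields["C"].split(","):
            m = re.fullmatch(r"(\d{1,3})/(\d{1,3})", entry)
            if not m:
                raise ValueError(f"bad channel entry {entry!r}")
            channels.append((int(m[1]), int(m[2])))
        result["channels"] = channels
    if "M" in fields:
        if not re.fullmatch(r"[0-9a-fA-F]{12}", fields["M"]):
            raise ValueError("M must be 12 hex digits")
        result["mac"] = ":".join(fields["M"][i:i + 2] for i in range(0, 12, 2)).lower()
    if "I" in fields:
        result["info"] = fields["I"]
    if "V" in fields:
        result["version"] = int(fields["V"])
    return result


if __name__ == "__main__":
    uri = build_dpp_uri(SAMPLE_POINT, channels=[(81, 1)], mac="aa:bb:cc:dd:ee:ff")
    print(uri)
    print(parse_dpp_uri(uri))
```

The parser is intentionally strict: a scanned QR code is untrusted input, so every field is checked before the key bytes are handed to anything that would do curve arithmetic with them.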
One of the noteworthy attributes of DPP is its flexibility. For instance, an Android device running at least version 10 can use DPP to share Wi-Fi credentials by simply scanning a QR code.
So, you can generate a QR code on your IWD (Intel Wireless Daemon) connected to a network, then scan it with your Android phone. Just like that, you’re connected securely and quickly.
DPP is versatile. It works well for both small home networks with a single access point and large enterprise setups with multiple access points and centralized controllers. This flexibility means you can use DPP whether you’re just setting up a home network or managing a complex enterprise environment.
Understanding these terms and concepts will help you navigate the world of DPP with ease. It makes network authentication and provisioning secure, simple, and user-friendly.
The DPP procedure is designed to make getting devices onto your network as seamless and secure as possible. Let’s walk through it step-by-step, so you can see exactly how everything fits together.
We will use the example of a smart thermostat you just bought that needs to connect to your home Wi-Fi. The thermostat is the enrollee in this scenario.
Your smartphone, which is already connected to the Wi-Fi, takes on the role of the configurator. Your first task is to get these two devices talking to each other securely.
The configurator tool on your smartphone generates a unique DPP URI for your network. The URI includes your smartphone's public bootstrapping key. To make this easier, the URI is converted into a QR code, which your smartphone displays on its screen.
The smart thermostat, which is the enrollee, needs to get the URI. It could have a camera for scanning QR codes, an NFC reader, or even Bluetooth capabilities.
Let’s say the thermostat uses a QR code scanner. You navigate to the Wi-Fi settings on the thermostat and find the option to add a new network via a QR code. Point the thermostat's camera at the QR code on your smartphone so the thermostat can scan the code. That code contains the DPP URI and your smartphone's public bootstrapping key.
This is where ECDH, Elliptic-Curve Diffie-Hellman, comes into play. The thermostat and your smartphone use ECDH to establish a secure connection. Think of it as creating a private tunnel between the two devices. They use their public keys to generate a shared secret, making sure no one else can spy on the data being exchanged.
With the secure connection set up, your smartphone, acting as the Configurator, sends network credentials to the thermostat. But it doesn't just dump a plain password. Instead, it provides a Connector.
This credential ties the network access specifically to the thermostat. Only the thermostat will understand this special “handshake,” ensuring it’s the only device that can use these credentials.
Once the thermostat receives the connector, it can join the network. Your smartphone gets a notification that the provisioning process is complete. You check the thermostat, and voila, it's connected to your Wi-Fi network, ready to give you precise control of your home's temperature.
So, what is the practical implication of DPP on a corporate network?
Imagine you're an IT admin at a large company. You have dozens of devices, like printers and laptops, needing network access. With DPP, this becomes manageable. You'd use a centralized tool to generate DPP URIs for the entire fleet.
Employees then scan these with their devices, secure connections get established via ECDH, and each device gets its unique connector.
This whole process eliminates the need for sharing raw passwords. It keeps your network secure while making it easy for authorized devices to get connected. No more sticky notes with Wi-Fi passwords lying around, and no more unsecured entry points into your network.
So, whether you're provisioning a single smart home gadget or deploying dozens of devices in an enterprise setting, the DPP process makes it straightforward and secure.
DPP is a great tool, but like any technology, it's not without its risks. Let’s tackle those head-on and see how we can mitigate them.
An attacker intercepting the DPP URI when it's being transferred from the configurator to the enrollee could compromise your entire network.
The good news is that DPP uses Elliptic-Curve Diffie-Hellman (ECDH) to make this process secure. This means that even if someone gets hold of the public keys, they can’t create the shared secret required to infiltrate the network.
If someone unauthorized scans the QR code, they could gain access to your network. The solution? Ensure that QR codes are only displayed in secure environments.
For instance, don’t leave a QR code with your network credentials visible on a desk where anyone can see it. If you're an IT admin, consider using time-limited QR codes or display them only on secure devices that require authentication before showing the QR code.
What about the device you're using as the configurator? It needs to be secure. If your smartphone or the device you're using to configure the network gets compromised, then so does your whole network.
Always keep your configurator devices updated with the latest security patches. For a business scenario, use dedicated, secure devices for network configuration, and limit their use to trusted personnel only.
Also think about the integrity of the devices you're provisioning. Say you've got a new smart light bulb. If that bulb has some malware pre-installed, it doesn't matter how secure your DPP setup is: it's a threat.
Always source your devices from reputable manufacturers and perform regular security audits. In an enterprise setting, have a procurement policy that includes security checks and pre-deployment scans.
Consider the physical security of your network setup, too. If someone can physically access your router or other networking equipment, they could potentially bypass all these security measures.
Make sure your equipment is stored in secure, access-controlled environments. In a corporate setting, this could mean a locked server room with access logs.
Bugs can be like unlocked doors that attackers can exploit. Always keep your device firmware and software up-to-date. Look out for patches and updates from the manufacturers and apply them as soon as they are available.
Lastly, do not overlook user education. Make sure everyone who has access to network configuration tools understands the importance of keeping the process secure. Train them to recognize potential threats and follow best practices.
For example, ensure that they know not to leave QR codes unattended and to double-check device integrity before provisioning.
By acknowledging these risks and putting the right safeguards in place, you can make the most of DPP without compromising your network's security.
Netmaker can significantly enhance the security and management of networks using the Device Provisioning Protocol (DPP) by providing a robust virtual overlay network infrastructure. With Netmaker, organizations can create secure, flat networks that facilitate seamless and encrypted communication between devices, leveraging WireGuard's fast and simple encrypted tunnels. This secure networking solution can complement DPP's secure credential sharing by ensuring that even once devices are provisioned into the network, their communication remains protected and efficient.
Additionally, Netmaker's support for remote access gateways and clients can streamline the process of connecting new devices to a network. By using Netmaker's Remote Access Client (RAC), devices that require secure and quick access to network resources can be easily integrated without physical intervention, reducing the need for manual provisioning and QR code scanning. This feature is particularly useful for large-scale deployments where numerous devices need simultaneous provisioning. To get started with setting up a secure and efficient network using Netmaker, visit the signup page.