Merge branch 'docs/add_Chinese_translation_for_api-guides/wifi-security.rst' into 'master'

docs: provide CN translation for api-guides/wifi-security.rst

Closes DOC-5459

See merge request espressif/esp-idf!24211
Cai Xin Ying 2023-09-07 21:20:05 +08:00
commit b642987ff6
2 changed files with 160 additions and 32 deletions


@ -1,13 +1,16 @@
Wi-Fi Security
==============
:link_to_translation:`zh_CN:[中文]`
{IDF_TARGET_NAME} Wi-Fi Security Features
-----------------------------------------
- Support for Protected Management Frames (PMF)
- Support for WPA3-Personal
- Support for Opportunistic Wireless Encryption
- Support for Opportunistic Wireless Encryption (OWE)
In addition to traditional security methods (WEP/WPA-TKIP/WPA2-CCMP), {IDF_TARGET_NAME} Wi-Fi supports state-of-the-art security protocols, namely Protected Management, Wi-Fi Protected Access 3 and Enhanced Open based on Opportunistic Wireless Encryption. WPA3 provides better privacy and robustness against known attacks on traditional modes. Enhanced Open enhances security and privacy of users connecting to open (public) Wireless Network without authentication.
In addition to traditional security methods (WEP/WPA-TKIP/WPA2-CCMP), {IDF_TARGET_NAME} Wi-Fi supports state-of-the-art security protocols, namely Protected Management Frames (PMF), Wi-Fi Protected Access 3 and Enhanced Open based on Opportunistic Wireless Encryption. WPA3 provides better privacy and robustness against known attacks on traditional modes. Enhanced Open enhances the security and privacy of users connecting to open (public) Wireless Networks without authentication.
Protected Management Frames (PMF)
---------------------------------
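Review bot: the rewritten intro paragraph now expands "Protected Management Frames (PMF)" and the feature list expands "(OWE)", but "Wi-Fi Protected Access 3" is still introduced without "(WPA3)" even though the very next sentence uses the bare acronym; write "Wi-Fi Protected Access 3 (WPA3)" so the first use defines it, consistent with how PMF and OWE are handled in this hunk.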
@ -15,12 +18,14 @@ Protected Management Frames (PMF)
Introduction
++++++++++++
In Wi-Fi, management frames such as beacons, probes, (de)authentication, (dis)association are used by non-AP stations to scan and connect to an AP. Unlike data frames, these frames are sent unencrypted.
An attacker can use eavesdropping and packet injection to send spoofed (de)authentication/(dis)association frames at the right time, leading to attacks such as Denial-of-Service (DOS) and man-in-the-middle
In Wi-Fi, management frames such as beacons, probes, (de)authentication, and (dis)association are used by non-AP stations to scan and connect to an AP. Unlike data frames, these frames are sent unencrypted.
PMF provides protection against these attacks by encrypting unicast management frames and providing integrity checks for broadcast management frames. These include deauthentication, disassociation and robust management frames. It also provides Secure Association (SA) teardown mechanism to prevent spoofed association/authentication frames from disconnecting already connected clients.
An attacker can use eavesdropping and packet injection to send spoofed (de)authentication/(dis)association frames at the right time, leading to attacks such as Denial-of-Service (DOS) and man-in-the-middle.
PMF provides protection against these attacks by encrypting unicast management frames and providing integrity checks for broadcast management frames. These include deauthentication, disassociation, and robust management frames. It also provides a Secure Association (SA) teardown mechanism to prevent spoofed association/authentication frames from disconnecting already connected clients.
There are three types of PMF configuration modes on both the station and AP sides:
There are 3 types of PMF configuration modes on both station and AP side -
- PMF Optional
- PMF Required
- PMF Disabled
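Review bot: "Denial-of-Service (DOS)" in the rewritten attacker sentence keeps the old all-caps acronym; the usual form is "DoS", and the Chinese translation in this same merge writes "(DoS)", so change it to "Denial-of-Service (DoS)" to keep both versions aligned. The same sentence ends with "and man-in-the-middle." after "attacks such as", so "man-in-the-middle attacks" reads better as the second list item.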
@ -28,34 +33,36 @@ There are 3 types of PMF configuration modes on both station and AP side -
API & Usage
+++++++++++
{IDF_TARGET_NAME} supports PMF in both Station and SoftAP mode. For both, the default mode is PMF Optional. For even higher security, PMF required mode can be enabled by setting the ``required`` flag in `pmf_cfg` while using the :cpp:func:`esp_wifi_set_config` API. This will result in the device only connecting to a PMF enabled device and rejecting others. PMF optional can be disabled using :cpp:func:`esp_wifi_disable_pmf_config` API. If softAP is started in WPA3 or WPA2/WPA3 mixed mode trying to disable PMF will result in error.
{IDF_TARGET_NAME} supports PMF in both the station and SoftAP mode. For both, the default mode is PMF Optional. For even higher security, PMF Required mode can be enabled by setting the ``required`` flag in ``pmf_cfg`` while using the :cpp:func:`esp_wifi_set_config` API. This results in the device only connecting to a PMF-enabled device and rejecting others. PMF Optional can be disabled using :cpp:func:`esp_wifi_disable_pmf_config` API. If SoftAP is started in WPA3 or WPA2/WPA3 mixed mode, trying to disable PMF results in an error.
.. attention::
``capable`` flag in `pmf_cfg` is deprecated and set to true internally. This is to take the additional security benefit of PMF whenever possible.
``capable`` flag in ``pmf_cfg`` is deprecated and set to ``true`` internally. This is to take the additional security benefit of PMF whenever possible.
WiFi Enterprise
Wi-Fi Enterprise
---------------------------------
Introduction
++++++++++++
Enterprise security is the secure authentication mechanism for enterprise wireless networks. It uses RADIUS server for authentication of network users before connecting to the Access Point. The authentication process is based on 802.1X policy and comes with different Extended Authentication Protocol (EAP) methods such as TLS, TTLS, PEAP and EAP-FAST. RADIUS server authenticates the users based on their credentials (username and password), digital certificates or both.
Enterprise security is the secure authentication mechanism for enterprise wireless networks. It uses the RADIUS server for authentication of network users before connecting to the Access Point (AP). The authentication process is based on 802.1X policy and comes with different Extended Authentication Protocol (EAP) methods such as TLS, TTLS, PEAP, and EAP-FAST. RADIUS server authenticates the users based on their credentials (username and password), digital certificates, or both.
**{IDF_TARGET_NAME} supports WiFi Enterprise only in station mode.**
.. note::
{IDF_TARGET_NAME} Supports **WPA2-Enterprise** and **WPA3-Enterprise**. WPA3-Enterprise builds upon the foundation of WPA2-Enterprise with the additional requirement of using Protected Management Frames (PMF) and server certificate validation on all WPA3 connections. **WPA3-Enterprise also offers an addition secure mode using 192-bit minimum-strength security protocols and cryptographic tools to better protect sensitive data.** The 192-bit security mode offered by WPA3-Enterprise ensures the right combination of cryptographic tools are used and sets a consistent baseline of security within a WPA3 network. WPA3-Enterprise 192-bit mode is only supported by modules having :c:macro:`SOC_WIFI_GCMP_SUPPORT` support. Enable :ref:`CONFIG_ESP_WIFI_SUITE_B_192` flag to support WPA3-Enterprise with 192-bit mode.
{IDF_TARGET_NAME} supports Wi-Fi Enterprise only in station mode.
{IDF_TARGET_NAME} supports **WPA2-Enterprise** and **WPA3-Enterprise**. WPA3-Enterprise builds upon the foundation of WPA2-Enterprise with the additional requirement of using Protected Management Frames (PMF) and server certificate validation on all WPA3 connections. **WPA3-Enterprise also offers an additional secure mode using 192-bit minimum-strength security protocols and cryptographic tools to better protect sensitive data.** The 192-bit security mode offered by WPA3-Enterprise ensures the right combination of cryptographic tools is used and sets a consistent baseline of security within a WPA3 network. WPA3-Enterprise 192-bit mode is only supported by modules having :c:macro:`SOC_WIFI_GCMP_SUPPORT` support. Enable :ref:`CONFIG_ESP_WIFI_SUITE_B_192` flag to support WPA3-Enterprise with 192-bit mode.
{IDF_TARGET_NAME} supports the following EAP methods:
- EAP-TLS: This is a certificate-based method and only requires SSID and EAP-IDF.
- PEAP: This is a Protected EAP method. Username and password are mandatory.
- PEAP: This is a Protected EAP method. Usernames and passwords are mandatory.
- EAP-TTLS: This is a credential-based method. Only server authentication is mandatory while user authentication is optional. Username and Password are mandatory. It supports different Phase2 methods, such as:
- PAP: Password Authentication Protocol.
- CHAP: Challenge Handshake Authentication Protocol.
- MSCHAP and MSCHAP-V2.
- EAP-FAST: This is an authentication method based on Protected Access Credentials (PAC) which also uses identity and password. Currently, :ref:`CONFIG_ESP_WIFI_MBEDTLS_TLS_CLIENT` flag should be disabled to use this feature.
Example :example:`wifi/wifi_enterprise` demonstrates all the supported WiFi Enterprise methods except EAP-FAST. Please refer :example:`wifi/wifi_eap_fast` for EAP-FAST example. EAP method can be selected from the Example Configuration menu in ``idf.py menuconfig``. Refer to :idf_file:`examples/wifi/wifi_enterprise/README.md` for information on how to generate certificates and run the example.
Example :example:`wifi/wifi_enterprise` demonstrates all the supported Wi-Fi Enterprise methods except EAP-FAST. Please refer :example:`wifi/wifi_eap_fast` for the EAP-FAST example. EAP method can be selected from the Example Configuration menu in ``idf.py menuconfig``. Refer to :idf_file:`examples/wifi/wifi_enterprise/README.md` for information on how to generate certificates and run the example.
WPA3-Personal
-------------
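Review bot: "Please refer :example:`wifi/wifi_eap_fast` for the EAP-FAST example." is still missing "to" ("Please refer to ..."). In the EAP method list, the PEAP item was changed to "Usernames and passwords are mandatory." while the EAP-TTLS item a line below still reads "Username and Password are mandatory."; use one form in both (the singular, lower-case "Username and password are mandatory." matches the rest of the page). The EAP-FAST item's requirement that :ref:`CONFIG_ESP_WIFI_MBEDTLS_TLS_CLIENT` be disabled is untouched here and is the one line in this list with a configuration consequence, so it is worth a quick re-read when the translation is reviewed against it.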
@ -63,35 +70,35 @@ WPA3-Personal
Introduction
++++++++++++
Wi-Fi Protected Access-3 (WPA3) is a set of enhancements to Wi-Fi access security intended to replace the current WPA2 standard. It includes new features and capabilities that offer significantly better protection against different types of attacks. It improves upon WPA2-Personal in following ways:
Wi-Fi Protected Access-3 (WPA3) is a set of enhancements to Wi-Fi access security intended to replace the current WPA2 standard. It includes new features and capabilities that offer significantly better protection against different types of attacks. It improves upon WPA2-Personal in the following ways:
- WPA3 uses Simultaneous Authentication of Equals (SAE), which is password-authenticated key agreement method based on Diffie-Hellman key exchange. Unlike WPA2, the technology is resistant to offline-dictionary attack, where the attacker attempts to determine shared password based on captured 4-way handshake without any further network interaction.
- Disallows outdated protocols such as TKIP, which is susceptible to simple attacks like MIC key recovery attack.
- Mandates Protected Management Frames (PMF), which provides protection for unicast and multicast robust management frames which include Disassoc and Deauth frames. This means that the attacker cannot disrupt an established WPA3 session by sending forged Assoc frames to the AP or Deauth/Disassoc frames to the Station.
- Provides forward secrecy, which means the captured data cannot be decrypted even if password is compromised after data transmission.
- WPA3 uses Simultaneous Authentication of Equals (SAE), which is a password-authenticated key agreement method based on Diffie-Hellman key exchange. Unlike WPA2, the technology is resistant to offline-dictionary attacks, where the attacker attempts to determine a shared password based on a captured 4-way handshake without any further network interaction.
- Disallows outdated protocols such as TKIP, which is susceptible to simple attacks like MIC key recovery attacks.
- Mandates Protected Management Frames (PMF), which provides protection for unicast and multicast robust management frames which include Disassoc and Deauth frames. This means that the attacker cannot disrupt an established WPA3 session by sending forged Assoc frames to the AP or Deauth/Disassoc frames to the station.
- Provides forward secrecy, which means the captured data cannot be decrypted even if the password is compromised after data transmission.
**{IDF_TARGET_NAME} station also supports following additional Wi-Fi CERTIFIED WPA3™ features.**
{IDF_TARGET_NAME} station also supports following additional Wi-Fi CERTIFIED WPA3™ features:
- **Transition Disable** : WPA3 defines transition modes for client devices so that they can connect to a network even when some of the APs in that network do not support the strongest security mode. Client device implementations typically configure network profiles in a transition mode by default. However, such a client device could be subject to an active downgrade attack in which the attacker causes the client device to use a lower security mode in order to exploit a vulnerability with that mode. WPA3 has introduced the Transition Disable feature to mitigate such attacks, by enabling client devices to change from a transition mode to an “only” mode when connecting to a network, once that network indicates it fully supports the higher security mode. Enable :cpp:type:`transition_disable` in :cpp:type:`wifi_sta_config_t` to enable this feature for {IDF_TARGET_NAME} station.
- **SAE PUBLIC-KEY (PK)** : As the password at small public networks is shared with multiple users it may be relatively easy for an attacker to find out the password, which is sufficient to launch an evil twin attack. Such attacks are prevented by an extension to WPA3-Personal called SAE-PK. The SAE-PK authentication exchange is very similar to the regular SAE exchange, with the addition of a digital signature sent by the AP to the client device. The client device validates the public key asserted by the AP based on the password fingerprint, and verifies the signature using the public key. So even if the attacker knows the password, it does not know the private key to generate a valid signature, and therefore the client device is protected against an evil twin attack. Enable :ref:`CONFIG_ESP_WIFI_ENABLE_SAE_PK` and :cpp:type:`sae_pk_mode` in :cpp:type:`wifi_sta_config_t` to add support of SAE PK for {IDF_TARGET_NAME} station.
- **SAE PUBLIC-KEY (PK)** : As the password at small public networks is shared with multiple users, it may be relatively easy for an attacker to find out the password, which is sufficient to launch an evil twin attack. Such attacks are prevented by an extension to WPA3-Personal called SAE-PK. The SAE-PK authentication exchange is very similar to the regular SAE exchange, with the addition of a digital signature sent by the AP to the client device. The client device validates the public key asserted by the AP based on the password fingerprint and verifies the signature using the public key. So even if the attacker knows the password, it does not know the private key to generate a valid signature, and therefore the client device is protected against an evil twin attack. Enable :ref:`CONFIG_ESP_WIFI_ENABLE_SAE_PK` and :cpp:type:`sae_pk_mode` in :cpp:type:`wifi_sta_config_t` to add support of SAE PK for {IDF_TARGET_NAME} station.
- **SAE PWE Methods**: {IDF_TARGET_NAME} station as well as softAP supports SAE Password Element derivation method `Hunting And Pecking` and `Hash to Element (H2E)`. H2E is computationally efficient as it uses less iterations than Hunt and Peck, also it mitigates side channel attacks. These can be configured using parameter :cpp:type:`sae_pwe_h2e` from :cpp:type:`wifi_sta_config_t` and :cpp:type:`wifi_ap_config_t` for station and softAP respectively. Hunt and peck, H2E both can be enabled by using :cpp:enumerator:`WPA3_SAE_PWE_BOTH` configuration.
- **SAE PWE Methods**: {IDF_TARGET_NAME} station as well as SoftAP supports SAE Password Element derivation method `Hunting And Pecking` and `Hash to Element (H2E)`. H2E is computationally efficient as it uses fewer iterations than Hunt and Peck, and also it mitigates side-channel attacks. These can be configured using the parameter :cpp:type:`sae_pwe_h2e` from :cpp:type:`wifi_sta_config_t` and :cpp:type:`wifi_ap_config_t` for station and SoftAP respectively. Hunt and peck, H2E both can be enabled by using :cpp:enumerator:`WPA3_SAE_PWE_BOTH` configuration.
Please refer to `Security <https://www.wi-fi.org/discover-wi-fi/security>`_ section of Wi-Fi Alliance's official website for further details.
Please refer to the `Security <https://www.wi-fi.org/discover-wi-fi/security>`_ section of Wi-Fi Alliance's official website for further details.
Setting up WPA3 Personal with {IDF_TARGET_NAME}
+++++++++++++++++++++++++++++++++++++++++++++++
A config option :ref:`CONFIG_ESP_WIFI_ENABLE_WPA3_SAE` is provided to Enable/Disable WPA3 for station. By default it is kept enabled, if disabled {IDF_TARGET_NAME} will not be able to establish a WPA3 connection. Also under WI-FI component a config option :ref:`CONFIG_ESP_WIFI_SOFTAP_SAE_SUPPORT` is provided to Enable/Disable WPA3 for softAP. Additionally, since PMF is mandated by WPA3 protocol, PMF Mode Optional is set by default for station and softAP. PMF Required can be configured using WiFi config. For WPA3 softAP, PMF required is mandatory and will be configured and stored in NVS implicitly if not specified by user.
A configuration option :ref:`CONFIG_ESP_WIFI_ENABLE_WPA3_SAE` is provided to enable/disable WPA3 for the station. By default, it is kept enabled. If disabled, {IDF_TARGET_NAME} will not be able to establish a WPA3 connection. Also under the Wi-Fi component, a configuration option :ref:`CONFIG_ESP_WIFI_SOFTAP_SAE_SUPPORT` is provided to enable/disable WPA3 for SoftAP. Additionally, since PMF is mandated by WPA3 protocol, PMF Optional is set by default for station and SoftAP. PMF Required can be configured using Wi-Fi configuration. For WPA3 SoftAP, PMF Required is mandatory and will be configured and stored in NVS implicitly if not specified by the user.
Refer to `Protected Management Frames (PMF)`_ on how to set this mode.
After configuring all required settings for WPA3-Personal station, application developers need not worry about the underlying security mode of the AP. WPA3-Personal is now the highest supported protocol in terms of security, so it will be automatically selected for the connection whenever available. For example, if an AP is configured to be in WPA3 Transition Mode, where it will advertise as both WPA2 and WPA3 capable, Station will choose WPA3 for the connection with above settings.
Note that Wi-Fi stack size requirement will increase 3kB when "Enable WPA3-Personal" is used.
After configuring all required settings for the WPA3-Personal station, application developers need not worry about the underlying security mode of the AP. WPA3-Personal is now the highest supported protocol in terms of security, so it is automatically selected for the connection whenever available. For example, if an AP is configured to be in WPA3 Transition Mode, where it advertises as both WPA2 and WPA3 capable, the station chooses WPA3 for the connection with the above settings.
After configuring all required setting for WPA3-Personal softAP, application developers have to set ``WIFI_AUTH_WPA3_PSK`` for `authmode` in :cpp:type:`wifi_ap_config_t` to start AP in WPA3 security. SoftAP can be also configured to use ``WIFI_AUTH_WPA2_WPA3_PSK`` mixed mode.
Note that binary size will be increased by ~6.5 kilobytes after enabling ":ref:`CONFIG_ESP_WIFI_SOFTAP_SAE_SUPPORT`.
After configuring all required setting for WPA3-Personal SoftAP, application developers have to set ``WIFI_AUTH_WPA3_PSK`` for `authmode` in :cpp:type:`wifi_ap_config_t` to start AP in WPA3 security. SoftAP can be also configured to use ``WIFI_AUTH_WPA2_WPA3_PSK`` mixed mode.
Note that binary size will be increased by about 6.5 kilobytes after enabling :ref:`CONFIG_ESP_WIFI_SOFTAP_SAE_SUPPORT`.
Wi-Fi Enhanced Open™
--------------------
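Review bot: "After configuring all required setting for WPA3-Personal SoftAP" keeps the singular "setting" although the station paragraph just above was corrected to "settings" in this hunk. In the same sentence `authmode` is single-backticked while ``WIFI_AUTH_WPA3_PSK`` and ``WIFI_AUTH_WPA2_WPA3_PSK`` use double backticks; in reST single backticks are interpreted text, so the struct field should be ``authmode`` too. Two smaller points in the added lines: "station also supports following additional Wi-Fi CERTIFIED WPA3™ features" should be "supports the following", and "supports SAE Password Element derivation method `Hunting And Pecking` and `Hash to Element (H2E)`" names two methods, so "methods".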
@ -99,11 +106,14 @@ Wi-Fi Enhanced Open™
Introduction
++++++++++++
Enhanced open is used for providing security and privacy to users connecting to open (public) wireless networks, particularly in scenarios where user authentication is not desired or distribution of credentials impractical. Each user is provided with unique individual encryption keys that protect data exchange between a user device and the Wi-Fi network. Protected Management Frames further protects management traffic between the access point and user device. Enhanced Open is based on Opportunistic Wireless Encryption (OWE) standard. OWE Transition Mode enables a seamless transition from Open unencrypted WLANs to OWE WLANs without adversely impacting the end user experience.
Enhanced Open™ is used for providing security and privacy to users connecting to open (public) wireless networks, particularly in scenarios where user authentication is not desired or distribution of credentials impractical. Each user is provided with unique individual encryption keys that protect data exchange between a user device and the Wi-Fi network. Protected Management Frames further protect management traffic between the access point and the user device. Enhanced Open™ is based on the Opportunistic Wireless Encryption (OWE) standard. OWE Transition Mode enables a seamless transition from Open unencrypted WLANs to OWE WLANs without adversely impacting the end-user experience.
.. note::
{IDF_TARGET_NAME} supports Wi-Fi Enhanced Open™ only in station mode.
**{IDF_TARGET_NAME} supports WiFi Enhanced Open™ only in station mode.**
Setting up OWE with {IDF_TARGET_NAME}
++++++++++++++++++++++++++++++++++++++
A config option :ref:`CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_STA` and configuration parameter :cpp:type:`owe_enabled` in :cpp:type:`wifi_sta_config_t` is provided to enable OWE support for station. To use OWE transition mode, along with the config provided above, `authmode` from :cpp:type:`wifi_scan_threshold_t` should be set to `WIFI_AUTH_OPEN`.
A configuration option :ref:`CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_STA` and configuration parameter :cpp:type:`owe_enabled` in :cpp:type:`wifi_sta_config_t` is provided to enable OWE support for the station. To use OWE transition mode, along with the configuration provided above, `authmode` from :cpp:type:`wifi_scan_threshold_t` should be set to ``WIFI_AUTH_OPEN``.
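Review bot: "A configuration option :ref:`CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_STA` and configuration parameter :cpp:type:`owe_enabled` in :cpp:type:`wifi_sta_config_t` is provided" has a compound subject, so "are provided". ``WIFI_AUTH_OPEN`` was switched to double backticks in this hunk but `authmode` in the same sentence is still single-backticked; make it ``authmode`` for the same reason.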


@ -1 +1,119 @@
.. include:: ../../en/api-guides/wifi-security.rst
Wi-Fi 安全性
==============
:link_to_translation:`en:[English]`
{IDF_TARGET_NAME} Wi-Fi 安全功能
-----------------------------------------
- 支持受保护的管理帧 (PMF)
- 支持第三代 Wi-Fi 访问保护 (WPA3-Personal)
- 支持机会性无线加密 (OWE)
除传统安全方法 (WEP/WPA-TKIP/WPA2-CCMP) 外,{IDF_TARGET_NAME} Wi-Fi 还支持最先进的安全协议,即受保护的管理帧 (PMF)、第三代 Wi-Fi 访问保护和基于机会性无线加密技术的增强型开放式™ Wi-Fi 安全协议。WPA3 能更好地保护隐私,并在已知针对传统模式的攻击下具有更强的鲁棒性。增强型开放式™ Wi-Fi 安全协议可以在用户连接到无需认证的开放公共Wi-Fi 时,确保用户设备安全,并保护隐私。
受保护的管理帧 (PMF)
---------------------------------
简介
++++++++++++
Wi-Fi 网络中,非 AP 设备使用如信标、探测、(解)身份验证和(断)关联等管理帧,扫描并连接到 AP。不同于数据帧管理帧在传输时不会加密。
由此,攻击者可以利用窃听和数据包注入,在适当时机发送伪造的(解)身份验证或(断)关联管理帧,发起拒绝服务 (DoS) 和中间人攻击等攻击。
PMF 通过加密单播管理帧以及为广播管理帧提供完整性检查来应对上述解身份验证、解关联和鲁棒管理帧等攻击。此外PMF 还提供了安全关联 (SA) 拆除机制,防止伪造的关联或验证帧使已连接的客户端断开连接。
station 和 AP 支持三类 PMF 配置模式:
- 可选 PMF
- 强制 PMF
- 禁用 PMF
API 及用法
++++++++++++
在 station 模式和 SoftAP 模式下,{IDF_TARGET_NAME} 都支持 PMF两者均默认配置为可选 PMF。为了更高的安全性可以在使用 :cpp:func:`esp_wifi_set_config` API 时设置 ``pmf_cfg`` 中的 ``required`` 标志,启用强制 PMF 模式。启用后,设备将仅连接到启用了 PMF 的设备,并拒绝其他设备发起的连接。使用 :cpp:func:`esp_wifi_disable_pmf_config` API 可以禁用可选 PMF 配置模式。如果在 WPA3 或 WPA2/WPA3 混合模式下启动了 SoftAP 模式,尝试禁用 PMF 会导致错误。
.. attention::
为最大限度地利用 PMF 的额外安全性优势,已弃用 ``pmf_cfg`` 中的 ``capable`` 标志,并在内部设置为 ``true``
企业级 Wi-Fi
---------------------------------
简介
++++++++++++
企业级安全是企业无线网的安全认证机制,采用 RADIUS 服务器在设备接入到接入点 (AP) 前认证网络用户。该机制基于 802.1X 标准完成认证,并采用多种扩展认证协议 (EAP) 方法,如 TLS、TTLS、PEAP 和 EAP-FAST。RADIUS 服务器根据用户凭证(用户名和密码)、数字证书或两者的组合进行用户认证。
.. note::
{IDF_TARGET_NAME} 仅在 station 模式下支持企业级 Wi-Fi。
{IDF_TARGET_NAME} 支持 **企业级 WPA2****企业级 WPA3**。企业级 WPA3 构建在企业级 WPA2 的基础之上,并额外要求在所有 WPA3 连接中使用受保护的管理帧 (PMF) 和服务器证书验证。此外,**企业级 WPA3 还提供了一种更安全的模式,使用 192 位最低强度的安全协议和加密工具,更好地保护敏感数据**。企业级 WPA3 的 192 位模式可以确保用户正确使用密码工具组合,并在 WPA3 网络中设立了一致的安全基准。需要注意的是,只有支持 :c:macro:`SOC_WIFI_GCMP_SUPPORT` 的模组才支持企业级 WPA3 的 192 位模式。如需使用该模式,请启用 :ref:`CONFIG_ESP_WIFI_SUITE_B_192` 标志。
{IDF_TARGET_NAME} 支持以下 EAP 方法:
- EAP-TLS该认证方法基于证书实现仅需提供 SSID 和 EAP-IDF。
- PEAP该认证方法为受保护的 EAP 方法,必须提供用户名和密码。
- EAP-TTLS该认证方法基于凭证实现必须提供服务器证书用户证书为可选项。该方法支持多种第二阶段方法
- PAP密码认证协议
- CHAP挑战握手认证协议
- MSCHAP 和 MSCHAP-V2
- EAP-FAST该认证方法基于受保护访问凭证 (PAC) 实现,同时也使用身份和密码。目前,需禁用 :ref:`CONFIG_ESP_WIFI_MBEDTLS_TLS_CLIENT` 标志以使用此功能。
示例 :example:`wifi/wifi_enterprise` 展示了除 EAP-FAST 之外的所有支持的企业级 Wi-Fi 方法。有关 ESP-FAST 的示例,请参阅 :example:`wifi/wifi_eap_fast`。可以在 ``idf.py menuconfig`` 的示例配置菜单中选择 EAP 方法。请参阅 :idf_file:`examples/wifi/wifi_enterprise/README.md` 了解如何生成证书及如何运行示例。
个人级 WPA3
-------------
简介
++++++++++++
第三代 Wi-Fi 访问保护 (WPA3) 是一组强化的 Wi-Fi 接入安全性标准,旨在取代当前的 WPA2 标准。WPA3 包含了新的功能和属性,可以提供更显著的保护效果,应对不同类型的攻击。相比 WPA2-PersonalWPA 3-Personal 有以下改进:
- WPA3 使用对等实体同时验证 (SAE) 技术,这是一种基于 Diffie-Hellman 密钥交换的密码验证密钥协商方法。与 WPA2 不同SAE 技术能够抵抗离线字典攻击,即攻击者在无需进一步网络交互的情况下,尝试通过窃听的四次握手确定共享密钥。
- 禁用过时协议,如 TKIP 协议,该协议容易受到如 MIC 密钥恢复攻击等简单攻击。
- 强制使用受保护的管理帧 (PMF) 保护单播和组播鲁棒管理帧,包括 Disassoc 和 Deauth 帧。这意味着攻击者无法通过向 AP 发送伪造的 Assoc 帧或向 station 发送 Deauth/Disassoc 帧来中断已建立的 WPA3 会话。
- 提供前向保密功能,即使攻击者在数据传输后成功破解密码,也无法解密捕获的数据。
{IDF_TARGET_NAME} 的 station 模式还支持以下额外的 Wi-Fi CERTIFIED WPA3™ 功能:
- **禁用过渡**WPA3 为客户端定义了过渡模式。该模式下,即使网络中的某些 AP 不支持最强的安全模式客户端也能正常接入网络。客户端通常会默认将网络配置文件配置为过渡模式。然而这类客户端可能会遭受主动降级攻击即攻击者会引导客户端使用强度较低的安全模式以利用该模式的漏洞。为减轻这种攻击的影响WPA3 引入了禁用过渡功能。当连接到某个网络时,若该网络已全面支持更高级的安全模式,则支持客户端从过渡模式切换到“纯粹”模式。请在 :cpp:type:`wifi_sta_config_t` 中启用 :cpp:type:`transition_disable`,为 {IDF_TARGET_NAME} 的 station 模式启用此功能。
- **SAE 公钥 (PK)**:由于小型公共网络中的密码与多个用户共享,攻击者可能更容易破解密码,发动伪装双子攻击。为阻止这类攻击,个人级 WPA3 引入了 SAE-PK 扩展认证机制。SAE-PK 认证交换与常规 SAE 交换非常相似,唯一区别在于 AP 会向客户端发送数字签名。客户端基于密码指纹验证 AP 断言的公钥,并使用公钥验证签名。因此,即使攻击者知道密码,也不知道生成有效签名所需的私钥,避免客户端遭受伪装双子攻击。请启用 :ref:`CONFIG_ESP_WIFI_ENABLE_SAE_PK`,并在 :cpp:type:`wifi_sta_config_t` 中使用 :cpp:type:`sae_pk_mode` 进行相应配置,为 {IDF_TARGET_NAME} 的 station 模式添加 SAE PK 支持。
- **SAE PWE Methods**: {IDF_TARGET_NAME} 的 station 和 SoftAP 模式都支持 SAE 密码元素的推导方法 `Hunting And Pecking``Hash to Element (H2E)`。H2E 所需迭代次数较少,因此计算效率更高,还可以减轻侧通道攻击的风险。这些方法可以分别在 station 模式和 SoftAP 中通过参数 :cpp:type:`sae_pwe_h2e` 配置,其中 :cpp:type:`wifi_sta_config_t` 用于 station 模式,:cpp:type:`wifi_ap_config_t` 用于 SoftAP 模式。请使用配置选项 :cpp:enumerator:`WPA3_SAE_PWE_BOTH` 启用 `Hunting And Pecking``H2E` 方法。
请参阅 Wi-Fi 联盟官网的 `安全性 <https://www.wi-fi.org/discover-wi-fi/security>`_ 部分,了解更多详情。
在 {IDF_TARGET_NAME} 上设置 WPA3
++++++++++++++++++++++++++++++++++++++
配置选项 :ref:`CONFIG_ESP_WIFI_ENABLE_WPA3_SAE` 用于在 station 上启用或禁用 WPA3该选项默认启用如果禁用则 {IDF_TARGET_NAME} 无法建立 WPA3 连接。Wi-Fi 组件中还提供了配置选项 :ref:`CONFIG_ESP_WIFI_SOFTAP_SAE_SUPPORT`,用于在 SoftAP 上启用或禁用 WPA3。此外由于 WPA3 协议强制使用 PMF因此station 和 SoftAP 的 PMF 模式均默认为可选 PMF。可以使用 Wi-Fi 配置选项将 PMF 模式配置为强制 PMF。WPA3 SoftAP 仅支持使用强制 PMF 模式,如无特别指定,则将在 NVS 中隐式配置并存储该模式。
要了解如何设置 PMF 模式,请参阅 `受保护的管理帧 (PMF)`_
在为 WPA3-Personal station 配置完所需设置后,应用程序开发人员无需再对 AP 的底层安全模式进行操作。从安全性来看WPA3-Personal 是目前支持的最高级别协议,因此只要该协议可用,设备就会自动选择将该协议用于连接。例如,如果将 AP 配置为 WPA3 过渡模式,即同时支持 WPA2 和 WPA3station 将根据以上设置连接 WPA3。
在为 WPA3-Personal 的 SoftAP 模式配置完所需设置后,应用程序开发人员必须在 :cpp:type:`wifi_ap_config_t` 中的 `authmode` 设置 ``WIFI_AUTH_WPA3_PSK``,启动以 WPA3 安全模式运行的 AP。也可将 SoftAP 配置为使用 ``WIFI_AUTH_WPA2_WPA3_PSK`` 的混合模式。
注意,启用 :ref:`CONFIG_ESP_WIFI_SOFTAP_SAE_SUPPORT` 时,二进制文件大小将增加约 6.5 千字节。
增强型开放式™ Wi-Fi 安全协议
------------------------------
简介
++++++++++++
增强型开放式™ Wi-Fi 安全协议为连接到开放公共Wi-Fi 的用户提供更高的安全性和隐私保护,尤其适用于无需验证用户身份或无法分发凭证的场景。在此协议下,每位用户都可以获得独特的个人加密密钥,保障用户设备与 Wi-Fi 网络间的数据交换安全。同时,受保护的管理帧还进一步增强了接入点与用户设备之间管理流量的安全性。增强型开放式™ Wi-Fi 安全协议基于机会性无线加密 (OWE) 实现OWE 过渡模式可以从开放的未加密 WLAN 完美过渡到 OWE WLAN不会对终端用户体验造成不良影响。
.. note::
{IDF_TARGET_NAME} 仅在 station 模式下支持增强型开放式™ Wi-Fi 安全协议。
在 {IDF_TARGET_NAME} 上设置 OWE
++++++++++++++++++++++++++++++++++++++
配置选项 :ref:`CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_STA`:cpp:type:`wifi_sta_config_t` 中的配置参数 :cpp:type:`owe_enabled` 可以为 station 模式启用 OWE 支持。除上述配置外,请将 :cpp:type:`wifi_scan_threshold_t` 中的 `authmode` 设置为 ``WIFI_AUTH_OPEN`` 以使用 OWE 过渡模式。
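Review bot: "有关 ESP-FAST 的示例,请参阅 :example:`wifi/wifi_eap_fast`" should say "EAP-FAST", matching the English source ("for the EAP-FAST example") and the method name used elsewhere in this file. In the WPA3-Personal introduction, "WPA 3-Personal" has a stray space ("WPA3-Personal"). The bullet title "**SAE PWE Methods**" is the only bullet heading left in English while its neighbours ("**禁用过渡**", "**SAE 公钥 (PK)**") are translated. The heading "在 {IDF_TARGET_NAME} 上设置 WPA3" drops "Personal" from the English "Setting up WPA3 Personal with {IDF_TARGET_NAME}"; since that section is specifically about WPA3-Personal (as opposed to WPA3-Enterprise above it), keeping the qualifier avoids ambiguity.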