Wi

2024-07-11 14:11 | Source: compiled from the web

Protected Management Frames (PMF)

Introduction

In Wi-Fi, management frames such as beacons, probes, (de)authentication, (dis)association are used by non-AP stations to scan and connect to an AP. Unlike data frames, these frames are sent unencrypted. An attacker can use eavesdropping and packet injection to send spoofed (de)authentication/(dis)association frames at the right time, leading to the following attacks in case of unprotected management frame exchanges.

DoS attack on one or all clients in the range of the attacker.

Tearing down an existing association on the AP side by sending an association request.

Forcing a client to perform the 4-way handshake again, in case the PSK is compromised, in order to get the PTK.

Getting the SSID of a hidden network from an association request.

Launching a man-in-the-middle attack by forcing clients to deauthenticate from the legitimate AP and associate with a rogue one.

PMF provides protection against these attacks by encrypting unicast management frames and providing integrity checks for broadcast management frames. These include deauthentication, disassociation and robust management frames. It also provides a Secure Association (SA) teardown mechanism to prevent spoofed association/authentication frames from disconnecting already connected clients.

API & Usage

esp_wifi_set_config() can be used to configure the PMF mode by setting the appropriate flags in the pmf_cfg parameter. Currently, PMF is supported only in Station mode. When setting up a Station, configure PMF using the two flags capable and required, as shown below.

    wifi_config_t wifi_config = {
        .sta = {
            .ssid = EXAMPLE_WIFI_SSID,
            .password = EXAMPLE_WIFI_PASSWORD,
            .pmf_cfg = {
                .capable = true,   /* advertise PMF support */
                .required = false  /* still connect to APs without PMF */
            }
        }
    };

ESP32 supports three modes of PMF through combinations of these two flags:

PMF Optional : .capable = true, .required = false

PMF Required : .capable = true, .required = true

PMF Disabled : .capable = false, .required = false

Depending on the PMF mode on the AP side, the resulting connection will behave differently. The table below summarises all possible outcomes:

| STA Setting  | AP Setting            | Outcome                   |
|--------------|-----------------------|---------------------------|
| PMF Optional | PMF Optional/Required | Mgmt Frames Protected     |
| PMF Optional | PMF Disabled          | Mgmt Frames Not Protected |
| PMF Required | PMF Optional/Required | Mgmt Frames Protected     |
| PMF Required | PMF Disabled          | STA refuses Connection    |
| PMF Disabled | PMF Optional/Disabled | Mgmt Frames Not Protected |
| PMF Disabled | PMF Required          | AP refuses Connection     |

PMF Optional mode, which is shown in the wifi_config_t example, is the suggested setting for all Station configurations. It takes the additional security benefit of PMF whenever possible without breaking connections with legacy APs.
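The outcome table reduces to a short rule on the capable/required flags. The following added example (not code from the original page or from ESP-IDF) implements that rule and, going one step beyond the table, derives the AP's mode from the MFPC/MFPR bits of its RSN Capabilities field so an observed AP can be checked against a planned Station setting. The type and function names are hypothetical, and the capability values in main() are constructed samples.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for this example; these are not ESP-IDF types. */
typedef struct { bool capable; bool required; } pmf_mode_t;

typedef enum {
    PMF_PROTECTED,      /* Mgmt Frames Protected */
    PMF_NOT_PROTECTED,  /* Mgmt Frames Not Protected */
    PMF_STA_REFUSES,    /* STA refuses Connection */
    PMF_AP_REFUSES,     /* AP refuses Connection */
    PMF_INVALID_CONFIG  /* required without capable: none of the three modes */
} pmf_outcome_t;

/* RSN Capabilities field of the AP's RSN element (IEEE 802.11):
 * bit 6 = MFPR (protection required), bit 7 = MFPC (protection capable). */
#define RSN_CAP_MFPR (1u << 6)
#define RSN_CAP_MFPC (1u << 7)

pmf_mode_t pmf_mode_from_rsn_caps(uint16_t rsn_caps)
{
    pmf_mode_t m = { (rsn_caps & RSN_CAP_MFPC) != 0, (rsn_caps & RSN_CAP_MFPR) != 0 };
    return m;
}

/* Applies the rule behind the outcome table to one STA/AP pair. */
pmf_outcome_t pmf_outcome(pmf_mode_t sta, pmf_mode_t ap)
{
    if ((sta.required && !sta.capable) || (ap.required && !ap.capable))
        return PMF_INVALID_CONFIG;
    if (sta.required && !ap.capable) return PMF_STA_REFUSES;
    if (ap.required && !sta.capable) return PMF_AP_REFUSES;
    return (sta.capable && ap.capable) ? PMF_PROTECTED : PMF_NOT_PROTECTED;
}

int main(void)
{
    static const char *txt[] = { "protected", "NOT protected", "STA refuses",
                                 "AP refuses", "invalid config" };
    pmf_mode_t sta_optional = { true, false };   /* the suggested Station setting */
    uint16_t constructed_caps[] = { 0x0000, 0x0080, 0x00C0 }; /* constructed samples */
    for (int i = 0; i < 3; i++)
        printf("AP RSN caps 0x%04x -> %s\n", (unsigned)constructed_caps[i],
               txt[pmf_outcome(sta_optional, pmf_mode_from_rsn_caps(constructed_caps[i]))]);
    return 0;
}
```

With the Station in PMF Optional mode, the first constructed AP (no PMF bits set) yields an unprotected connection, which is the case to flag when auditing a deployment that expects management frame protection.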


