
SAE WPA3 encryption: WPA3-SAE authentication, WPA authentication mode and encryption mode

Date: 2023-05-04 11:59:08 Views: 273026 Author: 44

WPA3-SAE authentication

02/21/2019


WPA3-SAE, also known as WPA3-Personal, is supported in Windows with WDI version 1.1.8 and later. Frame content generation and parsing for SAE (Secure Authentication of Equals) authentication is done within Windows, but the OS requires driver support for sending and receiving WPA3-SAE authentication frames.

WPA3-SAE capabilities

Miniport drivers indicate SAE support by doing the following:

Set SAE supported capability.

The driver sets the SAEAuthenticationSupported capability in WDI_TLV_INTERFACE_ATTRIBUTES during the call to OID_WDI_GET_ADAPTER_CAPABILITIES.

Set MFP capability.

The driver sets the MFPCapable capability in WDI_TLV_STATION_ATTRIBUTES during the call to OID_WDI_GET_ADAPTER_CAPABILITIES.

WPA3-SAE authentication flow

Connection initiation

SAE connections are initiated with OID_WDI_TASK_CONNECT or OID_WDI_TASK_ROAM. WDI specifies WDI_AUTH_ALGO_WPA3_SAE as the auth method when the driver is required to do SAE authentication. If WDI provides the PMKID in the BSS list in the Connect/Roam task, then the driver skips SAE authentication and performs Open Authentication instead, followed by a reassociation request with the PMKID.

Authentication flow

Initial request for SAE parameters

The driver first selects a BSS to which to connect or roam and, if WDI did not provide the PMKID for that BSS, the driver requests Commit parameters from WDI with NDIS_STATUS_WDI_INDICATION_SAE_AUTH_PARAMS_NEEDED. In this initial indication, the driver sets the indication type to WDI_SAE_INDICATION_TYPE_COMMIT_REQUEST_PARAMS_NEEDED. In response, WDI sends OID_WDI_SET_SAE_AUTH_PARAMS to the driver with one of the following options.

Send Commit request (WDI_SAE_REQUEST_TYPE_COMMIT_REQUEST)

Fail SAE authentication (WDI_SAE_REQUEST_TYPE_FAILURE)

Upon receiving a Commit response

On receiving a Commit response, the driver sends NDIS_STATUS_WDI_INDICATION_SAE_AUTH_PARAMS_NEEDED with the type set to WDI_SAE_INDICATION_TYPE_COMMIT_RESPONSE. In response, WDI sends OID_WDI_SET_SAE_AUTH_PARAMS with one of the following requests:

Send Commit request (WDI_SAE_REQUEST_TYPE_COMMIT_REQUEST)

Send Confirm request (WDI_SAE_REQUEST_TYPE_CONFIRM_REQUEST)

Fail SAE authentication (WDI_SAE_REQUEST_TYPE_FAILURE)

Upon receiving a Confirm response

On receiving a Confirm response, the driver sends NDIS_STATUS_WDI_INDICATION_SAE_AUTH_PARAMS_NEEDED with the type set to WDI_SAE_INDICATION_TYPE_CONFIRM_RESPONSE. WDI then sends OID_WDI_SET_SAE_AUTH_PARAMS with the SAE status field set to success or failure. If SAE authentication fails in the driver due to timeouts or other reasons, the driver sends an NDIS_STATUS_WDI_INDICATION_SAE_AUTH_PARAMS_NEEDED indication with the type set to WDI_SAE_INDICATION_TYPE_ERROR and the failure reason specified in WDI_TLV_SAE_STATUS.

Timeouts and retransmissions

These are handled by the driver.
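The request/indication pairing described in the authentication flow above can be checked on the driver side with a small fail-closed dispatcher. This is an added example, not code from the original page or from the WDK: the enum names abbreviate the identifiers on this page, their values are constructed, and REQ_STATUS_ONLY is a hypothetical stand-in for the final message that carries only the SAE status field. It assumes the AP answers every frame in time.

```c
#include <stdbool.h>

/* Local model: names abbreviate the WDI_SAE_INDICATION_TYPE_* and
 * WDI_SAE_REQUEST_TYPE_* identifiers on this page. Values are constructed
 * here and are not the WDK header values. REQ_STATUS_ONLY is a hypothetical
 * stand-in for the final "SAE status field" message. */
typedef enum { IND_COMMIT_REQUEST_PARAMS_NEEDED, IND_COMMIT_RESPONSE,
               IND_CONFIRM_RESPONSE } sae_ind;
typedef enum { REQ_COMMIT_REQUEST, REQ_CONFIRM_REQUEST, REQ_FAILURE,
               REQ_STATUS_ONLY } sae_req;
typedef enum { ACT_SEND_COMMIT, ACT_SEND_CONFIRM, ACT_ASSOCIATE,
               ACT_ABORT } sae_action;

/* What the driver does with an OID_WDI_SET_SAE_AUTH_PARAMS request, given the
 * last indication it raised. A request the page does not list as an answer
 * to that indication aborts the attempt (fail closed). */
sae_action sae_on_set_params(sae_ind last, sae_req req, bool status_ok)
{
    switch (last) {
    case IND_COMMIT_REQUEST_PARAMS_NEEDED:
        return req == REQ_COMMIT_REQUEST ? ACT_SEND_COMMIT : ACT_ABORT;
    case IND_COMMIT_RESPONSE:
        if (req == REQ_COMMIT_REQUEST)  return ACT_SEND_COMMIT;
        if (req == REQ_CONFIRM_REQUEST) return ACT_SEND_CONFIRM;
        return ACT_ABORT;
    case IND_CONFIRM_RESPONSE:
        return (req == REQ_STATUS_ONLY && status_ok) ? ACT_ASSOCIATE : ACT_ABORT;
    }
    return ACT_ABORT;
}

/* Replay a constructed sequence of WDI requests, assuming the AP answers every
 * frame in time. True only if the exchange ends with a successful status. */
bool sae_run(const sae_req *reqs, int n, bool status_ok)
{
    sae_ind last = IND_COMMIT_REQUEST_PARAMS_NEEDED;
    for (int i = 0; i < n; i++) {
        switch (sae_on_set_params(last, reqs[i], status_ok)) {
        case ACT_SEND_COMMIT:  last = IND_COMMIT_RESPONSE;  break;
        case ACT_SEND_CONFIRM: last = IND_CONFIRM_RESPONSE; break;
        case ACT_ASSOCIATE:    return true;
        case ACT_ABORT:        return false;
        }
    }
    return false; /* sequence ended before a success status arrived */
}
```

A Confirm request that arrives before any Commit has been sent, or a status message that arrives before the Confirm response, ends the attempt instead of advancing it.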

WPA3-SAE association

The device connects to an SAE network using one of the following options.

(Re)Association following SAE exchange

This is normally the first association attempt to an SAE network. The driver sets the SAE AKM in the RSN IE in the Association Request frame.

(Re)Association using PMKID

If WDI provided a PMKID for the BSS entry in the connect/roam task, then the driver does the following:

The driver performs an Open authentication followed by inclusion of the PMKID in the (Re)association request.

If the device does not receive a response from the AP within a short time, or if the AP returns an association error in the response, the driver skips SAE authentication with this AP and either moves to another AP, or falls back to doing full SAE authentication with this AP.
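The PMKID path and its fallback, modelled as an added example that is not part of the original page or of the WDK. The types, field names and the radio callback are hypothetical, the BSSIDs are constructed, and the policy shown (fall back to full SAE on the same AP first, then move to the next AP) is one of the two options the text allows.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Local model, not WDI structures: field and type names are hypothetical. */
typedef struct { const char *bssid; bool has_pmkid; } bss_entry;
typedef enum { PATH_NONE, PATH_PMKID, PATH_FULL_SAE } assoc_path;
typedef enum { RES_OK, RES_NO_RESPONSE, RES_ASSOC_ERROR } assoc_result;
typedef assoc_result (*try_fn)(const bss_entry *bss, assoc_path path);
typedef struct { int index; assoc_path path; int attempts; } connect_outcome;

/* Walk the BSS list. With a PMKID: Open authentication, then the PMKID in the
 * (Re)association request. If the AP stays silent or returns an association
 * error, run the full SAE exchange with the same AP, then try the next AP. */
connect_outcome sae_connect(const bss_entry *list, size_t n, try_fn try_assoc)
{
    connect_outcome out = { -1, PATH_NONE, 0 };
    for (size_t i = 0; i < n; i++) {
        assoc_path paths[2] = { PATH_PMKID, PATH_FULL_SAE };
        for (int p = list[i].has_pmkid ? 0 : 1; p < 2; p++) {
            out.attempts++;
            if (try_assoc(&list[i], paths[p]) == RES_OK) {
                out.index = (int)i;
                out.path = paths[p];
                return out;
            }
        }
    }
    return out; /* no AP accepted either path: the connect task fails */
}

/* Constructed radio stub: the AP ending in :02 never answers; every other AP
 * rejects the cached PMKID but completes a full SAE exchange. */
assoc_result demo_radio(const bss_entry *bss, assoc_path path)
{
    if (strcmp(bss->bssid, "02:00:00:00:00:02") == 0) return RES_NO_RESPONSE;
    if (path == PATH_PMKID) return RES_ASSOC_ERROR;
    return RES_OK;
}

/* Constructed scenario: a silent AP first, then an AP with a stale PMKID. */
connect_outcome demo_stale_pmkid(void)
{
    const bss_entry list[] = { { "02:00:00:00:00:02", false },
                               { "02:00:00:00:00:01", true } };
    return sae_connect(list, 2, demo_radio);
}
```

Open authentication appears only together with a PMKID in this model; when the PMKID is rejected, the only remaining path is the full SAE exchange.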

SAE connection completes once the SAE authentication/association is complete. As before, the driver sends the following indications on conclusion of the connect or roam task:

Error handling

Resending the SAE Commit request frame

If the driver needs to resend a Commit frame due to a timeout, it can either resend the original Scalar/Element values that were provided by WDI, or request a new set of Scalar/Element values from WDI with an NDIS_STATUS_WDI_INDICATION_SAE_AUTH_PARAMS_NEEDED indication.

Resending the SAE Confirm response frame

If the driver needs to resend a Confirm frame due to a timeout, it should request a new set of SendConfirm and Confirm values from WDI with an NDIS_STATUS_WDI_INDICATION_SAE_AUTH_PARAMS_NEEDED indication, setting the type to WDI_SAE_INDICATION_TYPE_CONFIRM_REQUEST_RESEND_REQUEST.
