7.22 Configure DPP for WFA Easy Connect
- The Device Provisioning Protocol (DPP) capability is introduced for WLAN APs. It improves the user experience of adding devices to a network and provisions them with stronger security. This functionality supports the Wi-Fi Alliance Easy Connect program for APs.
- In DPP, public keys are used to identify and authenticate all devices. The private key associated with a public key must be generated within each device and protected from disclosure. Devices use public key cryptographic techniques to authenticate peer devices and establish shared keys for further secure communications. This architecture simplifies the establishment of secure connectivity between devices and provides a foundation for improved usability in provisioning and connecting devices.
DPP capabilities
DPP offers the following salient benefits:
- Provides a standardized, consistent method for onboarding devices
- Simplifies provisioning through the use of QR codes and a user-chosen device (the Configurator) that manages network access
- Works for any Wi-Fi Easy Connect device, including those with little or no user interface, such as smart home and IoT products
- Uses public key cryptography for secure authentication
- Supports provisioning for WPA2 and WPA3 networks
- Enables the replacement of APs without the need to re-enroll all devices to the new AP
DPP device roles
- The DPP architecture defines the device roles during bootstrapping, authentication, provisioning (configuration) and connectivity (introduction). There are two pairs of roles: Configurator and Enrollee on the one hand, and Initiator and Responder on the other.
- A Configurator supports the setup of Enrollees. The Configurator and the Enrollee engage in DPP bootstrapping, the DPP Authentication protocol and the DPP Configuration protocol. Either Configurator or Enrollee may perform the role of Initiator in the DPP Bootstrapping protocol (for example in PKEX) and in the DPP Authentication protocol. However, only Enrollees initiate the DPP Configuration protocol and the DPP Introduction protocol.
- The DPP Authentication protocol requires the Initiator to have obtained the Responder's public bootstrapping key beforehand through a bootstrapping mechanism (for example by scanning the Responder's QR code). Optionally, both devices in the DPP Authentication protocol may obtain each other's bootstrapping keys in order to provide mutual authentication.
- After the authentication completes, the Configurator provisions the Enrollee for device-to-device communication or infrastructure communication. As part of this provisioning, the Configurator enables the Enrollee to establish secure associations with other peers in the network.
- Devices that have been configured by the Configurator are called Peers.
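To make the bootstrapping and authentication steps described above concrete, the following is an added example written for this page; it is not code from the vendor or from the Wi-Fi Alliance, and it uses only the Python standard library. It encodes a Responder's public bootstrapping key as a DPP URI of the kind a QR code carries, parses that URI on the Initiator side, computes the SHA-256 bootstrapping-key hashes that identify B_R and B_I in the Authentication Request, derives the first intermediate key k1 = HKDF(<>, "first intermediate key", M.x) on both sides, and shows how the Responder decides between one-way and mutual authentication depending on whether it already knows the Initiator's bootstrapping key. The channel and MAC attribute values, the private-key values and the textbook (non-constant-time) curve arithmetic are constructed for the demo; the rest of the handshake (nonces, wrapped data, Authentication Response and Confirm) is deliberately not implemented.

```python
# Added example: DPP bootstrapping URI handling and the start of DPP
# Authentication (H(B_R), H(B_I), k1) in pure Python. Demo code only.
import base64
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (the curve every DPP device must support)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
# DER prefix of a SubjectPublicKeyInfo (id-ecPublicKey, prime256v1) carrying a
# 33-byte compressed point; DPP hashes and transports bootstrapping keys in it
SPKI_PREFIX = bytes.fromhex("3039301306072a8648ce3d020106082a8648ce3d030107032200")


def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (demo only: not constant-time)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def spki_der(point):
    """DER SubjectPublicKeyInfo with the point in compressed form."""
    x, y = point
    return SPKI_PREFIX + bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def point_from_spki(der):
    """Inverse of spki_der; P == 3 (mod 4), so the square root is one pow()."""
    if not der.startswith(SPKI_PREFIX):
        raise ValueError("unsupported key encoding")
    x = int.from_bytes(der[-32:], "big")
    y = pow((x * x * x + A * x + B) % P, (P + 1) // 4, P)
    return (x, y if (y & 1) == (der[-33] & 1) else P - y)


def bootstrap_key_hash(der):
    """H(B): SHA-256 over the DER SPKI, the key identifier sent in DPP frames."""
    return hashlib.sha256(der).digest()


def bootstrap_uri(point, channel="81/1", mac="0242ac110002"):
    """Encode bootstrapping info as a DPP URI (the QR code payload).
    Channel and MAC defaults are placeholder values for this demo."""
    key = base64.b64encode(spki_der(point)).decode()
    return f"DPP:C:{channel};M:{mac};K:{key};;"


def parse_bootstrap_uri(uri):
    """Parse a DPP URI into its attributes; K is returned as DER bytes."""
    if not uri.startswith("DPP:") or not uri.endswith(";;"):
        raise ValueError("not a DPP bootstrapping URI")
    attrs = dict(item.split(":", 1) for item in uri[4:-2].split(";"))
    attrs["K"] = base64.b64decode(attrs["K"])
    return attrs


def hkdf_sha256(salt, ikm, info, length=32):
    """HKDF-Extract/Expand with SHA-256; one Expand block covers 32 bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]


def initiator_auth_request(responder_uri, own_boot_der, proto_priv=None):
    """Initiator: take B_R from the scanned URI, pick an ephemeral protocol key
    p_I, derive k1 = HKDF(<>, "first intermediate key", M.x) with M = p_I*B_R,
    and assemble the identifiers carried in the Authentication Request."""
    b_r = point_from_spki(parse_bootstrap_uri(responder_uri)["K"])
    proto_priv = proto_priv or secrets.randbelow(N - 1) + 1
    m = ec_mul(proto_priv, b_r)
    return {"H_Br": bootstrap_key_hash(spki_der(b_r)),
            "H_Bi": bootstrap_key_hash(own_boot_der),
            "P_i": ec_mul(proto_priv, G),
            "k1": hkdf_sha256(b"", m[0].to_bytes(32, "big"), b"first intermediate key")}


def responder_handle_request(req, boot_priv, known_initiator_ders):
    """Responder: ignore requests not naming our bootstrapping key, derive the
    same k1 from M = b_R*P_I, and flag mutual authentication if H(B_I) is known."""
    own_der = spki_der(ec_mul(boot_priv, G))
    if not hmac.compare_digest(req["H_Br"], bootstrap_key_hash(own_der)):
        return None
    m = ec_mul(boot_priv, req["P_i"])
    mutual = any(hmac.compare_digest(req["H_Bi"], bootstrap_key_hash(d))
                 for d in known_initiator_ders)
    return {"k1": hkdf_sha256(b"", m[0].to_bytes(32, "big"), b"first intermediate key"),
            "mutual": mutual}
```

Running `responder_handle_request(initiator_auth_request(uri, i_der), r_priv, [i_der])` with the Responder's own private key yields the same `k1` the Initiator computed and `mutual=True`; passing an empty list of known Initiator keys still authenticates the Responder but reports `mutual=False`, and a request whose `H_Br` names a different key is ignored (`None`), which is exactly the filtering a Responder must do before spending any ECDH work on a frame.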
