ComPass: Proximity Aware Common Passphrase Agreement Protocol for Wi-Fi devices Using Physical Layer Security

TL;DR

ComPass is a novel Wi-Fi device provisioning protocol that uses physical layer security, specifically phase information, to generate high-entropy, proximity-aware passphrases automatically, enhancing security over traditional user-chosen passwords.

Contribution

It introduces a proximity-aware, phase-based physical layer security protocol for Wi-Fi device provisioning that automatically generates high-entropy passphrases, improving security and scalability.

Findings

Generated passphrases have 3 times more entropy than human passwords.

ComPass binds devices within 3 meters, providing in-built proximity authentication.

The protocol is available as a kernel module or firmware.

Abstract

Secure and scalable device provisioning is a notorious challenge in Wi-Fi. WPA2/WPA3 solutions take user interaction and a strong passphrase for granted. However, the often weak passphrases are subject to guessing attacks. Notably, there has been a significant rise of cyberattacks on Wi-Fi home or small office networks during the COVID-19 pandemic. This paper addresses the device provisioning problem in Wi-Fi (personal mode) and proposes ComPass protocol to supplement WPA2/WPA3. ComPass replaces the pre-installed or user-selected passphrases with automatically generated ones. For this, ComPass employs Physical Layer Security and extracts credentials from common random physical layer parameters between devices. Two major features make ComPass unique and superior compared to previous proposals: First, it employs phase information (rather than amplitude or signal strength) to generate the passphrase so that it is robust, scaleable, and impossible to guess. Our analysis showed that ComPass generated passphrases have 3 times more entropy than human generated passphrases (113-bits vs. 34-bits). Second, ComPass selects parameters such that two devices bind only within a certain proximity (less than 3m), hence providing practically useful in-build PLS-based authentiation. ComPass is available as a kernel module or as full firmware.