When you configure a new wireless network, what encryption and authentication protocols and algorithms should you select? Should you use RC4, TKIP, or AES? If you want to use 802.1X, should you use PEAP or EAP-TLS?
The Wi-Fi Alliance is a non-profit organization that promotes wireless networking and aims to help with these questions. They provide the Wi-Fi Protected Access (WPA) industry certifications.
Today, there are three WPA versions:
- WPA (version 1)
When a wireless vendor wants WPA certification, its wireless hardware has to go through a testing process in authorized testing labs. When their hardware meets the criteria, they receive WPA certification.
WPA supports two authentication modes:
With personal mode, we use a pre-shared key. The pre-shared key is not used directly over the air. Instead, wireless clients and the AP use a four-way handshake that uses the pre-shared key as input to generate encryption keys. When this process is finished, the wireless client and AP can send encrypted frames to each other.
Enterprise mode uses 802.1X and an authentication server, usually a RADIUS server. WPA doesn’t specify a specific EAP method so you can use what works best for your scenario. All standard EAP methods like PEAP and EAP-TLS are supported.
The first wireless devices were certified for WPA (version 1) in 2003. WPA is the Wi-Fi Alliance’s answer to replace WEP with all its vulnerabilities. WEP uses RC4, which is an insecure algorithm.
There are far more secure encryption algorithms like AES, but the problem is that you need hardware support. Back then, most wireless clients and APs only supported RC4 in hardware. We needed a more secure software algorithm, without replacing hardware.
WPA uses Temporal Key Integrity Protocol (TKIP), which recycled some items from WEP; it still uses the RC4 algorithm. Some things are improved; for example, TKIP uses 256-bit keys instead of the 64 and 128-bit keys in WEP. If you are interested, the WPA key hierarchy lesson explains the keys in detail.
Unfortunately, WPA was doomed from the start. It was based on parts of the 802.11i standard, which was still a draft. It was good enough to replace WEP and use existing hardware, but in the long run, something else was needed.
WPA2 is the replacement for WPA and is based on the IEEE 802.11i (ratified) standard. Certification began in 2004, and from March 13, 2006, it was mandatory for all devices if you wanted to use the Wi-Fi trademark. The most significant upgrade is that WPA2 uses AES-CCMP encryption instead of the old RC4 encryption that WEP and WPA use.
For backward compatibility reasons, you can still use TKIP as a fallback mechanism for WPA clients.
WPA2 also introduced Wi-Fi Protected Setup (WPS). If you want to connect to a network that uses a pre-shared key, then you need to know the SSID and the pre-shared key.
With WPS, you only have to push a button or enter a PIN code, and your wireless client automatically configures the SSID and pre-shared key. WPS makes it easier for non-tech savvy users to configure a wireless network, especially when you use long, complex pre-shared keys. However, researchers discovered a vulnerability for WPS in 2011. An attack against WPS can brute force the WPS PIN in a few hours, which results in an exposed pre-shared key.
The Wi-Fi Alliance introduced WPA3 the next-generation replacement for WPA2, in 2018. WPA3 still uses AES but replaced CCMP with the Galois/Counter Mode Protocol (GCMP).
The key length for AES has increased. WPA3-personal still uses 128-bit AES, but optionally can use 192-bit. For WPA3-enterprise, it’s a requirement to use 192-bit keys.
WPA2 introduced Protected Management Frames (PMF), but it was optional. WPA3 makes it a requirement. PMF protects:
- Unicast management frames against eavesdropping and forging.
- Multicast management frames against forging.
There are also new features:
- Simultaneous Authentication of Equals (SAE): WPA and WPA2 use a four-way handshake for authentication, which is vulnerable to an offline attack. An attacker can capture the four-way handshake, and then perform an offline dictionary or brute force attack. In WPA3, clients authenticate with SAE instead of the four-way handshake. SAE is resistant to offline attacks.
- Forward secrecy: With WPA or WPA2, it’s possible to capture wireless traffic and decrypt it later once you have the pre-shared key. With WPA3, this is impossible. Because of forward secrecy, you can’t decrypt wireless traffic afterward, even if you have the pre-shared key.
- Opportunistic Wireless Encryption (OWE): This is a replacement for open authentication. With open authentication, you don’t have any encryption. OWE adds encryption. The idea is to use a Diffie-Hellman exchange and encrypt traffic between the wireless client and AP. The keys are different for each wireless client, so other clients can’t decrypt your traffic. There is still no authentication, so there is no protection against rogue APs.
- Device Provisioning Protocol (DPP): This is a replacement for the insecure WPS solution. Many low-end devices (like IoT devices) don’t have an interface you can use to configure a pre-shared key. Instead, they rely on a PC or smartphone to do the configuration for them. DPP allows you to authenticate devices using a QR code or NFC.