What Is WPA (WiFi Protected Access)? Features, Versions, and Importance

essidsolutions

WPA, short for WiFi protected access, is defined as a network security standard that is now mandatory for wireless networks to protect them via authentication and encryption, replacing the older Wired Equivalent Privacy (WEP) system. This article explains how WPA works and its three versions – WPA, WPA2, and WPA3.

What Is WPA?

WPA, short for WiFi-protected access, is a network security standard now mandatory for wireless networks to protect them via authentication and encryption, replacing the older Wired Equivalent Privacy (WEP) system.

WPA is a WiFi Alliance-developed security certification standard to safeguard wireless computer networks. It was formally adopted in 2003 and was designed to replace the wired equivalent privacy (WEP), which had many known security vulnerabilities. The WiFi Alliance intended to use WPA as an interim protocol before developing the more secure WiFi-protected access 2 (WPA2). The WiFi Alliance has since developed further generations, so there are now three: WPA, WPA2, and WPA3.

WPA requires that users input a password for authentication to ensure that the WiFi networks are protected. It supports authentication servers or remote authentication dial-in user service (RADIUS) servers. It also encrypts data better than WEP.

WPA was designed to be backward-compatible and doesn’t require upgrading the hardware. Users can add WPA to the hardware through firmware upgrades. Wireless computer networks that WPA protects have a pre-shared key and use the TKIP protocol. TKIP uses the RC4 cipher for encryption purposes.

WEP and its vulnerabilities

The Institute of Electrical and Electronics Engineers (IEEE) developed the wired equivalent privacy (WEP) encryption technology to offer wireless security to users of 802.11 wireless networks. The wireless data was transmitted over radio waves. WEP was used to prevent eavesdropping, prevent unauthorized access and protect data integrity. It used the RC4 stream cipher to encrypt data.

However, this encryption protocol was found to have serious security vulnerabilities. Experienced hackers could crack the WEP keys of a busy network within 15 minutes. Due to these vulnerabilities, this protocol was retired in 2004 and is no longer supported. The vulnerabilities of WEP could be attributed to:

  • Poor key management: In WEP, users were required to input the key into a wireless device associated with a wireless network to enable it. There were no mechanisms to renew these keys. If this key got compromised, changing it for every device would be tedious, and, in an enterprise environment, it would be almost impossible.
  • Unauthorized decryption and violation of data integrity: Once the hackers had the WEP key, they could decrypt data even after it was sent. Additionally, they could modify the data even in transit.
  • No access point authentication: In WEP, the network interface cards (NICs) can only authenticate access points, but there is no way for access points to authenticate the NICs. This enables hackers to reroute data to access points through alternate, unauthorized paths.

How WPA works

Organizations can apply the WPA standard in one of two modes, and they can use these modes in all three generations of WPA:

  1. WPA personal: It is also referred to as WPA pre-shared key (WPA-PSK). It is designed for use on small or home networks. Its system is simple to configure, and all users might want to use a passphrase. However, if a device gets compromised, all devices on the network should change their passwords.
  2. WPA enterprise: This mode is designed for medium or large networks and is also known as WPA-802.1x. Its system is more challenging to configure. Users must employ their personal identities to join the network through a RADIUS server. If a device is hacked, administrators may cancel its access independently of other devices.

WPA users may also face the following limitations:

  • Firmware manufactured before 2003 cannot be upgraded to support WPA.
  • It is incompatible with older operating systems such as Windows 95.
  • It is susceptible to security threats, including denial of service attacks.
  • WPA enterprise is relatively more challenging to set up and may require typical users to consult an expert, which may lead them to incur additional costs.

Features of WPA

The essential elements of WPA include the following:

1. Temporal Key Integrity Protocol (TKIP)

TKIP is an encryption protocol created by the WiFi Alliance and the IEEE 802.11i Task Group to replace WEP without the need to replace legacy hardware. It uses Rivest Cipher 4 (RC4), just like WEP, to encrypt data and was designed to overcome vulnerabilities in WEP.

TKIP employs a 128-bit shared temporary key between the wireless user and access points (AP). It distributes new temporary keys every 10,000 packets, enhancing the network’s security. It ensures that the same key is not re-used to encrypt data by frequently processing changes in the encryption keys.

2. Advanced Encryption Standard (AES)

AES encryption security protocol was introduced with WPA2. AES is a standard for symmetric key encryption that employs three block ciphers: AES-128, AES-192, and AES-256. In WiFi, it leverages 802.1X or pre-shared keys (PSK) to generate station keys for all devices.

In contrast to WEP and TKIP, AES is only compatible with the hardware that implements the AES standard. It provides a high level of security to clients, such as internet protocol security (IPSec). It is the preferred mode of encryption in wireless networks that contains confidential data.

3. Built-in authentication

Built-in authentication allows users access without the need for a password. In this mode, computers are authenticated against the RADIUS. The RADIUS IP and RADIUS keys are provided automatically. The RADIUS IP is the IP address of the RADIUS server, and the RADIUS key is the PSK for the RADIUS server. It is also referred to as machine authentication. 

Users can achieve this by using an extensible authentication protocol – transport layer security (EAP-TLS). Additionally, some RADIUS server options achieve machine authentication by using the protected extensible authentication protocol – Microsoft Challenge Handshake Authentication Protocol Version 2 (PEAP-MSCHAP v2), including the Windows network policy server (NPS).

4. Four-way handshake

A wireless client and an access point exchange messages during a four-way handshake to produce encryption keys. It offers a secure authentication technique for network-based data delivery. It was designed so that an AP and a wireless client can individually prove that they each know the PSK or the pairwise master key (PMK) without sending the key. It employs a PMK to encrypt data, but the PMK is not transported over the network. 
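The exchange described above can be traced in code. This is an added example, not part of the original article: it derives the PMK from a passphrase and SSID with PBKDF2-HMAC-SHA1, as WPA/WPA2 personal mode does, then shows each side proving that it knows the PMK through a MIC while only the nonces cross the network. The SSID, MAC addresses, passphrases and the short `msg2`/`msg3` byte strings are constructed stand-ins for real EAPOL-Key frames.

```python
import hashlib
import hmac
import os

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA/WPA2 personal: 256-bit PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    # 802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter, concatenated
    out, counter = b"", 0
    while len(out) < length:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:length]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    # Inputs are sorted so the AP and the client build the identical string
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)  # KCK | KEK | TK

def mic(ptk: bytes, frame: bytes) -> bytes:
    # Keyed with the KCK (first 16 bytes of the PTK); HMAC-SHA1 truncated to 128 bits
    return hmac.new(ptk[:16], frame, hashlib.sha1).digest()[:16]

def four_way_handshake(ap_passphrase, sta_passphrase, ssid="ExampleNet"):
    """Return the shared temporal key, or None if either MIC check fails."""
    ap_mac, sta_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    ap_pmk = derive_pmk(ap_passphrase, ssid)    # never leaves the AP
    sta_pmk = derive_pmk(sta_passphrase, ssid)  # never leaves the client
    anonce = os.urandom(32)                     # Message 1: AP -> client, ANonce
    snonce = os.urandom(32)
    sta_ptk = derive_ptk(sta_pmk, ap_mac, sta_mac, anonce, snonce)
    msg2 = b"msg2|" + snonce                    # Message 2: client -> AP, SNonce + MIC
    msg2_mic = mic(sta_ptk, msg2)
    ap_ptk = derive_ptk(ap_pmk, ap_mac, sta_mac, anonce, snonce)
    if not hmac.compare_digest(mic(ap_ptk, msg2), msg2_mic):
        return None                             # client does not hold the same PMK
    msg3 = b"msg3|" + anonce                    # Message 3: AP -> client, MIC
    msg3_mic = mic(ap_ptk, msg3)
    if not hmac.compare_digest(mic(sta_ptk, msg3), msg3_mic):
        return None                             # AP does not hold the same PMK
    # Message 4 (the client's acknowledgement) is omitted; both sides install the TK
    return ap_ptk[32:48]

if __name__ == "__main__":
    print(four_way_handshake("correct horse battery", "correct horse battery").hex())
    print(four_way_handshake("correct horse battery", "wrong passphrase!"))
```

Because the nonces are fresh on every run, two handshakes with the same passphrase still produce different temporal keys.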

5. Message Integrity Check (MIC)

The message integrity check is a security improvement for WEP encryption found on wireless networks. In WPA, it is used to prevent man-in-the-middle attacks. TKIP is employed to confirm the authenticity of packets in WPA. Additionally, a frame counter is used in WPA to avoid these attacks. 

MIC prevents attacks known as bit-flip attacks on encrypted packets. In bit-flip attacks, data is intercepted, altered slightly, and retransmitted. The receiver then accepts the re-transmitted message as a legitimate one. MIC adds a few bytes to each packet to make them tamper-proof and uses a hashing algorithm to prevent transit data modification. 
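The difference between an unkeyed checksum and a keyed MIC can be shown with a toy frame format. This is an added example, not from the original article: it encrypts with RC4 and compares a CRC-32 integrity value, as WEP used, with a keyed tag. The keyed tag here is truncated HMAC-SHA256 standing in for WPA's actual MIC algorithm, and the keys and payload are constructed.

```python
import hashlib
import hmac
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    # RC4 key scheduling followed by keystream XOR (same call encrypts and decrypts)
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")

def tag(payload: bytes, mic_key) -> bytes:
    # mic_key=None -> unkeyed CRC-32 (WEP-style ICV); otherwise a keyed 64-bit MIC
    if mic_key is None:
        return crc(payload)
    return hmac.new(mic_key, payload, hashlib.sha256).digest()[:8]

def seal(enc_key, payload, mic_key=None) -> bytes:
    return rc4(enc_key, payload + tag(payload, mic_key))

def receive(enc_key, frame, mic_key=None):
    """Return the payload if the integrity tag verifies, else None."""
    plain = rc4(enc_key, frame)
    n = 4 if mic_key is None else 8
    payload, got = plain[:-n], plain[-n:]
    return payload if hmac.compare_digest(got, tag(payload, mic_key)) else None

def altered_in_transit(frame: bytes, delta: bytes) -> bytes:
    # No key is involved: XOR passes through the stream cipher, and CRC-32 is affine,
    # so crc(p ^ d) = crc(p) ^ crc(d) ^ crc(zeros) and the ICV can be made to match.
    fix = xor(crc(delta), crc(bytes(len(delta))))
    return xor(frame, (delta + fix).ljust(len(frame), b"\x00"))

if __name__ == "__main__":
    key, mic_key, sent = b"constructed-key", b"constructed-mic", b"PAY 0010 TO ALICE"
    delta = xor(sent, b"PAY 9010 TO ALICE")
    print(receive(key, altered_in_transit(seal(key, sent), delta)))
    print(receive(key, altered_in_transit(seal(key, sent, mic_key), delta), mic_key))
```

The receiver accepts the altered frame when the tag is a CRC and rejects it when the tag depends on a key the sender and receiver share.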

WPA Versions

Since WPA emerged and evolved, there have been three versions of the technology. Let us look at these versions individually in more detail. 

1. WiFi Protected Access (WPA)

WPA is the first-generation security certification program. It is based on parts of the 802.11i standard. It was developed as an interim standard by the WiFi Alliance to replace the older WEP, which had many security vulnerabilities. It was adopted officially in 2003.

WPA is backward-compatible and was designed to be used with existing legacy hardware that used WEP. WPA-PSK employs 256-bit keys, which are significantly more secure than the 64-bit and 128-bit keys used by WEP. It safeguards information by securing it via encryption and requires authentication from the user. It dynamically allocates encryption keys, hence enhancing the security of the data encryption process. 

Some of the features and improvements introduced in WPA 1 are:

  • It employs a MIC to secure the header and the payload to guarantee that data is not altered during transit, enhancing integrity check value (ICV).
  • It guarantees centralized authentication mechanisms and dynamic key management by forcing users to log in using the 802.1X EAP framework.
  • A frame counter is included to deter replay threats.

It is nonetheless susceptible to attacks such as denial-of-service (DoS), Ohigashi-Morii, and Chopchop.

2. WiFi Protected Access 2 (WPA2)

WPA2 is the second-generation security certification program. It is based on the ratified IEEE 802.11i standard. Although certification of WPA2 started in 2004, the protocol was officially accepted in 2006 to replace WPA.

It is backward compatible with WPA-enabled wireless clients. WPA and WPA2 can be used interoperably on a router to enhance security. WPA2 uses AES encryption and introduces CCMP and TKIP encryption mechanisms.

Personal WPA uses a pre-shared key to check the initial credentials of users. WiFi-protected access 2 pre-shared key (WPA2-PSK) networks have one passphrase that is shared among all users. Enterprise WPA2 uses IEEE 802.1X and EAP as encryption protocols.

It is susceptible to specific cyber threats, including dictionary attacks and brute force attacks, although it has fewer vulnerabilities than its predecessor. Vendors frequently provide security patches for WPA2 to minimize vulnerabilities.

Non-tech-savvy users can easily connect to a WiFi network by pushing a button or entering a PIN code by taking advantage of the WiFi-protected setup (WPS) that comes with WPA2. The wireless client configures the service set identifier (SSID) and PSK automatically. An attack against WPS can brute-force the WPS pin within a few hours and expose the PSK.

Some of the features and improvements introduced in WPA2 are:

  • Unlike WEP and WPA, which used RC4 encryption, WPA2 uses AES-CCMP encryption protocols.
  • WPA2 resolves the penetration troubles its predecessor, WPA, had by using counter mode with cipher block chaining message authentication code protocol (CCMP) alongside TKIP.
  • It has improved authentication encryption with more robust default settings that promote solidity and adaptability.

3. WiFi Protected Access 3 (WPA3)

WPA3 is the third certification scheme for network security. The WiFi Alliance announced it in June 2018, and it was set to become mandatory for WiFi-certified implementations in July 2020.

It offers improved security in comparison to its predecessors. While WPA3 also uses AES, it replaced CCMP with the Galois/counter mode protocol (GCMP). The key length for AES has increased. WPA3 personal uses 128- or 192-bit keys, whereas WPA3 enterprise uses 192-bit keys.

When sending cryptographic keys between routers and devices, it utilizes a 384-bit hashed message authentication mechanism. In addition, it contains additional features that improve WiFi security, provide higher cryptographic strength, and permit more rigorous authentication.

Some of the features and improvements introduced in WPA3 are:

  • It replaces WPS, which can easily be exploited, with the WiFi device provisioning protocol (DPP). With DPP, users can join a network without inputting passwords, using near-field communication (NFC) tags or QR codes to authenticate themselves.
  • Unlike WPA and WPA2, which use a handshake encryption protocol that is more vulnerable to offline attacks, WPA3 uses simultaneous authentication of equals (SAE) which is resistant to offline attacks.
  • It offers forward secrecy, which ensures that wireless traffic cannot be decrypted afterward, even with a PSK. In WPA and WPA2, wireless traffic can be captured and decrypted later with a PSK.
  • WPA3 makes protected management frames (PMF) mandatory, unlike WPA2, where it is optional. PMF covers multicast management frames against forging and unicast management frames against eavesdropping and forging.
  • It replaces open authentication with opportunistic wireless encryption (OWE). OWE ensures that traffic is encrypted between the wireless client and AP using a Diffie-Hellman exchange. Each wireless client uses different keys, thus ensuring that other clients can’t decrypt your traffic.
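The differences between the three versions translate into a short list of settings that can be checked on an access point. This is an added example, not from the original article: it audits a hostapd-style configuration for first-generation WPA, TKIP, WPS, optional PMF and PSK without SAE. The choice of hostapd is an assumption made for illustration, and both sample configurations are constructed.

```python
WEAK = """\
# constructed sample: mixed WPA/WPA2, TKIP allowed, WPS on, PMF unset
ssid=ExampleNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wps_state=2
"""

HARDENED = """\
# constructed sample: WPA3 personal only
ssid=ExampleNet
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2
wps_state=0
"""

def parse_conf(text: str) -> dict:
    # key=value lines; blank lines and '#' comments are skipped
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text: str) -> list:
    """Return findings for explicitly configured settings (defaults are not modelled)."""
    c = parse_conf(text)
    wpa = int(c.get("wpa", "0"))  # bit 0 = WPA, bit 1 = WPA2/WPA3 (RSN)
    key_mgmt = set(c.get("wpa_key_mgmt", "").split())
    ciphers = set((c.get("wpa_pairwise", "") + " " + c.get("rsn_pairwise", "")).split())
    findings = []
    if any(k.startswith("wep_key") for k in c):
        findings.append("WEP key configured")
    if wpa == 0:
        findings.append("no WPA/RSN enabled (open or WEP network)")
    if wpa & 1:
        findings.append("first-generation WPA enabled")
    if "TKIP" in ciphers:
        findings.append("TKIP (RC4) pairwise cipher allowed")
    if c.get("wps_state", "0") != "0":
        findings.append("WPS enabled")
    if c.get("ieee80211w", "0") != "2":
        findings.append("PMF not required")
    if "WPA-PSK" in key_mgmt and "SAE" not in key_mgmt:
        findings.append("PSK handshake without SAE")
    return findings
```

Calling `audit(WEAK)` returns five findings and `audit(HARDENED)` returns none.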

Importance of WPA

WPA’s most significant advantage is the high level of security that it enables for networks. There are five reasons why the technology is so important:

1. Improves wireless security

WPA provides users with solid and improved wireless security. WPA requires that users authenticate themselves before accessing wireless local area networks (WLANs). The TKIP algorithm in WPA performs MIC on payloads and headers on messages to ensure that data packets are authentic. Unlike its predecessor, WEP, it does not use a static key. WPA uses TKIP, which changes temporal keys after every 10,000 packets and distributes the keys, thus improving security. 

Additionally, WPA uses a four-way handshake encryption protocol that ensures that the wireless client and access point can identify each other without sending a key. This ensures that the received data doesn’t come from unauthorized paths. WPA implements a frame counter to discourage replay attacks. Large and small organizations can securely leverage WPA to send and receive sensitive data. They can use the AES encryption protocol on WPA2 to secure their networks.

2. Boosts productivity

Small business owners or home offices can leverage WPA personal to increase productivity. The WPA personal mode system is relatively easy to set up for a typical user. They can secure their networks using WPA protocols to ensure that their data traffic is not susceptible to attacks by intruders. Securely working remotely can ensure that users can keep up to date with their organizations, even at home.

It also creates a secure environment in which people like virtual assistants and freelancers can work remotely without fear of having their wireless traffic data compromised. If their passwords get compromised, they can change them easily. Large organizations can leverage WPA enterprise mode to secure their networks safely. With a secure wireless network, employees can work from any place within the organization and minimize crowding. They can securely send and receive confidential data. 

Additionally, they can use secure data to improve productivity by conducting webinars and making conference calls. If a machine is hacked, administrators may cancel its access without affecting the productivity of other devices.

3. Drives cost savings

It is essential for users only to access secure wireless networks. This ensures that their data, such as credit cards, remains private and secure. Hackers can steal user data from unsecured networks to make unauthorized purchases or commit crimes. Therefore, using a wireless network secured by WPA or its subsequent generations can enable users to realize cost savings on the amount they would have lost had their details been stolen. 

Large organizations can also achieve cost savings by using the WPA enterprise mode. This mode allows organizations to revoke access to a team member once they leave instead of changing the passphrase for all users, as in the WEP protocol. New employees can also be granted access and given their identification passphrase. This enables large organizations that use wireless networks to save on the cost they would have spent on an IT infrastructure expert and on the time and energy it would have taken to change passwords.

4. Supports marketing and brand improvement

WPA requires that users authenticate themselves before accessing WiFi networks. Businesses such as banks and other small companies can use this in their marketing strategies. Businesses that provide WiFi to their consumers can create an on-site authentication page that advertises their products. Customers must enter the pre-shared passcode on this page to access the WiFi network. 

This leads to increased sales and brand improvement as more consumers are aware of their products. Enterprises can also use this page to offer advertising services to other companies, leading to an additional income stream.

5. Attracts new customers

Businesses such as hotels and retail shops that depend on foot traffic for their sales can increase their competitive edge by offering their customers secure WiFi networks. Customers who use WiFi stay longer in hotels and restaurants and spend more money, boosting sales. Therefore, it may lead to improved customer engagement and customer retention rates.

Often, public WiFi systems are susceptible to sniffing attacks, and hackers can intercept sensitive data such as passwords and credit card details. Hotels and restaurants can offer a better alternative to open networks that require no authentication to increase their competitive edge by leveraging WPA protocols to secure their WiFi networks. Their customers can, therefore, feel more secure while accessing their data through their WiFi networks.

Takeaway

WiFi protected access or WPA is an essential technology in personal and enterprise network operations. All advanced connectivity systems today, including WiFi 6 mesh routers, embed the WPA standard as a must-have. Organizations must know how to leverage the technology, gain from its security benefits, and address any gaps through other cyber defenses. 
