Wireless Encryption

Evolution from WEP through WPA2/WPA3 encryption methods for securing wireless networks

  • Wireless networks are inherently insecure because radio signals can be intercepted by anyone within range
  • Encryption protects data in transit by scrambling it so only authorized devices with the correct key can decrypt it
  • All wireless networks should use encryption - open networks expose all traffic to eavesdropping
  • Modern wireless encryption operates at Layer 2 (Data Link) and encrypts frames between client and access point

Evolution of Wireless Security Standards

  • WEP (Wired Equivalent Privacy) - Original 802.11 security, now completely broken
  • WPA (Wi-Fi Protected Access) - Interim solution to replace WEP, uses TKIP encryption
  • WPA2 - Current standard using AES encryption, mandatory for Wi-Fi certification since 2006
  • WPA3 - Latest standard (2018) with enhanced security features and forward secrecy

  Protocol   Encryption   Key Length    Authentication   Status
  WEP        RC4          64/128-bit    Pre-shared key   Broken - avoid
  WPA        TKIP/RC4     128-bit       PSK or 802.1X    Deprecated
  WPA2       AES-CCMP     128-bit       PSK or 802.1X    Current standard
  WPA3       AES-GCMP     128/192-bit   SAE or 802.1X    Latest standard

WEP (Wired Equivalent Privacy)

  • Uses RC4 stream cipher with static keys that never change
  • Fundamentally flawed - can be cracked in minutes with freely available tools
  • Initialization Vector (IV) is only 24 bits, causing frequent reuse and predictable patterns
  • No message integrity checking, allowing packet injection attacks
  • For example, a busy network generates enough traffic to crack WEP in under 5 minutes

WPA/WPA2 Personal (Pre-Shared Key)

  • Uses a passphrase (8-63 characters) that’s converted into a 256-bit Pre-Shared Key (PSK)
  • The passphrase is combined with the network SSID (used as the salt) by the PBKDF2 function to produce the PSK, so the same passphrase yields a different key on each network
  • WPA uses TKIP (Temporal Key Integrity Protocol) - still uses RC4 but with rotating keys
  • WPA2 uses AES-CCMP (Counter Mode with CBC-MAC Protocol) - much stronger encryption
  • Each client gets unique encryption keys derived from the PSK (prevents client-to-client decryption)
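The PSK derivation described above, written out as an added example (not code from the original notes). It uses the PBKDF2-HMAC-SHA1 parameters that 802.11i specifies for personal mode (4096 iterations, 32-byte output); the passphrase and SSID values in the demo are constructed.

```python
import hashlib

# 802.11i parameters for turning a passphrase into the 256-bit PSK
PBKDF2_ITERATIONS = 4096
PSK_LENGTH = 32  # bytes


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PSK (which also serves as the PMK on a personal network).

    The SSID is the salt, so an identical passphrase produces a different key
    on every network and precomputed tables are only useful per SSID.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA/WPA2 passphrases must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PSK_LENGTH,
    )


def psk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PSK, as printed by tools such as wpa_passphrase."""
    return derive_psk(passphrase, ssid).hex()


if __name__ == "__main__":
    # Constructed inputs: one passphrase, two SSIDs -> two unrelated keys
    for ssid in ("HomeNet", "HomeNet-Guest"):
        print(f"{ssid:14} {psk_hex('correct horse battery staple', ssid)}")
```

The test vector "password" / "IEEE" from the 802.11i annex is a convenient check that an implementation matches what real access points compute.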

WPA/WPA2 Enterprise (802.1X)

  • Uses RADIUS server for centralized authentication instead of shared passphrase
  • Each user has individual credentials (username/password or certificates)
  • EAP (Extensible Authentication Protocol) handles the authentication process
  • Common EAP methods: EAP-TLS (certificates), PEAP-MSCHAPv2 (username/password)
  • Provides per-user and per-session encryption keys for maximum security
  • Used for corporate networks where individual user accountability is required

WPA3 Enhancements

  • SAE (Simultaneous Authentication of Equals) replaces PSK authentication
  • Provides forward secrecy - past traffic can’t be decrypted even if password is compromised
  • Protects against offline dictionary attacks on captured handshakes
  • WPA3-Personal: Enhanced Open for public networks, stronger password-based authentication
  • WPA3-Enterprise: 192-bit security suite for high-security environments

Key Management and Four-Way Handshake

  • WPA/WPA2 uses four-way handshake to establish encryption keys without transmitting them
  • Process derives session keys from master key without revealing the master key
  • PTK (Pairwise Transient Key) - unique encryption key for each client
  • GTK (Group Temporal Key) - shared key for broadcast/multicast traffic
  • Handshake also provides mutual authentication between client and access point
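The key derivation and integrity-check step of the WPA2-PSK handshake, as an added example rather than code from the original notes. It follows the 802.11i layout for the pairwise PRF (HMAC-SHA1, label "Pairwise key expansion") and the EAPOL-Key MIC for key descriptor version 2; the PMK, MAC addresses and nonces are constructed values, and the frame builder covers only the fields needed to place the MIC correctly.

```python
import hashlib
import hmac
import struct

MIC_OFFSET = 81  # byte offset of the 16-byte Key MIC field in an EAPOL-Key frame
NONCE_OFFSET = 17  # byte offset of the 32-byte Key Nonce field


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i) until length bytes."""
    out = b""
    i = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """CCMP PTK = KCK(16) || KEK(16) || TK(16), computed locally by both sides.

    Only the two nonces cross the air; the PMK and PTK are never transmitted.
    min/max ordering makes the result independent of which side computes it.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def split_ptk(ptk: bytes):
    return ptk[:16], ptk[16:32], ptk[32:48]  # KCK, KEK, TK


def build_eapol_key(key_info: int, replay_counter: int, nonce: bytes, key_data: bytes = b"") -> bytes:
    """Minimal EAPOL-Key (RSN descriptor) frame with the MIC field zeroed."""
    body = (
        bytes([2])                        # descriptor type 2 = RSN
        + struct.pack(">H", key_info)
        + struct.pack(">H", 16)           # key length for CCMP
        + struct.pack(">Q", replay_counter)
        + nonce                           # 32 bytes
        + bytes(16)                       # Key IV
        + bytes(8)                        # Key RSC
        + bytes(8)                        # reserved
        + bytes(16)                       # Key MIC, filled in by add_mic()
        + struct.pack(">H", len(key_data))
        + key_data
    )
    return bytes([2, 3]) + struct.pack(">H", len(body)) + body  # EAPOL v2, type 3 = Key


def compute_mic(kck: bytes, frame: bytes) -> bytes:
    """Descriptor version 2 MIC: HMAC-SHA1 over the frame with the MIC field zeroed, truncated."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def add_mic(kck: bytes, frame: bytes) -> bytes:
    return frame[:MIC_OFFSET] + compute_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def verify_mic(kck: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(compute_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])


def ap_accepts_message2(pmk_ap: bytes, pmk_client: bytes, aa: bytes, spa: bytes,
                        anonce: bytes, snonce: bytes) -> bool:
    """Simulate messages 1-2: the AP sends ANonce, the client answers with SNonce + MIC.

    The AP accepts only if its locally derived KCK verifies the MIC, which is how the
    handshake authenticates the client without the PMK ever being sent.
    """
    kck_client, _, _ = split_ptk(derive_ptk(pmk_client, aa, spa, anonce, snonce))
    msg2 = add_mic(kck_client, build_eapol_key(0x010A, 1, snonce))  # MIC | Pairwise | ver 2
    received_snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    kck_ap, _, _ = split_ptk(derive_ptk(pmk_ap, aa, spa, anonce, received_snonce))
    return verify_mic(kck_ap, msg2)


if __name__ == "__main__":
    # Constructed demo values (not real credentials or addresses)
    pmk = bytes.fromhex("00" * 31 + "01")
    aa, spa = bytes.fromhex("a0a1a2a3a4a5"), bytes.fromhex("b0b1b2b3b4b5")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    print("client with correct PMK accepted:", ap_accepts_message2(pmk, pmk, aa, spa, anonce, snonce))
    print("client with wrong PMK accepted:  ", ap_accepts_message2(pmk, bytes(32), aa, spa, anonce, snonce))
```

Because the PTK depends on both nonces, every association produces fresh keys from the same PMK; what it does not give is forward secrecy, since anyone holding the PMK who captured the nonces can recompute the PTK, which is the gap SAE closes in WPA3.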

Vocabulary

TKIP - Temporal Key Integrity Protocol; WPA encryption that adds key rotation to RC4
CCMP - Counter Mode with CBC-MAC Protocol; WPA2’s AES-based encryption method
PSK - Pre-Shared Key; 256-bit key derived from WPA/WPA2 passphrase
SAE - Simultaneous Authentication of Equals; WPA3’s password-based authentication
Forward Secrecy - Property where compromising current keys doesn’t expose past communications
PBKDF2 - Password-Based Key Derivation Function; converts passphrase into encryption key


Notes

  • Never use WEP - it provides no real security and gives a false sense of protection
  • WPA2-Personal is adequate for home/small business networks if a strong passphrase (20+ characters) is used
  • WPA2-Enterprise is recommended for corporate environments requiring user accountability
  • When configuring WPA2, ensure all devices support AES - mixed TKIP/AES modes are weaker
  • WPA3 is still being adopted - ensure client device compatibility before deployment
  • For guest networks, consider WPA3 Enhanced Open or captive portal with WPA2
  • Regular passphrase changes aren’t necessary with WPA2/WPA3 unless compromise is suspected
  • Monitor for deauthentication attacks which can force clients to reconnect and expose handshakes