WPA and WPA2 (Wi-Fi security tutorial - part 2)
WPA and WPA2 (Wi-Fi security tutorial - part 2)
WPA (or Wi-Fi Protected Access) is today the security standard in wireless networking that is rapidly replacing the older WEP (Wired Equivalency Privacy) standard. WPA and its younger sibling WPA2 are newer standards based on the IEEE 802.11i ratified amendment set out to improve some of the disadvantages of WEP.
This wireless security standard is playing today a vital role in the security of wireless networks.
This tutorial is a continuation from the first page: Wireless Wi-Fi network security tutorial 101 (part 1)
WPA Wi-Fi Protected Access (WPA & WPA2)
WPA builds upon WEP, making it more secure by adding extra security algorithms and mechanisms to fight intrusion. Perhaps the most important improvement over WEP is a dynamic security key exchange mechanism and much more improved authentication and encryption mechanisms.
WPA-802.1x and WPA-PSK
WPA comes in two flavors, that is WPA-802.1x and WPA-PSK. WPA-802.1x is a good choice for large businesses because it combines access point authentication with another layer of authentication through external authentication services. This means that after the authenticating user associates with the wireless access point, his or her credentials are also checked against a locally stored database or even external sources (for example RADIUS or Kerberos). Authentication servers also distribute security keys to individual users dynamically. WPA-PSK on the other hand is a solution for small businesses and homes which utilizes so-called Pre-Shared Key (PSK) which is technically (from the user perspective) similar to how security keys with WEP are implemented but in a more secure way (more about this in the TKIP section below).
The following table compares WPA-802.1x, WPA-PSK, and WEP in their suitability for large corporations or home and small business use:
Now let's take a look at the difference between WPA and WPA2.
WPA and WPA2
WAP is also better than WEP in its data encryption abilities. While WEP uses the same static security key for both encryption and decryption of all communication (the key never expires), WPA implements a mechanism involving a number of security keys. This is done through so-called Temporal Key Integrity Protocol (TKIP). This is a revolutionary improvement because even if the intrusor obtains one security key, he will not be able to use it for long. This system changes the security key used for data transmission every specified amount of time to prevent cracking attempts.
When we talk about security keys, we implicitly talk about a working mechanism of security keys. The TKIP mechanism shares a starting key between devices, but each device then changes its encryption key for the ongoing communication.
First, initial authentication is done using the Pre-Shared Key set in the wireless configuration (the key that is set at the access point and then distributed by the admin to clients). So far, the concept of WPA is the same like in WEP. However, once the initial authentication is completed, then another so-called Master Key is generated which is bound to the particular session between the access point and the client.
The Master Key is then further split into so-called Group Transient Key which secures multicast and broadcast messages sent by the access point to the clients, and to another security key called Pairwise Transient Key which secures the unicast messages sent from wireless clients to the access point.
Some wireless routers provide a function allowing the administrator to control how often the Group Transient Key is changed by the access point.
As you can see, this mechanism is principially quite hard to crack because even if the attacker captures some security key from the data flow, it is limited to a single session and can even expire within that session as well.
Encryption algorithm and security fundamentals
WPA employs the RC4 encryption mechanism which is the same like WEP, but WPA uses a longer security key, 128 bit in length (compared to 104 bit in WEP) and longer initialization vector, 48 bit in length (compared to 24 bit in WEP). This gives WPA more strength compared to WEP because a hacker would need to capture significantly more data packets in case of WPA when trying to perform so-called statistical attack.
Data integrity control
WPA also provides better data integrity control when compared to WEP. This prevents hackers from capturing existing data packets, modifying them, and then re-sending to the access point. In simple words, WPA includes a mechanism to determine whether a received packet has already been sent or not.
Encryption algorithms in WPA2
WPA2 compliments TKIP and the improved data integrity control algorithm with more secured encryption mechanism called Advanced Encryption Standard (AES) - Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). In other words, this means an improved encryption algorithm. Experts say that AES-CCMP is robust enough to be used for government data security purposes.
What are the disadvantages of WPA?
The disadvantage of WPA is that older wireless access points may need to have their firmware updated. Wireless clients' software also may need to be upgraded. For example, clients based on Windows XP effectively require either Service Pack 2 and some patches or the addition of the WPA client to their wireless configuration.
If the AES algorithm is your choice, then know that it requires special hardware support, so a firmware/driver update on an older router does not get AES to work. AES requires AES-enabled hardware. Even with simple WPA, encryption and decryption is slower for devices using software rather than dedicated WPA hardware support.
WPA-802.1x together with RADIUS is more complicated to set up than an average home user is willing to do.
WPA2 is known to cause significant CPU overhead because the AES cryptographic algorithm is simply more resources demanding than the RC4 algorithm.
In any case, since WPA adds to the packet size, transmission takes longer.
How can I implement WPA in my network?
You can find more about this on the next page: How to set up and configure WPA-PSK in Windows?
How else can I improve my security?
Wireless network security does not stop with the selection of the best standard. There are many other security steps that can be taken to further improve your network. See the third part of this tutorial: IPSec, VPN, architecture (wireless security tutorial - part 3)
Is WPA backwards compatible with WEP?
Yes, a wireless access point that is set up to use primarily WPA still can authenticate WEP clients at the same time. During the association, the access point determines which clients use WEP and which clients use WPA and behaves accordingly. However, supporting a mixture of WEP and WPA clients is problematic; therefore, it is suggested all clients are upgraded to WPA once it is determined that WPA security should be implemented at the access point.
Where can I find more details about WPA and WPA?
We suggest visiting the following link:
I have questions about WPA
In case you have any questions about WPA or WPA2, or wireless security in general, you are welcome to post your questions in our security discussion forum.
Link to the first page of this tutorial: Wireless Wi-Fi network security tutorial 101 (part 1)
Link to the third page of this tutorial: IPSec, VPN, architecture (wireless security tutorial - part 3)
Link to the fourth page of this tutorial: Secure your WLAN (wireless security tutorial - part 4)