Basic Understanding About Wireless Encryption WEP, WPA and WPA2

Posted by Suraj Singh on July 23, 2017 · 8 mins read

As we already know, wireless technologies are continuously evolving their capabilities and trying to maximise their speed. So, to make WLANs more secure, WLAN security features are also evolving.

In this post I am going to provide a quick overview of three WLAN security encryption standards: WEP, WPA and WPA2.

In wireless connections, both passwords and the WLAN encryption algorithm play a very important role in keeping a connection secure and private. That's why I will also provide information about the differences between WEP, WPA and WPA2. To understand WLAN security, you first need to understand how WLAN security works.

Wireless Access Point or Router

During the initial setup, most wireless access points and routers today let you select the security protocol to use. While this is of course a good thing, some people don't care to change it.

The problem with that is that the device may be set up with WEP by default, which we now know isn't secure. Or, even worse, the router may be completely open with no encryption or password at all.

If you are setting up your own network, make sure to use WPA2 or, at the bare minimum, WPA.

Client Side

The client side is your laptop, desktop computer, smartphone, etc.

When you try to establish a connection to a security-enabled wireless network for the first time, you'll be prompted to enter the security key or passphrase in order to successfully connect to the network.

That key or passphrase is the WEP/WPA/WPA2 code that you entered into your router when you configured the security.

If you're connecting to a business network, it's most likely provided by the network administrator.

WEP (Wired Equivalent Privacy)

Wired Equivalent Privacy (WEP) is the most widely used Wi-Fi security algorithm in the world. Developed in the late 1990s as the first encryption algorithm for the 802.11 standard, WEP was designed with one main goal in mind: to prevent hackers from snooping on wireless data as it was transmitted between clients and access points (APs). The first versions of WEP weren’t particularly strong, even for the time they were released, because U.S. restrictions on the export of various cryptographic technology led manufacturers to restrict their devices to only 64-bit encryption, which is why WEP lacked the strength necessary to accomplish this goal.

Cyber security experts identified several severe flaws in WEP in 2001, eventually leading to industry-wide recommendations to phase out the use of WEP in both enterprise and consumer devices. After a large-scale cyber attack executed against T.J. Maxx in 2009 was traced back to vulnerabilities exposed by WEP, the Payment Card Industry Data Security Standard prohibited retailers and other entities that processed credit card data from using WEP.

WEP uses the RC4 stream cipher for authentication and encryption. The standard originally specified a 40-bit preshared encryption key; a 104-bit key was later made available after a set of restrictions from the U.S. government was lifted. The key must be manually entered and updated by an administrator.

The key is combined with a 24-bit initialisation vector (IV) in an effort to strengthen the encryption. However, the small size of the IV increases the likelihood that keys will be reused, which, in turn, makes them easier to crack. This characteristic, along with several other vulnerabilities -- including problematic authentication mechanisms -- makes WEP a risky choice for wireless security.

Wi-Fi Protected Access (WPA)

Wi-Fi Protected Access was the Wi-Fi Alliance’s direct response to, and replacement for, the increasingly apparent vulnerabilities of the WEP standard. It was formally adopted in 2003, a year before WEP was officially retired. The most common WPA configuration is WPA-PSK (Pre-Shared Key). The keys used by WPA are 256-bit, a significant increase over the 64-bit and 128-bit keys used in the WEP system.

WPA has discrete modes for enterprise users and for personal use. The enterprise mode, WPA-EAP, uses more stringent 802.1X authentication with the Extensible Authentication Protocol, or EAP, and requires the use of an authentication server. The personal mode, WPA-PSK, uses preshared keys for simpler implementation and management among consumers and small offices. WPA also included other features, such as message integrity checks (to determine if an attacker had captured or altered packets passed between the access point and client) and the Temporal Key Integrity Protocol (TKIP). The protocol contains a set of functions to improve wireless LAN security: the use of 256-bit keys, per-packet key mixing (the generation of a unique key for each packet), automatic broadcast of updated keys, a message integrity check, a larger IV size (48 bits) and mechanisms to reduce IV reuse. TKIP was later superseded by Advanced Encryption Standard (AES).

Despite what a significant improvement WPA was over WEP, the ghost of WEP haunted WPA. TKIP, a core component of WPA, was designed to be easily rolled out via firmware upgrades onto existing WEP-enabled devices. As such, it had to recycle certain elements used in the WEP system which, ultimately, were also exploited.

Wi-Fi Protected Access 2 (WPA2)

As the successor to WPA, the WPA2 standard was ratified by the IEEE in 2004 as 802.11i. Like its predecessor, WPA2 also offers enterprise and personal modes. Although WPA2 still has vulnerabilities, it is considered the most secure wireless security standard available.

WPA2 replaces the RC4 cipher and TKIP with two stronger encryption and authentication mechanisms: the Advanced Encryption Standard (AES) and Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), respectively. Also meant to be backward-compatible, WPA2 supports TKIP as a fallback if a device cannot support CCMP.

Developed by the U.S. government to protect classified data, AES is composed of three symmetric block ciphers. Each encrypts and decrypts data in blocks of 128 bits using 128-, 192- and 256-bit keys. Although the use of AES requires more computing power from APs and clients, ongoing improvements in computer and network hardware have mitigated performance concerns.

CCMP protects data confidentiality by allowing only authorized network users to receive data, and it uses cipher block chaining message authentication code to ensure message integrity.

WPA2 also introduced more seamless roaming, allowing clients to move from one AP to another on the same network without having to reauthenticate, through the use of Pairwise Master Key caching or preauthentication.