Wireless security is the prevention of unauthorized access or damage to computers or data using wireless networks, which include Wi-Fi networks. In this post, we’ll take a look at wireless security protocols to help you understand the different aspects of these protocols.
There are several types of wireless security protocols that you’ll come across – here’s a quick rundown on the details.
WEP (Wired Equivalent Privacy)
WEP was developed for wireless networks and approved as a Wi-Fi security standard in September 1999. There are a lot of well-known security issues in WEP, which is also easy to break and hard to configure. WEP is not the correct choice for securing your network, and in light of this, other types of wireless security were created. WEP was officially abandoned by the Wi-Fi Alliance in 2004.
WPA (Wi-Fi Protected Access)
While the 802.11i wireless security standard was in development, WPA was used as a temporary security enhancement for WEP.
Most modern WPA applications use a pre-shared key (PSK), most often referred to as WPA Personal, and TKIP (Temporal Key Integrity Protocol) for encryption. For an encrypted data transfer to work, the systems at both ends of the transfer must use the same encryption/decryption key. WPA uses TKIP, which dynamically changes the key that the systems use. This prevents intruders from creating their own encryption key to match the one used by the secure network. Of course, WPA also proved to be pretty vulnerable to intrusion.
WPA2 (Wi-Fi Protected Access version 2)
Today’s default algorithm is WPA2, which is also known as WPA2-Personal. This protocol was introduced in 2004. The most important improvement of WPA2 over WPA was the use of AES (Advanced Encryption Standard). AES is approved by the U.S. government for encrypting information classified as top secret. So most WPA2 configurations come with AES enabled by default out of the box. Based on the IEEE 802.11i standard, WPA2 provides government-grade security by implementing the NIST (National Institute of Standards and Technology) FIPS 140-2 compliant AES encryption algorithm and 802.1X-based authentication.
Now, the main vulnerability to a WPA2 system is when the attacker already has access to a secured WiFi network and can gain access to certain keys to perform an attack on other devices on the network.
The primary issue with WPA2-AES apart from the encryption mode is that an attacker, if suitably positioned, can cause a client to deauthenticate from the wireless network. Once deauthenticated, the attacker would capture the reconnection. Within the captured data, the encrypted preshared key would be obtained.
Of course, even this protocol is vulnerable. In 2016, it became clear that the proof-of-concept exploit called KRACK (Key Reinstallation Attacks) affects the core WPA2 protocol itself and is effective against devices running the Android, Linux, Apple, Windows, and OpenBSD operating systems, as well as MediaTek, Linksys, and other types of devices.
There are two versions of WPA2:
- WPA2-Pre-Shared Key (WPA2-PSK)
This method is also called WPA2-Personal, and it protects against unauthorized network access by utilizing a set-up password. This method is designed for home users without an enterprise authentication server. To encrypt a network with WPA2-PSK you must provide your router with a plain-English passphrase between 8 and 63 characters long.
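How the 8 to 63 character passphrase becomes the actual 256-bit key, as an added example that is not part of the original post: 802.11i derives the key with PBKDF2-HMAC-SHA1, salted with the SSID, so the result depends only on the passphrase and the network name. The `passphrase_findings` helper and its 16-character threshold are assumptions made for this example, not a standard.

```python
import hashlib
import string

# Printable ASCII 32..126, the character set allowed in a WPA2 passphrase.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

def validate_passphrase(passphrase: str) -> None:
    """Raise ValueError unless this is a legal WPA2-PSK passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(ch not in PRINTABLE for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output."""
    validate_passphrase(passphrase)
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

def passphrase_findings(ssid: str, passphrase: str, min_len: int = 16) -> list:
    """Defender-side review of one network's passphrase (hypothetical policy)."""
    try:
        validate_passphrase(passphrase)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if len(passphrase) < min_len:
        findings.append(f"shorter than {min_len} characters")
    if ssid.lower() in passphrase.lower():
        findings.append("contains the SSID")
    if passphrase.isdigit():
        findings.append("digits only")
    return findings

if __name__ == "__main__":
    # Test vector published with IEEE 802.11i: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    # Same passphrase, different network name: a different key.
    print(derive_pmk("password", "IEEF").hex())
    # Constructed sample values.
    print(passphrase_findings("HomeNet", "homenet123"))
```

Because the SSID is the salt, a default or very common network name weakens the derivation just as a short passphrase does.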
There are three forms of this method, which are:
- WPA2-PSK (AES)
- WPA2-PSK (TKIP)
- WPA2-PSK (TKIP/AES)
TKIP and AES are two different types of encryption that can be used by a Wi-Fi network. TKIP is similar to WEP encryption. TKIP is no longer considered secure, and is now deprecated. It’s recommended that you don’t use it. AES is a common worldwide encryption standard and it is generally considered quite secure. Of course, AES also has its vulnerabilities.
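Which of these modes an access point really offers is advertised in the RSN information element of its beacons. The parser below is an added example, not part of the original post; it decodes that element and flags TKIP or WEP, PSK without SAE, and missing management frame protection (the 802.11w feature that addresses forged deauthentication frames). Both sample elements are constructed for the example.

```python
import struct

# Suite types under the IEEE 802.11 OUI 00-0F-AC.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128", 9: "GCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE", 12: "802.1X-SuiteB-192"}

def _name(sel: bytes, table: dict) -> str:
    if len(sel) != 4:
        raise ValueError("truncated suite selector")
    if sel[:3] != b"\x00\x0f\xac":
        return "vendor-" + sel.hex()
    return table.get(sel[3], f"unknown-{sel[3]}")

def _suite_list(body: bytes, off: int, table: dict):
    (count,) = struct.unpack_from("<H", body, off)
    names = [_name(body[off + 2 + 4 * i: off + 6 + 4 * i], table) for i in range(count)]
    return names, off + 2 + 4 * count

def parse_rsn(ie: bytes) -> dict:
    """Parse an RSN information element (ID 48) from a beacon or probe response."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]  # version (2 bytes), group suite (4), pairwise list, AKM list, capabilities
    try:
        group = _name(body[2:6], CIPHERS)
        pairwise, off = _suite_list(body, 6, CIPHERS)
        akms, off = _suite_list(body, off, AKMS)
        caps = struct.unpack_from("<H", body, off)[0] if len(body) >= off + 2 else 0
    except struct.error as exc:
        raise ValueError("truncated RSN element") from exc
    return {"group": group, "pairwise": pairwise, "akm": akms,
            "mfp_required": bool(caps & 0x0040), "mfp_capable": bool(caps & 0x0080)}

def findings(rsn: dict) -> list:
    """Configuration findings a defender would want fixed on the access point."""
    out = []
    legacy = {"TKIP", "WEP-40", "WEP-104"} & ({rsn["group"]} | set(rsn["pairwise"]))
    if legacy:
        out.append("legacy cipher offered: " + ", ".join(sorted(legacy)))
    if "PSK" in rsn["akm"] and "SAE" not in rsn["akm"]:
        out.append("PSK without SAE")
    if not rsn["mfp_required"]:
        out.append("management frame protection not required")
    return out

# Constructed sample elements (not captured from a real network).
MIXED_WPA2 = bytes.fromhex("30180100000fac020200000fac04000fac020100000fac020000")
WPA3_SAE = bytes.fromhex("30140100000fac040100000fac040100000fac08c000")
```

In the mixed TKIP/AES sample the group cipher is TKIP, which is why that mode is flagged even though AES is also offered.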
- WPA2-Enterprise
WPA2-Enterprise (around since 2004) adds additional security to WPA2: it allows for user auditing and eliminates the risk of shared passwords while using enhanced security methods. Deploying Enterprise requires a RADIUS server. WPA2-Enterprise verifies network users through a server. WPA2 is backward compatible with WPA.
WPA2-Enterprise delivers over-the-air encryption and a high level of security. WPA2-Enterprise uses several authentication protocols. These protocols include:
- EAP-TLS: It is a certificate-based protocol that is widely considered one of the most secure EAP standards because it eliminates the risk of over-the-air credential theft. It’s also the protocol that provides the best user experience.
- EAP-TTLS/PAP: It is a credential-based protocol that only requires the server to be authenticated, while user authentication is optional. This protocol includes many vulnerabilities. In particular, it allows credentials to be sent over the air in clear text, which can be vulnerable to cyber-attacks like Man-in-the-Middle and easily repurposed to accomplish the hacker’s goals.
- PEAP-MSCHAPv2: It is a credential-based protocol that was designed by Microsoft for Active Directory environments. This protocol does not require the configuration of server-certificate validation, leaving devices vulnerable to Over-the-Air credential theft.
WPA2-Enterprise networks have some problems:
- Device variation: Support for 802.1X is inconsistent across devices, even between devices of the same OS (like Android). Each device has unique characteristics that can make it behave unpredictably. This problem is made worse by unique drivers and software installed on the device.
- MITM and delivering certificates: Organizations usually sweep for and detect rogue access points, including Man-in-the-Middle attacks, but users can still be vulnerable off-site. Even if the server has a certificate properly configured, there’s no guarantee that users won’t connect to a rogue SSID and accept any certificates presented to them. The best practice is to install the public key on the user’s device to automatically verify the certificates presented by the server.
- The Password change problem: Networks with passwords that expire on a regular basis face an additional burden with WPA2-Enterprise. Each device will lose connectivity until reconfigured. It’s even worse on networks that have unexpected password changes due to data breaches or security vulnerabilities.
- Changing user expectations: Users today have incredibly high expectations for ease of use. If the network is too hard to use, they’ll use data. If the certificate is bad, they will ignore it. If they can’t access something they want, they will use a proxy. So, a good security protocol should be as easy as possible for network users to navigate without sacrificing security.
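One way to check that clients actually validate the RADIUS server, as the MITM item above recommends. This is an added example, not part of the original post, and it assumes the clients use wpa_supplicant, which skips server certificate verification when no `ca_cert` or `ca_path` is set. The sample configuration is constructed.

```python
import re

# Constructed sample wpa_supplicant.conf (not from a real deployment).
SAMPLE_CONF = '''
network={
    ssid="CorpWiFi-PEAP"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWiFi-TTLS"
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    phase2="auth=PAP"
}
network={
    ssid="CorpWiFi-TLS"
    key_mgmt=WPA-EAP
    eap=TLS
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.corp.example"
}
'''
# Any one of these pins the expected server name in the certificate.
NAME_CHECKS = {"domain_match", "domain_suffix_match", "subject_match", "altsubject_match"}

def parse_networks(text):
    """Return one dict of settings per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", text, flags=re.S):
        lines = [ln.strip() for ln in body.splitlines()]
        pairs = (ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit_conf(text):
    """Map each 802.1X SSID to its server-validation findings."""
    report = {}
    for net in parse_networks(text):
        if "EAP" not in net.get("key_mgmt", ""):
            continue
        issues = []
        if not net.keys() & {"ca_cert", "ca_path"}:
            issues.append("no trusted CA: server certificate is not verified")
        if not net.keys() & NAME_CHECKS:
            issues.append("no server name check: any certificate from the CA is accepted")
        if net.get("eap") == "TTLS" and "PAP" in net.get("phase2", ""):
            issues.append("TTLS/PAP: password reaches whichever server ends the tunnel")
        report[net.get("ssid", "?")] = issues
    return report
```

Only the EAP-TLS block, with both a pinned CA and a server name match, comes back with no findings.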
WPA3 (Wi-Fi Protected Access version 3)
WPA3, released in June 2018, is the next-generation wireless security protocol. WPA3 comes in Personal and Enterprise editions, and this version improves on WPA2 with more robust authentication and encryption features. It also includes functionality to simplify, and better secure, the connection of IoT Wi-Fi devices.
A fundamental weakness of WPA2 is that it lets hackers deploy a so-called offline dictionary attack to guess your password. An attacker can take as many shots as they want at guessing your credentials without being on the same network. WPA3 will protect against dictionary attacks by implementing a new key exchange protocol.
One of the most important features of WPA3 is that it simplifies the connection of devices belonging to the Internet of Things. Wi-Fi Easy Connect, as the Wi-Fi Alliance calls it, makes it easier to get wireless devices that have no (or limited) screen or input mechanism onto your network. When enabled, you’ll simply use your smartphone to scan a QR code on your router, then scan a QR code on your printer or speaker or other IoT device, and you’re set — they’re securely connected.
New WPA3 Features
Four new features in WPA3 are designed to improve on WPA2:
- More secure handshake: The SAE (Simultaneous Authentication of Equals) protocol requires a new interaction with the network every time a device requests an encryption key, slowing down the rate of an attempted attack and making a password more resistant to dictionary and brute force attacks. This protocol also prevents offline decryption of data.
- Replacement of Wi-Fi Protected Setup (WPS): The Wi-Fi Device Provisioning Protocol (DPP) is a simpler way to securely add new devices to a network using a QR code or a password.
- Unauthenticated encryption: Better protection when using public hotspots using Wi-Fi Enhanced Open which provides unauthenticated encryption.
- Bigger session key sizes: WPA3-Enterprise will support key sizes the equivalent of 192-bit security during the authentication stage, which will be harder to crack.
WPA3-Personal provides password-based authentication with good security even when users choose short or weak passwords. It doesn’t require an authentication server and is the basic protocol home users and small businesses use. Other features of this version:
- Uses 128-bit encryption
- Makes use of a SAE handshake
- A new set of encryption keys is generated every time a WPA3 connection is made, so if the initial password is compromised, it won’t matter
- Bolsters security on public networks
- Easily manages connected devices
WPA3-Enterprise provides extra protection for enterprise networks transmitting sensitive data. It includes an optional 192-bit minimum strength security mode, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems.