WEP shared key authentication uses the RC4 symmetric stream cipher to encrypt data. This authentication method requires the same static key to be pre-configured on the server and the client. Both the encryption mechanism and the encryption algorithm introduce security risks to the network.

The Wi-Fi Alliance developed Wi-Fi Protected Access (WPA) to overcome the shortcomings of WEP before more secure policies were provided in 802.11i. WPA still uses the RC4 algorithm, but it adopts the 802.1X authentication framework, supports Protected EAP (EAP-PEAP) and EAP-Transport Layer Security (EAP-TLS) authentication, and defines the Temporal Key Integrity Protocol (TKIP) encryption algorithm. Later, 802.11i defined WPA2. WPA2 uses Counter Mode with CBC-MAC Protocol (CCMP), a more secure encryption algorithm than those used in WPA. Both WPA and WPA2 support 802.1X authentication and the TKIP/CCMP encryption algorithms, ensuring better compatibility. The two protocols provide almost the same security level; their difference lies in the protocol packet format. The WPA/WPA2 security policy involves four steps:
Link Authentication
Link authentication can be completed in open system authentication or shared key authentication mode. WPA and WPA2 support only open system authentication. For details, see "Link Authentication" in STA Access.

Access Authentication
WPA and WPA2 have an enterprise edition and a personal edition.
802.1X authentication can be used to authenticate wireless and wired users, whereas PSK authentication is specific to wireless users. PSK authentication requires that a STA and an AC be configured with the same PSK. The STA and AC authenticate each other through key negotiation. During key negotiation, each side uses its PSK to decrypt the message received from the other. If the messages are successfully decrypted, the STA and AC hold the same PSK. If the PSKs match, PSK authentication succeeds; otherwise, PSK authentication fails.

Key Negotiation
802.11i defines two key hierarchies: the pairwise key hierarchy and the group key hierarchy. The pairwise key hierarchy protects unicast data exchanged between STAs and APs. The group key hierarchy protects broadcast or multicast data exchanged between STAs and APs. During key negotiation, a STA and an AC use the pairwise master key (PMK) to generate a pairwise transient key (PTK) and a group temporal key (GTK). The PTK is used to encrypt unicast packets, and the GTK is used to encrypt multicast and broadcast packets.
Key negotiation consists of unicast key negotiation and multicast key negotiation.
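The key negotiation described above, carried through for WPA2-Personal with CCMP as an added example (this is not code from the original page): the PSK and SSID give the PMK, the PMK and the two nonces give the PTK, and the AC confirms that the STA holds the same PMK by checking the MIC on message 2 of the unicast key handshake rather than by receiving the key itself. The MAC addresses, nonces and message body are constructed placeholders; the derivation functions follow the definitions in IEEE 802.11i.

```python
import hashlib
import hmac

# Constructed sample values for the exchange (not from any real capture).
AA = bytes.fromhex("001122334455")      # authenticator (AP/AC side) MAC address
SPA = bytes.fromhex("66778899aabb")     # supplicant (STA) MAC address
ANONCE = bytes(range(32))               # nonce sent by the AC in message 1
SNONCE = bytes(range(32, 64))           # nonce sent by the STA in message 2
# Stand-in for the EAPOL-Key message 2 body with its Key MIC field zeroed.
MSG2_BODY = b"constructed EAPOL-Key message 2 body, MIC field zeroed"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (48 bytes: KCK 16 | KEK 16 | TK 16); TKIP would expand to 64."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, body: bytes) -> bytes:
    """Key MIC for CCMP (key descriptor version 2): HMAC-SHA1 truncated to 16 bytes."""
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


def sta_message2_mic(passphrase: str, ssid: str) -> bytes:
    """STA side: derive PMK and PTK, then tag message 2 with a MIC under the KCK."""
    ptk = derive_ptk(derive_pmk(passphrase, ssid), AA, SPA, ANONCE, SNONCE)
    return eapol_mic(ptk[:16], MSG2_BODY)


def ac_accepts_message2(passphrase: str, ssid: str, received_mic: bytes) -> bool:
    """AC side: recompute the MIC from its own PSK; a match proves both hold the same PMK."""
    ptk = derive_ptk(derive_pmk(passphrase, ssid), AA, SPA, ANONCE, SNONCE)
    return hmac.compare_digest(eapol_mic(ptk[:16], MSG2_BODY), received_mic)


if __name__ == "__main__":
    mic = sta_message2_mic("password", "IEEE")
    print("same PSK accepted:", ac_accepts_message2("password", "IEEE", mic))
    print("other PSK accepted:", ac_accepts_message2("password", "IEEE", sta_message2_mic("other", "IEEE")))
```

The PMK check in the test uses the published 802.11i Annex H test vector for passphrase "password" and SSID "IEEE"; the MIC comparison is constant-time so that a wrong PSK is rejected without leaking timing information.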
Data Encryption
WPA and WPA2 support the TKIP and CCMP encryption algorithms.
Does WPA2 Enterprise need a RADIUS server?
The WPA2 security method uses the more secure Advanced Encryption Standard (AES) cipher instead of the RC4 cipher used by WPA. Both WPA-Enterprise and WPA2 require configuring a RADIUS server.
What is WPA/WPA2 encryption?
WPA2 ensures that data sent or received over your wireless network is encrypted, and only people with your network password have access to it. A benefit of WPA2 was that it introduced the Advanced Encryption Standard (AES) to replace the more vulnerable TKIP scheme used in the original WPA protocol.
What does WPA use for authentication?
WPA works using discrete modes for enterprise and personal use. The most recent enterprise mode, WPA-EAP, uses stringent 802.1X authentication. The latest personal mode, WPA-PSK, uses Simultaneous Authentication of Equals (SAE) to create a secure handshake.
What is WPA2 AES or WPA3?
WPA2/WPA3 Transitional is a mixed mode that uses WPA3 Personal with devices that support that protocol, while allowing older devices to use WPA2 Personal (AES) instead. WPA2 Personal (AES) is appropriate when you can't use one of the more secure modes.