Welcome to RUCKUS Networks, part of CommScope's world-leading portfolio of networking solutions. Learn more.
In the previous posts, I covered securing wired networks. While wired networks may not be as “fun” as wireless, they are critical to think address when we look at securing the ENTIRE network, not just the piece or two that people see and interact with. Therefore, we are going to switch to talking about securing wireless networks.
Long before the Wi-Fi Alliance created the marketing terms of Wi-Fi 5, Wi-Fi 6, and Wi-Fi 6E, they introduced another marketing term to us, even if most didn’t realize it at the time. This marketing term is WPA, or Wi-Fi Protected Access. WPA isn’t an official IEEE standard; it is a Wi-Fi Alliance certification. While WPA is the cornerstone of wireless security, it isn’t an IEEE standard or amendment, but it relies heavily on the IEEE to work.
The original encryption used in Wi-Fi was Wired Equivalent Privacy (WEP) and hopefully everyone knows and understands that WEP was compromised back in the early 2000’s with tools like aircrack.ng and John the Ripper. WEP contains a couple of fatal flaws that allow it to be brute-forced hacked in a matter of seconds, which led it to be “officially retired” in 2004. I say “officially retired” because while the problems with WEP still exist, there are networks that can be found in the wild that still use WEP thanks to client devices that don’t support any newer encryption.
In 2003, after WEP had been compromised but before the IEEE was able to officially introduce the 802.11i amendment, the Wi-Fi Alliance released WPA as a stop-gap solution for networks that needed to migrate from WEP, but without 802.11i being officially ratified, it was always destined to be nothing more than a stop-gap solution.
Granted, it was a critical stop-gap, but nonetheless, when 802.11i was ratified in 2004 it was “replaced” by Wi-Fi Protected Access 2, or the WPA2 protocol based on the 802.11i amendment that all of us are familiar with. This is when WEP was officially retired. WPA2 introduced a couple of enhancements that allowed it to serve the Wi-Fi world admirably for 14 years before its replacement was introduced in 2018 by WPA3.
In later posts we will get a little deeper into the nuts and bolts of how these protocols work and what is required to get them functional, but for now, in this introduction, I want to cover some basic information so we can refer back to it in the future.
Limitations with previous generations
WEP crackable because it only ever used one key during the encryption process, and if that key were captured, it was a simple process to just reuse that same key. It also was very limited in the number of bits used in the encryption.
Remember! Less bits = less complexity to crack = faster times to crack the encryption.
WPA introduced a concept known as Temporal Key Integrity Protocol (TKIP) which prevented attackers from simply copying the key they saw transmitted over the air. There is a downside to TKIP which didn’t really come into play until 802.11n was introduced in 2007. You see, TKIP has a limitation which caps Wi-Fi speeds at 54 Mbps. Prior to 802.11n, 54 Mbps was the fastest you could go, so the TKIP limitation matched the PHY rate limitation. No problems.
Luckily for 802.11n, which easily exceeded 54 Mbps, WPA2 with AES-CCMP encryption was already out. AES-CCMP removed this speed limitation as well as improved the overall encryption algorithm.
Why are we covering older security encryption, you ask? Too many times in the Wi-Fi world we are asked to support devices that are well past their prime from a technology standpoint but from a functional standpoint still perform their job as expected.
A perfect example of this are bar code scanners used in warehouse environments. These devices are required to be rugged, have long lasting batteries, and scan barcodes and enter a relatively simple number, and then transmit that information to a server. Even if the human being could scan 1 tag per second, the throughput requirement for this device isn’t even measured in Megabits per second; even 802.11b is fine from a speed perspective.
Network designers and administrators are driven crazy trying to maintain support for these legacy clients while also supporting managers and their latest tablets and application requirements. One device prizes ruggedness and stability while the other looks for speed and flexibility. And, more importantly for this discussion, one uses very old security while another is more likely near the latest encryption capabilities.
Tried and Tested WPA2
WPA2 has been our trusted friend since 2004 and, for the most part, has served us well. Sure, there has been a hiccup here and there (remember KRACK?) but when deployed and managed in a responsible manner, it was and still is very secure. This is especially true when we compare the two versions of WPA2 – Personal and Enterprise – and look at WPA2-Enterprise. WPA2-Enterprise, using a robust EAP type (EAP being Extensible Authentication Protocol), is still a very sound method for securing wireless networks. Built upon the 802.1X protocols, WPA2-Enterprise with EAP-TLS is very secure, even today.
When we look at WPA2-Personal using Pre-Shared Keys (PSK), we start to see some issues that led to the introduction of WPA3-SAE. WPA2-Personal is the usual type of network seen in residential deployments and in public areas like coffee shops where they post the Wi-Fi password on a sign in a public area. The issues inherent in how WAP2-Personal builds the encryption keys have necessitated moving to a standard like WPA3-SAE, which we will cover in greater detail in a later post.
If WPA2 is good, why did we need WPA3?
Just like with all things in technology, progress assists the attackers of a network just as much, if not more than, the legitimate network operators and users. As processor speeds and ability increased to help people do more on their mobile devices, it also made it faster for attackers to brute force passwords and credentials captured in the wild. Cloud computing and ubiquitous internet connections made it faster and easier for organizations to spread out their workload, as it did for attackers.
What used to take months to brute force crack can now be done in days; what used to take weeks can now be cracked in hours, if not minutes. With the ability of the attackers to collect encryption keys in the wild and then send them either to a Cloud computing instance or back to a central cracking server to work on, the cost to cracking an encryption key is much cheaper than it used to be.
WPA3-SAE (Simultaneous Authentication of Equals) introduced new encryption methods more similar to 802.1X standards, making it much harder to crack either in the wild or offline using a brute force encryption cracker server custom-built for the task at hand.
In subsequent posts I will cover more of this to help people understand what the exact vulnerabilities are, risks that you might be facing, and any obstacles that might stand in your way of upgrading to the newer standards.
In a world where we seem to feel pressured to always have the “latest and greatest,” some of the details can get lost in the shuffle. While WPA3-Enterprise is where we should be aiming, it’s ok if not every device ends up on that network. While WPA2-Personal might not be the “best”, remember that with some best practices thrown in, it can suffice. While WEP can be cracked by a competent attacker in a matter of seconds, it might be sufficient if that is all the device will support. I would STRONGLY recommend upgrading to almost anything to eliminate WEP, but that is a conversation for a different day.
Stay tuned for the next couple of installments where I will go into a little more detail on the two main methods of securing wireless networks today – Personal/SAE and Enterprise.