Wireless Encryption Protocols: The Complete Guide (IBM Blog)

Wireless Security, Wireless Encryption Types, and WPA

Wireless networks are a boon to businesses of every kind.

They enable the broadcasting of data in every direction to every device that happens to be listening within range.

However, this presents security challenges.

Passwords alone won’t ensure safe communications. And so a variety of wireless security protocols have been developed to protect wireless networks.

As well as preventing uninvited guests connecting to the network, these also encrypt any data being sent or received, with the aim of frustrating anyone attempting to steal information.

Over 5 billion mobile devices are currently in use around the world – and the coming 5G revolution is only going to substantially add to that number.


Wireless encryption types

Every device relying on a wireless network needs a safe, fast and secure connection.

Fortunately, as quickly as wireless network technologies evolve, the wireless security protocols for securing them evolve along with them.

Your Local Area Network (LAN) is connected to the Internet by a wireless router. This router encrypts any transmitted data, giving you a choice of three wireless encryption protocols: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), or WPA2.

Each has its own strengths — and weaknesses.

And so, although WPA2 has become the general default, your choice depends on your wireless network’s needs.


WEP: Wired Equivalent Privacy

Developed in the late 1990s, Wired Equivalent Privacy is the original encryption protocol based on the 802.11 wireless security standard.

(Developed by the Institute of Electrical and Electronics Engineers [IEEE], 802.11 is an evolving family of specifications for Wireless Local Area Networks [WLANs].)

As its name implies, it was hoped that WEP could replicate the same level of security as a wired network sending data between two points and connected by a network cable.

Whereas the original 64-bit WEP protocol utilised a 40-bit key (WEP-40), this was later increased to a 128-bit WEP protocol using a 104-bit key size (WEP-104).

The network security key must be manually entered and updated by an administrator. And in an effort to strengthen the encryption, the key is combined with a 24-bit Initialisation Vector (IV) to form a Rivest Cipher 4 (RC4) key.

Unfortunately, such a small Initialisation Vector increases the likelihood that keys will be reused. This makes them easier for attackers to crack.
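To put numbers on the IV problem, here is an added Python example (not code from the original article) that forms the RC4 seed the way WEP does and uses the birthday bound to show how soon a 24-bit IV is expected to repeat; the sample IV, key and the 1,000 frames/s rate are constructed illustrative values.

```python
import math

IV_BITS = 24              # WEP prepends a 24-bit Initialisation Vector to the static key
IV_SPACE = 1 << IV_BITS   # 16,777,216 possible IV values


def wep_rc4_seed(iv: bytes, secret_key: bytes) -> bytes:
    """Form the per-packet RC4 seed the way WEP does: IV || secret key.

    WEP-40 uses a 5-byte key (64-bit seed), WEP-104 a 13-byte key (128-bit seed).
    Only the 3-byte IV varies between packets, so two packets that carry the
    same IV are encrypted with exactly the same RC4 keystream.
    """
    if len(iv) != 3:
        raise ValueError("WEP IV must be 24 bits (3 bytes)")
    if len(secret_key) not in (5, 13):
        raise ValueError("WEP key must be 40 bits (WEP-40) or 104 bits (WEP-104)")
    return iv + secret_key


def iv_collision_probability(packets: int, iv_space: int = IV_SPACE) -> float:
    """Probability that at least two of `packets` randomly chosen IVs coincide
    (birthday-bound approximation 1 - exp(-n(n-1) / 2N))."""
    if packets > iv_space:
        return 1.0  # more packets than IV values: a repeat is certain
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * iv_space))


def packets_until_collision_probability(p: float, iv_space: int = IV_SPACE) -> int:
    """Smallest packet count n for which iv_collision_probability(n) reaches p;
    solves n(n-1) / 2N = -ln(1-p) for n and rounds up."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must lie strictly between 0 and 1")
    return math.ceil(0.5 + math.sqrt(0.25 - 2.0 * iv_space * math.log(1.0 - p)))


def hours_to_exhaust_iv_space(frames_per_second: float, iv_space: int = IV_SPACE) -> float:
    """Hours until a card that simply increments its IV has used every value
    once and is forced to start reusing them."""
    return iv_space / frames_per_second / 3600.0


if __name__ == "__main__":
    # Constructed sample IV and WEP-40 key; the frame rate is an assumed figure.
    seed = wep_rc4_seed(b"\x00\x00\x01", b"\x01\x02\x03\x04\x05")
    print(f"WEP-40 RC4 seed: {len(seed) * 8} bits, of which only 24 change per packet")
    print(f"50% chance of a repeated random IV after "
          f"{packets_until_collision_probability(0.5)} packets")
    print(f"At 1,000 frames/s the whole IV space is used up in "
          f"{hours_to_exhaust_iv_space(1000):.1f} hours")
```

The point for a defender is that a repeat is not a rare event: with random IVs it is more likely than not after a few thousand frames, and even a counter wraps within hours on a busy network.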

Even as early as 2001, it became obvious that the system was flawed. Its problematic authentication mechanisms led to industrywide recommendations to phase out WEP in both enterprise and consumer devices.

While the IEEE worked to develop a more advanced, long-term replacement for WEP, in the following years the Wi-Fi Alliance released Wi-Fi Protected Access (WPA) as an interim standard.

Then in 2009, after T.J. Maxx suffered a large-scale cyberattack, use of WEP by organisations processing credit card data was prohibited by the Payment Card Industry Data Security Standard.

In short, although many routers still include WEP, it’s flawed and too insecure to rely on when it comes to business.

It’s far better to place your trust in the wireless encryption protocols of the WPA family.


WPA: Wi-Fi Protected Access

While the IEEE worked on an enhanced 802.11i wireless security standard, WPA was introduced as a temporary security solution to combat the inherent flaws of WEP.

To encourage a quick, easy adoption, it was designed to be backward-compatible with WEP. With little more than a simple firmware update, network security professionals were able to support the new standard on many WEP-based devices.

Like WEP, WPA is based on the RC4 cipher. But wireless security was enhanced using 256-bit keys and a 48-bit Initialisation Vector.

Moreover, WPA's new Temporal Key Integrity Protocol (TKIP) introduced per-packet key mixing (a unique key generated for each packet), automatic broadcasting of updated keys, and message integrity checks.

WPA also comes with two modes, WPA Personal (or WPA-PSK) and WPA Enterprise (or WPA-EAP).

Intended for simpler implementation and management among consumers and small offices, the personal mode uses Pre-Shared Keys (PSK).

The enterprise mode requires the use of a more stringent 802.1X authentication server to generate keys or certificates, working in combination with an Extensible Authentication Protocol (EAP).

Intended only as a stop-gap solution that could be used to easily replace WEP, WPA is an undoubted improvement on its predecessor.

However, the compatible framework allowing this ease of adoption has left it less robust and secure than it could be.

WPA2 provides the full implementation of the 802.11i standard for securing wireless networks.


WPA2: Wi-Fi Protected Access version 2

The 802.11i wireless security standard was finalised in 2004, the same year that WPA2 was launched.

WPA2 replaces the encryption and authentication systems of WEP and WPA with superior mechanisms.

TKIP has been superseded by the much-improved Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). (As a fallback, if a device cannot support CCMP, WPA2 is backward-compatible and supports TKIP.)

CCMP only allows authorised network users to receive data. It also ensures message integrity through a Cipher Block Chaining Message Authentication Code (CBC-MAC), in which the authentication value for each block depends on all the preceding blocks of the message, so any alteration of the ciphertext is detected.

Similarly, the RC4 cipher has been replaced with the Advanced Encryption Standard (AES), developed by the U.S. government to protect information classified as top secret.

Believed to be uncrackable by even the most skilled hacker, AES is composed of three symmetric block ciphers.

Each encrypts and decrypts data in blocks of 128 bits using 128-bit, 192-bit, and 256-bit keys.

Added to all this, WPA2 uses Pairwise Master Key caching (or pre-authentication) to enable seamless roaming from one access point (AP) to another on the same network, without having to reauthenticate.

It also comes with enterprise and personal modes.


WPA2-PSK (Pre-Shared Key) and WPA2-ENT (Enterprise)

WPA2-PSK is intended for home and very small office networks.

It requires the setting of an encryption passphrase that must be entered by each user when connecting to the network. Each wireless device is authenticated by the same 256-bit key.
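As an added example (not code from the original article), the following Python derives that shared 256-bit key exactly as IEEE 802.11i specifies, from the passphrase and the network's SSID using PBKDF2-HMAC-SHA1, and writes it out in the hex `psk=` form that wpa_supplicant accepts; the "OfficeWiFi" network and its passphrase are constructed values, while "password"/"IEEE" is the test vector published in the standard.

```python
import hashlib

PSK_ITERATIONS = 4096   # iteration count fixed by IEEE 802.11i
PSK_LENGTH = 32         # 256-bit key


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2 Pre-Shared Key (which also serves as the Pairwise
    Master Key) from a passphrase and the SSID, as IEEE 802.11i specifies:
    PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations.

    The SSID acts as a per-network salt, so the same passphrase yields a
    different key on a differently named network, while every device on one
    network ends up holding exactly this key.
    """
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii() or not passphrase.isprintable():
        raise ValueError("WPA2 passphrases are 8 to 63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("an SSID is 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes,
                               PSK_ITERATIONS, PSK_LENGTH)


def wpa_supplicant_network_block(ssid: str, passphrase: str) -> str:
    """Render a wpa_supplicant network block carrying the derived key as 64 hex
    digits (the psk= form wpa_supplicant accepts), so the cleartext passphrase
    need not be stored on the client."""
    psk_hex = wpa2_psk(passphrase, ssid).hex()
    return "\n".join(["network={", f'\tssid="{ssid}"', f"\tpsk={psk_hex}", "}"])


if __name__ == "__main__":
    # "password" / "IEEE" is the IEEE 802.11i test vector; the rest is constructed.
    print(wpa2_psk("password", "IEEE").hex())
    print(wpa_supplicant_network_block("OfficeWiFi", "correct horse battery staple"))
```

Because the passphrase is the only secret and every device derives the identical key from it, changing it means reconfiguring every client, which is the management cost the enterprise mode below avoids.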

No additional security applications are required, whereas the enterprise-oriented WPA2-ENT utilises a RADIUS (Remote Authentication Dial In User Service) authentication server.

Although RADIUS is effectively an enterprise-grade server, other options are available to smaller companies who don’t wish to be faced with the complexity of installation.

If you already have Windows Server installed, there’s the Network Policy Server (NPS) in Windows Server 2008. Otherwise, it’s now perfectly simple to outsource the RADIUS server to a hosted service.

Once it’s up and running, WPA2-ENT is more easily managed than WPA2-PSK as it enables centralised control over users’ access to the wireless network.

And as the passphrase to the network isn’t stored locally, it also provides greater security against attacks.

Each time users log onto the network with their unique passwords, WPA2-ENT creates new encryption keys.

WPA2, then, is currently the most secure wireless security standard available.


Looking beyond the network security key

A router’s security doesn’t begin and end with the encryption protocol.

Even a small company’s router should also support firewalls, Intrusion Prevention Systems (IPSes), and Virtual Private Networks (VPNs).

The introduction of 5G is also leading to ever more ‘smart’ devices connected via wireless technology, and all this new technology demands an increasingly secure connection.
