This post is a small survey of existing Wi-Fi security protocols pertaining to home and small offices as of Oct. 25th, 2010
WEP – Wired Equivalent Privacy – WEAK
Anyone with the slightest knowledge of wireless security protocols knows that WEP is very insecure. A very inexperienced individual can get the tools and watch a tutorial on how to crack a WEP key in a few hours. WEP seriously has so many problems from a cryptographic point of view.
- The master key is used within the encryption instead of deriving a key from the master key.
- Keys can be derived from datagrams.
- The hashing algorithm it uses for integrity is weak (CRC32)
Do not secure your network with WEP. WEP will be completely out of production by 2014.
WPA – Wi-Fi Protected Access – MODERATE-STRONG
WPA was the interm solution to WEP’s serious weaknesses while WPA2 was developed. One of the important points of WPA is that it derives encryption keys from the master key instead of utilizing the master key in the encryption.
WPA has held it’s ground for some time but it still vulnerable to brute-forcing weak passwords by capturing an authentication handshake. Weaknesses in WPA implementations have been discovered as early as 2008 and are continuing to be discovered into early 2010.
The current vulnerabilities exist in the Temporal Key Integrity Protocol (TKIP) (the enhanced protocol to address WEP vulnerabilities). They allow an attacker to inject a small amount of valid encrypted packets of their choice. When the original vulnerability was discovered, Quality of Service (QoS) needed to be enabled on the access point in order to successfully take advantage of the vulnerabilities. Specifically, having QoS enabled,
allowed one to bypass WPAs replay protection. However, as of early 2010, the QoS requirement for the attack is not required. Because this vulnerability doesn’t expose the key, people are not as concerned about it and it hasn’t warranted much concern. Although the attacks aren’t much of a concerned, I’d suggest if you’re going to use WPA, use WPA-AES, NOT WPA-TKIP. TKIP was officially deprecated from the 802.11 spec as of early 2009. The take home message of WPA as quoted from the Wi-Fi alliance:
Q: Is WPA still secure?
Yes, WPA remains secure. WPA is the major upgrade to Wi-Fi security, applicable to
enterprise and home users. WPA was independently verified to address all of WEP’s
known weaknesses. WPA2 is not being released to address any flaws in WPA.
WPA2 – Wi-Fi Protected Access 2 – STRONG
WPA2 was the final spec that the Wi-Fi Alliance had been working on when WEP vulnerabilities were discovered. Instead of utilizing TKIP for encryption, WPA2 utilizes AES. WPA2 is very similar to WPA-AES with a few minor differences that are negligible to security protection.
Like WPA, WPA2 passwords can also be brute-forced, thus strong and random passwords should be used. Other weaknesses in WPA2 do exist but they can generally be avoid by implementing basic security practices. Due to the deprecation of TKIP and the inherently stronger AES encryption, WPA2 is the recommended wireless security protocol