
Wi-Fi Security Standards and Protocols

Dec 8, 2021

On your access points, are you using at a minimum WPA2-PSK with CCMP encryption? Is TKIP encryption enabled for backward compatibility? Is WPS enabled?

Most Wi-Fi routers/APs provide WPA2-PSK (TKIP), among other options, for stable, secure wireless network access. Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and Wi-Fi Protected Access II (WPA2) are the security protocols you will most commonly encounter when setting up your wireless network.

Even with the many encryption standards in use today, some have been shown to have exploitable flaws. Unfortunately, people still use standards that are considered insecure; WEP, discussed below, is a good example.


Phase Out Weak WEP, WPA-PSK, and TKIP

Wired Equivalent Privacy (WEP), WPA-PSK authentication, and TKIP encryption have all been deprecated, and the Wi-Fi Alliance recommends that they no longer be used. With that said, these configurations are still out there, and we do see them.

Notably, WEP is the oldest of these security protocols and has proven vulnerable to numerous security flaws. The WEP algorithm encrypts all traffic using a single 64- or 128-bit key, entered in hexadecimal. Because that key is static, all traffic, regardless of the device, is encrypted under the same key. As the computing power of modern computers grew with improvements in processor clock speeds, the WEP standard became insecure and was deprecated. Since the encryption key does not change with every packet transmitted, an attacker who listens in can gather enough packets to recover the key.

WPA offers improved security. The Wi-Fi Alliance developed WPA to provide stronger data encryption and better user authentication than WEP. However, just like WEP, the protocol is considered vulnerable to intrusion. A home WPA-secured Wi-Fi network is usually based on Pre-Shared Key (PSK) authentication: the security of the wireless network rests on a shared secret, the Wi-Fi network password, known to the network users and the access points. In simple terms, WPA-PSK is a Wi-Fi network with one password shared by every single client. WPA-PSK is typically the configuration most widely applied by the cable or fiber-optic Wi-Fi routers that modern ISPs supply.

Also, with the arrival of WPA as a secure substitute for WEP, the Temporal Key Integrity Protocol (TKIP) was established as the new encryption mechanism for protecting wireless communication. However, TKIP is now considered obsolete, since CCMP replaced it in 2009. Nevertheless, it is still widely used as WPA-TKIP. Although not recommended by the standard, people still enable TKIP alongside WPA2-PSK for compatibility with older devices.


Enhance Wireless Security with WPA2 and CCMP

WPA2 replaced WPA, and CCMP replaced TKIP. WPA2 is among the latest security protocols developed by the Wi-Fi Alliance and is a more secure version of WPA. It uses a strong encryption method, the Advanced Encryption Standard in Counter Mode with CBC-MAC Protocol (AES-CCMP). CCMP, short for Counter Mode CBC-MAC Protocol and also known as AES-CCMP, is the security standard used with WPA2 wireless networks. The minimum recommended configuration is WPA2-PSK with CCMP encryption.

For enhanced security, disable WPA on wireless networks and leave only WPA2 enabled. Additionally, disable TKIP, leaving only the CCMP option. Wi-Fi networks that use only the WPA2-CCMP mechanism are, in that way, highly secure.


Use WPA2-Enterprise for Enterprise-Grade Security

The best configuration is WPA2-Enterprise, which uses a RADIUS server and trusted CA certificates issued per device or per user, providing an additional layer of authentication security not present in PSK. WPA2-Enterprise uses strong encryption and offers enterprise-grade authentication. In addition, it eliminates the security risks of a shared password and enables stronger authentication methods. WPA2-Enterprise also allows those authentication methods to be extended to the wired network.


Upgrading to WPA3 for Modern APs

WPA3 is out there, it sounds better, but we have yet to see anyone really use it to confirm it is in fact good, or just theoretically good. The Wi-Fi Alliance announced the release of the third and current version of WPA in 2018. The security standard tackles WPA2's shortcomings to better secure personal, enterprise, and IoT wireless networks. Notably, attackers can still crack a WPA2 passphrase with brute-force attacks. What's worse, they can capture the right data from the airwaves and use it for password-guessing attempts off-site, which makes the attack practical. Once the passphrase is cracked, the attacker could potentially decrypt any data captured before or after the cracking.

WPA3's most significant additions include greater protection for simple passwords, individualized encryption for personal and open networks, and stronger encryption for enterprise networks. WPA3 is a much-anticipated update that will benefit Wi-Fi networks. WPA3 uses Simultaneous Authentication of Equals (SAE), replacing the Pre-Shared Key (PSK) authentication method used in prior WPA versions. As a result, WPA3 networks with simple passphrases are not simple for attackers to crack using off-site, brute-force, dictionary-based attempts.


Disable Wi-Fi Protected Setup (WPS)

Wi-Fi Protected Setup (WPS) was created to make joining a wireless network foolproof. Unfortunately, many APs ship with WPS enabled by default. There are two main methods of joining through WPS: the push-button method and the PIN method. As the name suggests, the push-button method means that you literally push the WPS button on the AP, and if you are close enough to the AP, you can join the network without entering a password.

In contrast, the PIN method involves an 8-digit PIN. At first glance, that would give 100,000,000 (10^8) possible PINs. But the PIN is actually two 4-digit halves concatenated to form an 8-digit PIN, and each half is validated separately. The 8th digit is used as a checksum, so the second half has only 3 free digits. Effectively, instead of 100 million combinations there are only 11,000 (10^4 + 10^3). As a result, it takes only a short time to brute force.

The rationale behind WPS was to help non-technical users quickly add devices to wireless networks without complex configuration. Unfortunately, while WPS provides that convenience, the protocol is utterly insecure, and an AP with WPS enabled is highly vulnerable. In fact, a successful attack on your router's WPS function reveals your network password in no time, regardless of how strong the password is.
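To make the 11,000 figure concrete, here is an added example (not code from the original article) that validates the WPS PIN format and counts the search space. It assumes the check-digit rule is the weighted sum from the WPS specification and that the AP acknowledges each half of the PIN separately, as the text above describes.

```python
# Added example: WPS PIN check digit and the size of the effective search space.
# Assumption: the check digit follows the WPS specification's weighted-sum rule,
# and the AP confirms the first and second 4-digit halves independently.

def wps_check_digit(first7: str) -> int:
    """Check digit for a 7-digit prefix: 3*(d1+d3+d5+d7) + (d2+d4+d6) + check == 0 (mod 10)."""
    acc = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return (10 - acc % 10) % 10

def is_valid_wps_pin(pin: str) -> bool:
    """True for an 8-digit PIN whose last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_check_digit(pin[:7])

def count_valid_second_halves(first_half: str) -> int:
    """How many 4-digit second halves form a valid PIN with a given first half.
    Because the check digit is fixed by the other seven, only 3 digits are free."""
    return sum(is_valid_wps_pin(first_half + f"{n:04d}") for n in range(10_000))

def effective_search_space() -> int:
    """Worst case when halves are confirmed separately: 10^4 first halves, then
    every valid second half. The article's 11,000 falls out of this count."""
    return 10_000 + count_valid_second_halves("0000")
```

Disabling WPS removes this PIN exchange entirely, which is why the article treats it as a required hardening step rather than an optional one.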


Enhancing Security with Sonar

Is your wireless router as secure as you think? Are you applying the recommended security standard on your wireless network? Are you operating an AP with WPS enabled? How can you find out which security protocol type your Wi-Fi router is using?

As we have seen above, your Wi-Fi connection uses one of several security types. They are not all equal, and it is essential to learn which security type your AP is using.

Sonar can identify these configurations to ensure the AP hardware is hardened and that there are no misconfigurations that could result in a security breach. Once we have discovered the Wi-Fi security standard in use on your network, we help you reconfigure the network security to the best Wi-Fi protocols. For instance, if your network is using either WEP or WPA, we notify you about the risk of an attack. We then guide you in upgrading to a WPA2, WPA2-Enterprise, or WPA3-compatible router configuration to enhance your security posture.
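The kind of check described here, as an added example that is not Sonar's code: it parses a constructed scan transcript in the style of `iw dev wlan0 scan` output (an assumption; real output carries many more fields, which the parser ignores) and grades each AP against the recommendations in this article (WEP, WPA, TKIP and WPS flagged; WPA2-CCMP as the minimum; WPA2-Enterprise and WPA3 recognised).

```python
# Added example: grade scanned APs against this article's WEP/WPA/WPA2/WPA3 and WPS
# guidance. SCAN is a constructed sample in the style of `iw dev wlan0 scan` output.
import re
SCAN = """\
BSS 00:11:22:33:44:01(on wlan0)
    SSID: legacy-net
    capability: ESS Privacy (0x0011)
BSS 00:11:22:33:44:02(on wlan0)
    SSID: home-net
    capability: ESS Privacy (0x0411)
    WPA:     * Pairwise ciphers: TKIP CCMP
             * Authentication suites: PSK
    RSN:     * Group cipher: TKIP
             * Pairwise ciphers: CCMP
             * Authentication suites: PSK
    WPS:     * Wi-Fi Protected Setup State: 2 (Configured)
BSS 00:11:22:33:44:03(on wlan0)
    SSID: corp-net
    capability: ESS Privacy (0x0411)
    RSN:     * Pairwise ciphers: CCMP
             * Authentication suites: IEEE 802.1X
"""

def parse_scan(text):
    """One dict per BSS block: SSID, privacy bit, WPA/RSN presence, ciphers, AKMs, WPS state."""
    aps = []
    for block in re.split(r"^BSS ", text, flags=re.M)[1:]:
        aps.append({
            "ssid": re.search(r"SSID: (.*)", block).group(1).strip(),
            "privacy": "Privacy" in block,  # capability bit: set for WEP as well as WPA/WPA2/WPA3
            "wpa1": bool(re.search(r"^\s*WPA:", block, re.M)),  # legacy WPA (TKIP-era) element
            "rsn": bool(re.search(r"^\s*RSN:", block, re.M)),   # WPA2/WPA3 element
            "ciphers": set(" ".join(re.findall(r"ciphers?: (.*)", block)).split()),
            "akm": {a.strip() for a in re.findall(r"Authentication suites: (.*)", block)},
            "wps": "Setup State: 2" in block,  # 2 = Configured, i.e. WPS is live on this AP
        })
    return aps

def grade(ap):
    """Return (security level, findings); no findings means the AP meets the article's minimum."""
    if not ap["privacy"]:
        return "Open", ["no encryption at all"]
    if not ap["wpa1"] and not ap["rsn"]:
        return "WEP", ["WEP: single static key, deprecated; replace with WPA2-CCMP or better"]
    findings = [msg for hit, msg in (
        (ap["wpa1"], "WPA (v1) still enabled: disable it and leave only WPA2"),
        ("TKIP" in ap["ciphers"], "TKIP enabled: disable it and leave only CCMP"),
        (ap["wps"], "WPS configured: effective PIN space is only 11,000; disable WPS")) if hit]
    level = ("WPA3" if "SAE" in ap["akm"] else "WPA2-Enterprise" if "IEEE 802.1X" in ap["akm"]
             else "WPA2-PSK" if ap["rsn"] else "WPA-PSK")
    return level, findings
```

Running `grade` over `parse_scan(SCAN)` flags legacy-net as WEP, gives home-net three findings (WPA, TKIP, WPS) on top of WPA2-PSK, and passes corp-net as WPA2-Enterprise with nothing to fix.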


Sonar is included with Pulsar Cyber Shield: a comprehensive package of services designed to bring maximum security benefits at minimal cost without sacrificing quality. Learn more here.
Tim Connell

As Head of Enterprise Products for Pulsar Security, he guides the team in creating solutions which satisfy the needs of real-world customers, specializing in the areas of data management, storage network visibility, and enterprise security. Tim holds technical certifications as an Offensive Security Certified Professional (OSCP), CompTIA Network+, CompTIA Security+, GIAC Penetration Tester (GPEN), GIAC Web App Penetration Tester (GWAPT), and GIAC Python Coder (GPYC).