5.3 Wireless Router

Wireless security is critical for protecting the data transmitted over Wi-Fi networks. There are several security modes that are commonly used to secure wireless networks. These modes mainly define how the communication between devices (e.g., laptops, phones) and the access point (AP) is encrypted and authenticated. Below is an explanation of the different security modes available for wireless networks:

1. WEP (Wired Equivalent Privacy)

• Overview: WEP is one of the earliest wireless security protocols and was designed to provide a level of security equivalent to wired networks. It uses a shared key for encryption, which is applied to the data before transmission.

• Encryption Method: WEP uses RC4 encryption with a key length of 64-bit or 128-bit. The 64-bit encryption uses a 40-bit key plus a 24-bit initialization vector (IV), while the 128-bit version uses a 104-bit key plus the same 24-bit IV.

• Security Issues:

  • WEP is considered insecure because of weak encryption (RC4) and vulnerabilities like poor IV generation, which leads to the possibility of key reuse.
  • The encryption keys in WEP are static and can be cracked within minutes using tools like Aircrack-ng, making it unsuitable for modern wireless networks.

• Current Status: WEP has been deprecated and is not recommended for use due to its vulnerability to attacks.

---

2. WPA (Wi-Fi Protected Access)

• Overview: WPA was introduced as a replacement for WEP, providing improved security. It was designed to address the weaknesses in WEP by implementing stronger encryption methods.

• Encryption Method: WPA uses TKIP (Temporal Key Integrity Protocol) for encryption. TKIP dynamically changes keys for every data packet sent, improving security compared to WEP.

• Security Features:

  • TKIP dynamically generates a unique key for each packet, reducing the chances of key reuse.
  • Message Integrity Check (MIC) ensures that the data has not been tampered with during transmission.

• Security Issues:

  • While more secure than WEP, WPA still has some weaknesses. TKIP is not as strong as newer encryption methods like AES, and it is vulnerable to certain types of attacks like dictionary-based attacks.

• Current Status: WPA is still used in some legacy devices but is largely considered insecure compared to WPA2 and WPA3.

---

3. WPA2 (Wi-Fi Protected Access II)

• Overview: WPA2 is an improvement over WPA and is currently the most widely used security protocol. It provides significantly stronger encryption and security mechanisms.

• Encryption Method: WPA2 uses AES (Advanced Encryption Standard) for encryption, which is much more robust than TKIP. AES supports 128-bit keys, offering strong encryption that is resistant to brute-force and dictionary attacks.

• Security Features:

  • AES Encryption: Provides strong encryption that is almost impossible to break with current technology.
  • CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol): CCMP replaces TKIP and provides integrity and confidentiality for data transmission.

• Authentication: WPA2 can use either Pre-Shared Key (PSK) or 802.1X (Enterprise) for authentication. PSK is commonly used for home networks, while 802.1X is used for enterprise environments and offers greater security through centralized authentication (RADIUS servers).

• Security Issues:

  • WPA2 is generally secure but is vulnerable to attacks like the KRACK (Key Reinstallation Attack) discovered in 2017, which exploits a flaw in the WPA2 handshake.
  • Weak passphrases in PSK mode can still lead to vulnerabilities, so using complex passwords is critical.

• Current Status: WPA2 remains widely used and is recommended for most wireless networks today.

---

4. WPA3 (Wi-Fi Protected Access III)

• Overview: WPA3 is the most recent wireless security standard, introduced to address the shortcomings of WPA2 and provide enhanced security features, especially for modern devices.

• Encryption Method: WPA3 uses AES for encryption, but it adds new features to improve security further.

• Security Features:

  • Simultaneous Authentication of Equals (SAE): This is a new password-based authentication method that replaces WPA2’s Pre-Shared Key (PSK). SAE makes it much harder for attackers to guess the password, even if they have access to the encrypted data.
  • Forward Secrecy: Ensures that even if a hacker compromises a key in the future, past communications cannot be decrypted.
  • Enhanced Protection for Public Networks (OWE - Opportunistic Wireless Encryption): This feature provides encryption on open (non-password protected) networks, preventing eavesdropping.
  • Improved Brute-Force Resistance: The SAE protocol prevents attackers from conducting offline dictionary attacks by requiring each login attempt to interact with the AP.

• Security Improvements:

  • WPA3 is designed to be more resistant to offline dictionary attacks and provides improved encryption for devices on open networks.
  • The introduction of 256-bit security for enterprise networks enhances overall protection.

• Current Status: WPA3 is still being rolled out, but it is considered the future of Wi-Fi security, with increasing adoption in newer devices and routers.

---

5. WPA2-Enterprise vs. WPA2-Personal

• WPA2-Personal (Pre-Shared Key):

  • Used for: Home networks or small offices.
  • How it works: Uses a shared password (PSK) for all devices on the network. The same key is used for authentication, making it easier to set up but less secure if the key is weak or shared with too many people.

• WPA2-Enterprise (802.1X):

  • Used for: Larger businesses and enterprises.
  • How it works: Uses a RADIUS server for centralized authentication, meaning each device gets a unique key for access. This provides more granular control and better security, especially in environments with many users and devices.

---

Summary of Security Modes:

Security Mode	Encryption/Authentication	Main Use Case	Security Level
WEP	RC4, 40/104-bit keys	Legacy networks	Very Low
WPA	TKIP, Pre-Shared Key	Home networks	Low
WPA2	AES, CCMP, Pre-Shared Key	Home and small office	High
WPA3	AES, SAE, Forward Secrecy	Modern networks, public	Very High
WPA2-Enterprise	AES, 802.1X, RADIUS	Large enterprise networks	Very High

IMPORTANT

For most modern environments, WPA2 and WPA3 are the preferred security protocols, with WPA3 being the most secure option for new devices. WEP and WPA should be avoided, as they provide weak security. Always ensure to use strong passwords and consider upgrading to WPA3 for better protection.