Wi-Fi encryption standards || Which is good for you?
Configuring the options available for setting up a network for either personal or enterprise use is most important to have a secured and private network environment. Choosing wrong security levels and encryption standards may effect your experience, network security , exposes data being transmitted if hackers take advantage of flaws in network. So without going into deep technical details to have basic knowledge of these standards and make a choice for your network read on….
Various security flavorus available at present are
Open security standard is employed by not setting any passphrase to your Wi-Fi network and allowing people to connect to the network for free. But this type of option must not be opted though you use your network for good purposes, because you cannot be sure if the person accessing your network has good intention and you will be responsible for any illegal acts done by others connecting to your network.Also the local network services and file shares can be monitored if the network is open or configured to be public network. The bandwidth limits and connection slowdowns are other drawbacks of this option.
WEP ( Wired Equivalent Privacy )
WEP is security algorithm for wireless network created to provide privacy that is almost equal to that given by wired connection (hence the name) like ethernet cable. WEP is the basic mode and presently NOT suggested to use as it’s been proved to be vulnerable, easily after the deployment. WEP was superseded by WPA in 2003, announced by Wi-Fi Alliance.
WEP uses a user defined key(passphrase) with variable lengths( 40-bit, 104-bit, 128-bit, 232-bit) concatenated with a 24-bit initialization vector(IV) and fed to RC4 stream cipher to generate cipher text for transmission over the network. RC4 is used to maintain confidentiality and CRC-32 checksum for integrity on the network.
The short length of IV leaves less possible IV values and the repeated use of IV for multiple times on network packets with the static password , process of cracking the WEP key is easy using related key attacks.
WPA ( Wi-Fi Protected Access )
WPA is far better than WEP as it employs better encryption and authentication protocols. WPA has application for personal and enterprise use.
WPA for enterprise uses a central database on 802.1x RADIUS server, an authentication server for keys and certificate generation to provide greater security for sensitive data handled by organisations.
WPA for personal use has Temporary Key Integrity Protocol ( TKIP ) that is powerful than CRC used in WEP, but not robust as algorithms in WPA2.
Features of TKIP:
- Key mixing function
- Per-packet key hashing with unique key( Temporal Key )
- Packet sequencing
- Automatic broadcast of updated keys
Key mixing function will combine the key and IV ( 48 -bit) using few logics unlike simply concatenating like WEP and then passes to RC4. This narrows the occurrence of related key attacks made in WEP. Implementation of sequencing will eliminate packets that arrive out of order in network, shielding from replay attacks. Also TKIP uses Message Integrity Check ( MIC ) which prohibits an intruder to alter and resend data packets.
Network routers takes help of WPS ( Wi-Fi Protected Setup ) -an auxiliary system to simplify the linkage of devices to modern access points, but there are vulnerabilities exploited because of WPS and also access to MIC code of sessions in network make ARP poisoning , DoS, NOMORE, decryption and packet spoofing possible.
As WPA uses few technical standards of WEP ,WPA is also unable to be robust secure encryption. Because of unique key encryption , the devices outside of WPA network cannot attack devices inside the network, unless key is found to implement advanced attacks using the compromised network, i.e., attack on others in the same network which reduces the power of security.
WPA2 ( Wi-Fi Protected Access II )
The main advancement of WPA2 over WPA is that this uses group cipher – Advanced Encryption Standard ( AES ) along with Counter Mode Cipher Block Chaining Message Authentication Code Protocol ( CCMP ) , the most secure solution before WPA3. Though in early time of AES introduction, AES is not as widely spread as TKIP due to the usage of legacy routers , with AES as optional in WPA but in WPA2 AES is default encryption. WPA2 is too available in personal and enterprise modes, both employ PSK anyway.
WPA2 is vulnerable to brute force and dictionary attacks because the Pre-Shared Key ( PSK ) outputs static WPA2 encrypted key which can be decrypted to crack the actual key, also the 4-way handshake used for user authentication paves path for KRACK Attack. WPA2 needs more processing power to compute the algorithms for privacy.
WPA3 ( Wi-Fi Protected Access III )
WPA3 is the youngest in the list and has features that have overcome the vulnerabilities posed in WPA2. WPA3 is still in early stages of adoption.
You can know more about WPA3 and the drawbacks of WPA2 here.
Which is good for your router?
- Open – risky
- WEP – risky
- WPA-PSK ( TKIP )
- WPA2-PSK ( AES )
- WPA/WPA2-PSK ( TKIP/AES )
The 3 secure encryption types you can choose is as follows
- WPA3 – It is expected to be opted widely at present as it provides robust security and privacy.
- WPA2 with AES – Probably the best choice among the options with devices not supporting WPA3. This can be implemented on newer routers and no need to worry about the performance as the hardware supports the requirement of software.
- WPA/WPA2 with TKIP/AES – This option is to be chosen if the legacy devices doesn’t support AES completely. But if you choose this option there will be transmission latency.
WPA with TKIP – (not suggested for today’s time) This is the default good option for old routers and can be implemented on devices that supported WEP as the TKIP is designed to work on WEP devices for wider implementation of WPA . With the firmware updates, WEP routers can switch to WPA.
WEP – not suggested for today’s times as it much easy for intrusions
Open ( no security at all !!! )
Coming to the authentication types
Pre-Shared Key (PSK) and Enterprise version(802.1x with EAP), the latter is seen in business purposes- harder implementation though provides good security for more confidential data at organisation level needs. The former one is good for home and personal use when combined with good encryption.
In a nutshell !
Just setting passphrase alone cannot protect your network. Yes, stronger passphrase are important in securing the network but the encryption and security modes impact the privacy of your network. Choose the proper combination of Certification ( WPA or WPA2 ) , Authentication ( PSK mode or Enterprise mode ) , Encryption ( TKIP with RC4 or AES with CCMP ) to have firm network.
The old devices can be updated to use WPA ( no longer safe ) through firmware. But if they don’t , switching to new devices released after 2006 is a right choice which are equipped with WPA2 and also are backward compatible, incase the client devices are not supportive to latest standards. However, if WAP3 is adopted new devices need to purchased. WPA3 devices will also be backward compatible to communicate with client devices that still doesn’t work with WPA3.
Anything created will definitely have pros and cons, hence does these standards. But the patches that are designed have mastered those vulnerabilities and will have improvements in future too..like WPA2’s setbacks had been solved in WPA3.
Technology is ever-changing and we need to keep us updated and be secure.