First Impressions
The first time I was exposed to wireless internet was with my friend Paul. He was moving into a new house and showed me a Linksys router with 802.11b. At the time I didn’t have access to broadband internet as my family was out on 10 acres and did not have access to broadband, we were still using dial-up at a blazing 56kbps throughput. At the time, the concept to me that you could have megabytes per second of internet throughput floating through the air boggled my mind.
Open, over-the-air access to such a valuable resource as the internet opens the possibility of people jumping in and taking access and bandwidth. More insidiously, considering internet encryption was early days and most websites used it very sparingly – a shocking amount of information could be gleaned by bad actors attaching to open wifi networks.
WEP
Wired Equivalent Privacy or WEP was implemented on early wifi routers that attempted to secure your home internet that both safeguards your network and stops “Bob” who drives up and down the street from downloading questionable internet content using your beloved net connection.
WEP was ratified as an IEEE security standard in 1999 and quickly replaced in 2003 by WPA. WEP had a few things going against it.
- Low Encryption – The US government wasn’t (still isn’t but has eased a bit) a huge fan of strong encryption capabilities being in the hands of everyday consumers. WEP initially shipped with 40-bit key encryption as standard, eventually moving to 64 and then 128-bit keys as standard. The lower the bits for keys, the easier to break the encryption.
- Difficult to use – WEP requires a 10 or 26 hexadecimal key, and they had to be 10 or 26 – nothing in between, higher or lower. Due to the rigidity of this, most people turned this functionality off – if it wasn’t already off by default from the manufacturer.
- Inherent Design Flaw – There’s an inherent design flaw in WEP that could not be fixed. This was significantly exploited in 2005, allowing any WEP-secured network to be cracked in a couple of minutes.
WPA
Wi-fi Protected Access or WPA was a quick change to move away from WEP. While it had flaws and should not be used today due to those flaws, it was an improvement over the initial WEP standard. WPA came only 4 short years after WEP as the flaws of WEP became more apparent. WPA introduced TKIP (Temporary Key Integrity Protocol) which was a step up and covered flaws introduced by WEP, such as exposing one computer traffic to all computers on a wifi network.
Unfortunately, TKIP had its own issues, such as being vulnerable to man-in-the-middle attacks. This necessitated adjustment for TKIP and the WPA standard leading to WPA2 in 2004 – only one year after WPA was accepted by IEEE.
WPA2
WPA2 was accepted in 2004 as 802.11i by IEEE. This standard, which is widely in place today, addressed the known vulnerabilities with WPA and WEP and enabled a more secure wireless connection. TKIP was removed and Advanced Encryption Standard (AES – which was US government-developed), as well as Chaining Message Authentication Code Protocol (CCMP), was added.
WPA2 also had great usability enhancements such as improved roaming capabilities between wireless access points, enabling RADIUS authentication for enterprises to bridge authentication to larger enterprise domains.
While WEP-WPA2 lasted about 5 years (1999-2004) as standard revisions, WPA2 has lasted as the recommended standard from 2004 to 2018 which changed due to the acceptance of WPA3. Similar to the downfall of the previous standards, WPA2 has had security vulnerabilities identified in the base standard that can’t be ‘fixed’ – though patches have been released under the WPA2 standard by vendors to help minimize risks of the identified vulnerabilities.
WPA3
2018 saw the availability of WPA3. Though available in 2018, as of this writing in 2022 the standard is not prevalently supported in devices, at least not until wifi6 (which is 802.11ax). The move to WPA3 should match the natural adoption of the wifi6 standard over the next few years. Similar to WPA2 and WPA before it, the natural benefit to WPA3 is that it will resolve the design issues with the previous revision and create improvements and benefits for users adapting to current uses of wireless technology.
The key benefits of WPA3 are:
- Per Connection Privacy – WPA3 enables per connection separate encryption leveraging SAE (Separate Authentication of Equals). SAE requires that encryption keys are new, and established at a per-connection level to (hopefully) eliminate the possibility of connection snooping.
- Protection from Dictionary Attacks – Limits are set to authentication attempts to curb or eliminate the possibility of dictionary attacks to prevent unauthorized access to a wifi network.
- IoT ease of use – devices that have no screen will have a standardized way to easily connect to your network (think WPS push button enabling of devices) – called “WiFi easy connect”.
Future of Wireless Security
There’s not much to say here, at least as of this writing. The foreseeable future will be WPA3. Beyond the WPA3 rollout, there will hopefully be a new revision (WPA4?) around 2040, barring any kind of fundamental flaw being identified in WPA3!