What Is WPA2 (Wi-Fi Protected Access 2)?

WPA2 (Wi-Fi Protected Access 2) is a network security technology used on Wi-Fi wireless networks. WPA2 has replaced the original WPA technology on all certified Wi-Fi hardware since 2006 and is based on the IEEE 802.11i standard for data encryption.
WPA2 vs. WPA and WEP
Wi-Fi Protected Access was designed as a replacement for the older and much less secure Wired Equivalent Privacy (WEP).
WPA2 should be used instead of WEP on home computer networks.
WPA2 also improves the security of Wi-Fi connections by requiring use of stronger wireless encryption methods than what the original WPA required.
AES vs. TKIP for Wireless Encryption
When setting up your network with WPA2, you will see several options to choose from, typically including a choice between two encryption methods – AES (Advanced Encryption Standard) and TKIP (Temporal Key Integrity Protocol). WPA2 added support for AES to provide stronger encryption than TKIP.
Many home routers allow administrators to choose from among the possible combinations:
WPA with TKIP (WPA-TKIP): This is the default choice for old routers that did not yet support WPA2.
WPA with AES (WPA-AES): AES was first introduced before the WPA2 standard was completed, although very few clients ever supported this mode.
WPA2 with AES (WPA2-AES): This is the default choice for newer routers and the recommended option for networks where all clients support AES.
WPA2 with AES and TKIP (WPA2-AES/TKIP): Routers need to enable both modes if any of their clients do not support AES. All WPA2-capable clients support AES; most WPA clients do not.
Any of these options is preferable to WEP or to using no encryption at all.
WPA2 Keys
Several different forms of WPA2 security keys exist.
WPA2 Pre-Shared Key (PSK) utilizes keys that are 64 hexadecimal digits long and is the method most commonly used on home networks. Many home routers label WPA2 PSK as "WPA2 Personal" mode; both names refer to the same underlying technology.
Limitations of WPA2
Most home routers support both WPA2 and a separate feature called Wi-Fi Protected Setup (WPS). While WPS is designed to simplify the process of setting up home network security, flaws in how it was implemented greatly limit its usefulness. With WPA2 enabled and WPS disabled, an attacker needs to somehow determine the WPA2 PSK the clients are using, a very time-consuming process. With both features enabled, an attacker only needs to find the WPS PIN, which in turn reveals the WPA2 key, a much simpler process. Security advocates recommend keeping WPS disabled for this reason.
WPA and WPA2 sometimes interfere with each other if both are enabled on a router at the same time. This can cause client connection failures.
Using WPA2 decreases the performance of network connections due to the extra processing load of encryption and decryption. That said, the performance impact of WPA2 is usually negligible. (WPA and especially WEP impacted performance much more.)
Even if you know you need to secure your Wi-Fi network (and have already done so), you probably find all the encryption acronyms a little bit puzzling. Read on as we highlight the differences between encryption standards like WEP, WPA, and WPA2–and why it matters which acronym you slap on your home Wi-Fi network.
What Does It Matter?
You did what you were told to do, you logged into your router after you purchased it and plugged it in for the first time, and set a password. What does it matter what the little acronym next to the security encryption standard you chose was? As it turns out, it matters a whole lot: as is the case with all encryption standards, increasing computer power and exposed vulnerabilities have rendered older standards at risk. It’s your network, it’s your data, and if someone hijacks your network for their illegal hijinks, it’ll be the police knocking on your door. Understanding the differences between encryption protocols and implementing the most advanced one your router can support (or upgrading it if it can’t support current gen secure standards) is the difference between offering someone easy access to your home network and sitting secure.
WEP, WPA, and WPA2: Wi-Fi Security Through the Ages
Since the late 1990s, Wi-Fi security algorithms have undergone multiple upgrades, with outright deprecation of older algorithms and significant revision of newer ones. A stroll through the history of Wi-Fi security serves to highlight both what is out there right now and why you should avoid older standards.
Wired Equivalent Privacy (WEP)
Wired Equivalent Privacy (WEP) is the most widely used Wi-Fi security algorithm in the world. This is a function of age, backwards compatibility, and the fact that it appears first in the encryption type selection menus in many router control panels.
WEP was ratified as a Wi-Fi security standard in September of 1999. The first versions of WEP weren’t particularly strong, even for the time they were released, because U.S. restrictions on the export of various cryptographic technology led to manufacturers restricting their devices to only 64-bit encryption. When the restrictions were lifted, it was increased to 128-bit. Despite the introduction of 256-bit WEP encryption, 128-bit remains one of the most common implementations.
Despite revisions to the algorithm and an increased key size, over time numerous security flaws were discovered in the WEP standard and, as computing power increased, it became easier and easier to exploit them. As early as 2001 proof-of-concept exploits were floating around and by 2005 the FBI gave a public demonstration (in an effort to increase awareness of WEP’s weaknesses) where they cracked WEP passwords in minutes using freely available software.
Despite various improvements, work-arounds, and other attempts to shore up the WEP system, it remains highly vulnerable and systems that rely on WEP should be upgraded or, if security upgrades are not an option, replaced. The Wi-Fi Alliance officially retired WEP in 2004.
Wi-Fi Protected Access (WPA)
Wi-Fi Protected Access was the Wi-Fi Alliance's direct response to, and replacement for, the increasingly apparent vulnerabilities of the WEP standard. It was formally adopted in 2003, a year before WEP was officially retired. The most common WPA configuration is WPA-PSK (Pre-Shared Key). The keys used by WPA are 256-bit, a significant increase over the 64-bit and 128-bit keys used in the WEP system.
Some of the significant changes implemented with WPA included message integrity checks (to determine if an attacker had captured or altered packets passed between the access point and client) and the Temporal Key Integrity Protocol (TKIP). TKIP employs a per-packet key system that was radically more secure than the fixed key used in the WEP system. TKIP was later superseded by the Advanced Encryption Standard (AES).
Despite the significant improvement WPA represented over WEP, the ghost of WEP haunted WPA. TKIP, a core component of WPA, was designed to be easily rolled out via firmware upgrades onto existing WEP-enabled devices. As such it had to recycle certain elements used in the WEP system which, ultimately, were also exploited.
WPA, like its predecessor WEP, has been shown via both proof-of-concept and applied public demonstrations to be vulnerable to intrusion. Interestingly, the process by which WPA is usually breached is not a direct attack on the WPA algorithm (although such attacks have been successfully demonstrated) but an attack on a supplementary system that was rolled out with WPA, Wi-Fi Protected Setup (WPS), designed to make it easy to link devices to modern access points.
Wi-Fi Protected Access II (WPA2)
WPA has, as of 2006, been officially superseded by WPA2. One of the most significant changes between WPA and WPA2 was the mandatory use of AES algorithms and the introduction of CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) as a replacement for TKIP (still preserved in WPA2 as a fallback system and for interoperability with WPA).
Currently, the primary security vulnerability to the actual WPA2 system is an obscure one (and requires the attacker to already have access to the secured Wi-Fi network in order to gain access to certain keys and then perpetuate an attack against other devices on the network). As such, the security implications of the known WPA2 vulnerabilities are limited almost entirely to enterprise level networks and deserve little to no practical consideration in regard to home network security.
Unfortunately, the same vulnerability that is the biggest hole in the WPA armor, the attack vector through the Wi-Fi Protected Setup (WPS), remains in modern WPA2-capable access points. Although breaking into a WPA/WPA2 secured network using this vulnerability requires anywhere from 2-14 hours of sustained effort with a modern computer, it is still a legitimate security concern and WPS should be disabled (and, if possible, the firmware of the access point should be flashed to a distribution that doesn’t even support WPS so the attack vector is entirely removed).
Wi-Fi Security History Acquired; Now What?
At this point, you’re either feeling a little smug (because you’re confidently using the best encryption scheme available for your Wi-Fi access point) or a little nervous because you picked WEP since it was at the top of the list. If you’re in the latter camp, don’t fret; we have you covered.
Before we hit you with a further-reading list of our top Wi-Fi security articles, here’s the crash course. This is a basic list ranking the current Wi-Fi security methods available on any modern (post-2006) router, ordered from best to worst:
WPA2 + AES
WPA + AES
WPA + TKIP/AES (TKIP is there as a fallback method)
WPA + TKIP
WEP
Open Network (no security at all)
Ideally, you'll disable Wi-Fi Protected Setup (WPS) and set your router to WPA2 + AES. Everything else on the list is a less than ideal step down from that. Once you get to WEP, your security level is so low it's about as effective as a chain-link fence: the fence exists simply to say "hey, this is my property", but anyone who actually wanted in would just climb right over it.
If all this thinking about Wi-Fi security and encryption has you curious about other tricks and techniques you can easily deploy to further secure your Wi-Fi network, your next stop should be browsing the following How-To Geek articles:
How To Secure Your Wi-Fi Network Against Intrusion
Don’t Have a False Sense of Security: 5 Insecure Ways to Secure Your Wi-Fi
How to Enable a Guest Access Point on Your Wireless Network
The Best Wi-Fi Articles for Securing Your Network and Optimizing Your Router
Armed with a basic understanding of how Wi-Fi security works and how you can further enhance and upgrade your home network access point, you’ll be sitting pretty with a secure Wi-Fi network in short order.
How to set up WPA2 on your wireless network
If you are like most people, your home or small office wireless router probably is running without any encryption whatsoever, and you are a sitting duck for someone to easily view your network traffic.
Some of you have put encryption on your wireless networks but aren't using the best wireless security methods. This means that you are running your networks with inferior protocols that offer a false sense of protection because these protocols are very easily broken into. It is the difference between using a deadbolt and a simple lock on your front door. For instance, Tom's Networking has a three-part series that shows you how easy it is to crack Wired Equivalent Privacy.
If you want to keep your neighbors out of your business, then you need to use Wi-Fi Protected Access version 2 (WPA2) encryption. This is now showing up on a number of routers and is worth the extra few steps involved to make sure your communications are secure. It is currently the best encryption method but getting it going isn't so simple. This recipe will show you how to make it work.
How does WPA2 differ from earlier versions? First, it supports the 802.11i encryption standards that have been ratified by the IEEE. These are the commercial-grade encryption products that are available on enterprise-class products.
Second, there are two encryption methods that WPA2 adds: one called Advanced Encryption Standard (AES) and one called Temporal Key Integrity Protocol (TKIP). Both of these allow for stronger encryption, and while the differences between the two aren't that important for our purposes, you should pick one method when you set up your network as you'll see in a moment.
Finally, the protocol creates a new encryption key for each session, while the older encryption standards used the same key for everybody -- which is why they were a lot easier to crack.
Also part of the new standard is Pairwise Master Key caching, where faster connections occur when a client goes back to a wireless access point to which the client already is authenticated. There is one more acronym I'll mention, and that is Pre-Shared Key or PSK. The WPA2 standard supports two different authentication mechanisms: one using standard RADIUS servers and the other with a shared key, similar to how WEP works. We'll get back to this in a moment, but let's show you how to get this train going.
Step 1: Windows OS: First make sure your operating system is up to date. If you are running Windows XP, you'll need service pack 2 and you'll need to download the WPA2 patch that's located here.
If you're using a Mac, you need to be running OS X 10.4.2 or better. Apple calls its version WPA2 Personal. While Linux is outside the scope of this article, you can get more information here.
Step 2: Wireless Adapter: While you are updating your Windows OS, you might want to make sure that the wireless adapter in your laptop is also up to the task of supporting WPA2. The Wi-Fi Alliance maintains an online database of products that is somewhat difficult to use. Go to their Web site, check the WPA2 box and then select which vendor you are interested in.
If you have a built-in Intel wireless adapter, it needs to be running Intel's ProSet version 7.1.4 or better, excluding versions 8.x. You can get more information on this page on Intel's Web site.
Step 3: Wireless access point/router: Next, make sure your router/gateway can support WPA2. If you have purchased it in the last year, chances are good that it does, but you might need to update your firmware as well. For the Belkin Pre-N router model 2000, I needed to update the firmware to version 2.01. An older model 1000 didn't support WPA2 and couldn't be upgraded. How can you tell the difference when you are buying one? You can't, other than opening the box and looking at the label on the bottom of the unit.
Here is how you set up the wireless security section of your router to support WPA2. In our examples here, we chose WPA2-AES. Here's a screenshot for the Belkin router:
[Screenshot: Belkin router wireless security settings (wpa4.jpg)]
You'll notice that you can obscure the key from being shown on the screen, which is a nice feature. That is the PSK that we mentioned earlier. Keep track of this; you'll need it later.
With this recipe, I also tried a Netgear WNR854T router, which didn't need any firmware update to support WPA2. Here is the screenshot from the Netgear router, where you can see the shared passphrase on the screen in the clear:
[Screenshot: Netgear router wireless security settings (wpa2.jpg)]
If you are using Apple's Airport router, you need to download the patch for Airport 4.2 here.
Step 4. Finishing the configuration: Now comes the fun part. Once you have your routers set up, you need to get the clients working properly. I'll show you the screens for Windows, but the Mac is similar.
The biggest issue is that you have to remember the PSK that you used to set up the router and enter it when prompted by the OS. You can enter any phrase from 8 to 63 characters, and obviously the longer the better. Don't forget to match the right combination of acronyms that you chose when you set up your router to match what is required in Windows' Wireless Properties Association dialog box, as shown in this screenshot:
[Screenshot: Windows Wireless Properties Association dialog (wpa3.jpg)]
Do this for all of the client computers on your network. Once you get everything working, if you take a look at your wireless connections screen, you should see something like this, where the wireless3 access point is showing that it has WPA2 security enabled:
[Screenshot: Windows wireless connections list showing WPA2 on wireless3 (wpa1.jpg)]
OK, now you should be done. If you aren't getting a connection, chances are there is a mismatch between your router and your client. Check all the steps and make sure that the WPA2 choices are showing up in the right places and that you have chosen the appropriate encryption method (AES or TKIP) for both router and client pairs. You might also have to use the wireless management software from your adapter vendor, rather than Microsoft's, to set up your connection. Once you have a working connection, you don't have to go through all these steps and should be connected securely automatically.
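The 64-hexadecimal-digit key described in the WPA2 Keys section and the 8-to-63-character passphrase you type in Step 4 are the same secret in two forms: the router and every client expand the passphrase into the 256-bit PSK with PBKDF2-HMAC-SHA1, using the SSID as the salt. This is an added example, not code from any of the articles above; the function names and the "HomeNetwork" SSID are assumptions, and the "password"/"IEEE" pair is the published IEEE 802.11i test vector.

```python
import hashlib
import re

# A router's WPA2-PSK field accepts either the raw 256-bit key as 64 hex
# digits, or an 8-63 character printable-ASCII passphrase that the router
# and every client expand into that key.
HEX_KEY_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def wpa2_psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Expand a passphrase into the 256-bit PSK.

    802.11i defines PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID,
    4096 iterations, 32 bytes). Because the SSID is the salt, the same
    passphrase yields a different PSK on every differently named network.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid_bytes, 4096, 32)


def router_psk(entered: str, ssid: str) -> bytes:
    """Mimic the router's key field: 64 hex digits are used as-is,
    anything else is treated as a passphrase and expanded."""
    if HEX_KEY_RE.match(entered):
        # Cannot be confused with a passphrase: passphrases top out at 63 chars.
        return bytes.fromhex(entered)
    return wpa2_psk_from_passphrase(entered, ssid)


if __name__ == "__main__":
    # "password"/"IEEE" is the 802.11i Annex test vector (constructed usage).
    psk = wpa2_psk_from_passphrase("password", "IEEE")
    print("PSK for 'password' on SSID 'IEEE':", psk.hex())
    # Entering those 64 hex digits directly gives the identical key.
    assert router_psk(psk.hex(), "IEEE") == psk
    # Same passphrase on a differently named (assumed) network: different PSK.
    print("PSK for 'password' on SSID 'HomeNetwork':",
          wpa2_psk_from_passphrase("password", "HomeNetwork").hex())
```

This is also why a client fails to associate when the SSID or passphrase differs by even one character: both sides derive a different PSK and the four-way handshake never completes.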