Github Linkedin X Official Website Feedback

Summary of WPA and WPS Security in Wireless Networks

WPA: Wi-Fi Protected Access

WPA was introduced by the Wi-Fi Alliance as a temporary solution to replace WEP without requiring new hardware. It introduced stronger security mechanisms, most notably TKIP (Temporal Key Integrity Protocol), which made it more secure than WEP.

Key Features of WPA with TKIP:

  1. Improved Key Derivation: TKIP incorporates the initialization vector (IV) into the packet encryption key more securely, preventing key reuse.

  2. Sequence Counter: Protects against replay attacks by rejecting packets that arrive out of order.

  3. 64-bit Message Integrity Check (MIC): Detects packet tampering, preventing forgery or corruption.

Although WPA still used the RC4 cipher, TKIP enhanced the way keys were generated:

  • Key Mixing Function: Generated unique encryption keys for each packet, using a 256-bit key.

  • The Wi-Fi passphrase (pre-shared key) is not directly used to encrypt traffic but serves as a factor in deriving the encryption key using PBKDF2 with the SSID as a salt.

Brute-Force Resistance:

  • WPA increases the computational difficulty of brute-force attacks by running the pre-shared key through HMAC-SHA1 4,096 times, making it harder for attackers to crack the passphrase.

WPS: Wi-Fi Protected Setup

Introduced in 2006, WPS makes it easier for users to connect to Wi-Fi networks securely without directly entering the passphrase. It provides multiple methods for clients to join the network:

WPS Methods:

  • PIN Entry: Vulnerable to brute-force attacks due to weak PIN structure.

  • NFC or USB: Used for out-of-band transmission of network details.

  • Push Button Authentication: Requires pressing a button on both the AP (Access Point) and client side.

WPS Vulnerabilities:

  • The PIN Entry Method is particularly weak:

    • Uses an 8-digit PIN, but only 7 digits are used for verification, making the maximum possibilities 10^7 (10 million).

    • The PIN is verified in two halves, reducing the number of possible combinations to 11,000 (10,000 for the first half, and 1,000 for the second half).

    • Without rate limiting, this attack can reveal the PIN and pre-shared key in less than 4 hours.

Mitigation:

  • The Wi-Fi Alliance introduced a lockout period after three incorrect PIN attempts, increasing the time to crack the PIN from 4 hours to 3 days. However, determined attackers could still brute-force the PIN within that time frame.

Impact of WPS Breaches:

  • Reusing the PIN: Even if the Wi-Fi password is changed, the compromised WPS PIN can still be reused to gain access, making the attack persistent unless WPS is disabled.

PreviousWEP Encryption and Why It Shouldn't Be Used Anymore 🚫🔑NextWPA2: Advanced Security Protocol for Wi-Fi Networks

Last updated