Episode 109: Wireless Protocols — WPA2, WPA3, TKIP, AES
Wireless encryption protocols form the foundation of modern Wi-Fi security. These protocols are responsible for ensuring that only authorized users can access the network and that the data transmitted across that network remains confidential and protected from eavesdropping. Without encryption, wireless traffic is vulnerable to interception by anyone within range of the signal. The A+ certification includes these topics within both the wireless networking and security domains, with a focus on the protocols known as WPA2, WPA3, TKIP, and AES.
WPA2, short for Wi-Fi Protected Access version 2, became the industry standard after replacing WPA. It introduced more robust encryption and is still the most widely deployed wireless security protocol in both home and business networks. WPA2 uses the Advanced Encryption Standard, or AES, which provides strong protection for data in transit. It also allows for both pre-shared key and enterprise authentication models, making it versatile for different environments. Despite being introduced more than a decade ago, WPA2 remains relevant and is still seen on most access points today.
WPA3 is the next evolution of wireless security. It builds upon the strengths of WPA2 but introduces significant enhancements that make it more secure against modern attacks. One of the key technologies used in WPA3 is Simultaneous Authentication of Equals, or SAE. This method replaces the traditional four-way handshake used in WPA2 and makes it much more difficult for attackers to capture authentication traffic and attempt offline brute-force attacks. As of 2020, WPA3 has been a required feature on new certified Wi-Fi devices.
When comparing WPA2 and WPA3, there are several important distinctions. WPA3 supports forward secrecy, which ensures that even if a key is compromised later, past sessions cannot be decrypted. It also provides stronger protection for weaker passwords by using a more secure key exchange. Although WPA3 is technically superior, WPA2 is still more commonly used, especially on older equipment. However, WPA3 is better suited for public networks and Internet of Things (IoT) devices, where lightweight and secure communication is essential.
TKIP, or Temporal Key Integrity Protocol, is an older encryption standard introduced with the original WPA specification. It was developed as a temporary solution to improve upon the weak WEP protocol while maintaining compatibility with existing hardware. TKIP still uses the RC4 cipher, which has known vulnerabilities. Although it improved key management compared to WEP, TKIP lacks the security and efficiency of AES. It is considered deprecated by modern standards and should not be used if more secure options are available.
AES, or Advanced Encryption Standard, is the preferred encryption method used in WPA2 and WPA3. It is a symmetric block cipher that encrypts data using a secret key shared between the client and the access point. AES replaced TKIP to deliver stronger encryption, better performance, and compliance with security standards such as those required in government and enterprise settings. Most modern wireless routers default to AES, and it is considered a best practice to use it exclusively unless compatibility issues require otherwise.
There are several reasons why TKIP is no longer recommended. First, it is susceptible to certain cryptographic attacks that can compromise the integrity of the data stream. Second, it delivers lower performance compared to AES, especially on modern networks with high throughput. Lastly, some routers and client devices may fall back to TKIP if mixed-mode security is enabled, reducing overall network security. Disabling TKIP entirely is often the best way to enforce AES-only operation and prevent accidental downgrades.
Encryption settings are typically configured in a router’s wireless security menu. Administrators can choose WPA2, WPA3, or a mixed mode that supports both. Within these modes, they can also select the encryption algorithm, such as AES or TKIP. For the best combination of performance and security, WPA2 or WPA3 with AES should be selected. Mixed modes should only be used if legacy devices require backward compatibility, and administrators must still ensure that secure passphrases are used.
Pre-shared key authentication, also known as PSK, is a model in which all clients use the same wireless password to access the network. This method is simple and effective for home users or small offices where user accounts and RADIUS servers are not used. WPA2-PSK and WPA3-PSK are the terms used to describe these authentication models with their respective encryption protocols. While easy to set up, shared passwords should be long, random, and periodically updated to reduce risk.
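To make the shared-key model concrete, here is an added example (not from the episode) that derives the WPA2-PSK pairwise master key exactly as IEEE 802.11i specifies it, from the passphrase and the SSID alone, and applies a passphrase check in the spirit of the advice above. The deterministic derivation is the property the earlier offline-guessing concern rests on; the 20-character minimum in check_passphrase is this example's own assumption, not a requirement of the standard.

```python
import hashlib

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key as IEEE 802.11i defines it:
    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so the same passphrase on a different SSID gives a
    different key, and every client that knows the passphrase derives the same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32)

def check_passphrase(passphrase: str, min_len: int = 20) -> list:
    """Return a list of problems with a WPA passphrase (empty means acceptable).
    The 8-63 printable-ASCII rule is the standard's; the 20-character minimum is
    this example's own policy (an assumption), standing in for 'long and random'."""
    problems = []
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("passphrase must be printable ASCII")
    if not 8 <= len(passphrase) <= 63:
        problems.append("passphrase must be 8 to 63 characters")
    elif len(passphrase) < min_len:
        problems.append("passphrase is shorter than the %d characters this policy requires" % min_len)
    return problems

if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password" on SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    print(check_passphrase("password") or "passphrase acceptable")
```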
For more cyber-related content and books, please check out cyber author dot me. Also, there are other prep casts on cybersecurity and more at Bare Metal Cyber dot com.
WPA3 is available in two main configurations: WPA3-Personal and WPA3-Enterprise. WPA3-Personal uses a pre-shared key model, similar to WPA2-PSK, but with a more secure handshake. WPA3-Enterprise, on the other hand, uses centralized authentication through a RADIUS server. This setup allows for per-user credentials, centralized logging, and advanced security features like certificate-based authentication. Enterprise mode is ideal for business environments, while Personal mode remains common for home and small office use.
Open wireless networks, which do not require a password to join, are inherently insecure. Any user within signal range can join and monitor unencrypted traffic. This leaves users vulnerable to data theft, session hijacking, and malicious content injection. A newer improvement called WPA3 Enhanced Open provides encryption for open networks without requiring a password. However, it must be supported by both the router and the client device. If Enhanced Open is not available, it’s best to avoid open networks unless a virtual private network (VPN) is being used to secure traffic.
Some administrators attempt to restrict access using MAC address filtering. This method allows only devices with approved MAC addresses to connect to the network. However, MAC addresses can be easily spoofed with basic tools. Because of this, MAC filtering is considered a weak form of access control and should not be relied on as a primary security mechanism. It may add a minor layer of control but does little to stop a determined attacker who can impersonate a valid device.
Another technique often discussed is disabling the SSID broadcast. When the SSID is hidden, it does not appear in the list of available networks on most devices. However, this does not actually protect the network from being found. Attackers can still discover hidden networks using packet capture tools. Furthermore, disabling the SSID broadcast can make it harder for legitimate users to connect, leading to frustration and misconfiguration. It’s better to use strong encryption than to rely on obscurity.
WPS, or Wi-Fi Protected Setup, was designed to make connecting to Wi-Fi easier by using a simple PIN code or push-button method. Unfortunately, WPS has known vulnerabilities that can be exploited to gain access to the network without knowing the Wi-Fi password. These exploits affect the PIN authentication mechanism and can bypass normal encryption. Best practice is to disable WPS on all routers and access points to eliminate this unnecessary attack surface.
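As an added illustration that is not from the episode, the following script audits a hostapd access-point configuration for the settings discussed in the last several paragraphs: WPA version-1 mixed mode, TKIP ciphers, WPS left enabled, and SAE without protected management frames, with a weak configuration beside a corrected AES-only one. The two embedded configurations are constructed samples; the key names are hostapd's own, and the TKIP default mentioned in one finding is the one hostapd.conf documents for wpa_pairwise.

```python
# Constructed hostapd.conf samples: a mixed-mode config that still allows TKIP and WPS,
# beside an AES-only WPA2/WPA3 transition config with WPS off and PMF enabled.
WEAK_CONF = """\
ssid=OfficeNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=correct horse battery staple
wps_state=2
"""
HARDENED_CONF = """\
ssid=OfficeNet
wpa=2
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
ieee80211w=1
wpa_passphrase=correct horse battery staple
wps_state=0
"""

def parse_conf(text: str) -> dict:
    """Map key -> value for 'key=value' lines; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit(text: str) -> list:
    """Return findings for weak settings; an empty list means none were found."""
    conf, findings = parse_conf(text), []
    wpa = conf.get("wpa", "0")
    if wpa in ("1", "3"):
        findings.append("wpa=%s still offers WPA (version 1); use wpa=2 for WPA2/WPA3 only" % wpa)
    if "rsn_pairwise" not in conf:
        findings.append("rsn_pairwise not set; hostapd falls back to wpa_pairwise (documented default: TKIP)")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append("%s allows TKIP; set %s=CCMP for AES-only operation" % (key, key))
    if conf.get("wps_state", "0") != "0":
        findings.append("wps_state=%s leaves WPS enabled; set wps_state=0" % conf["wps_state"])
    if "SAE" in conf.get("wpa_key_mgmt", "").split() and conf.get("ieee80211w", "0") == "0":
        findings.append("SAE (WPA3) needs protected management frames; set ieee80211w=1 or 2")
    return findings
```

Running audit(WEAK_CONF) lists the four problems; audit(HARDENED_CONF) returns an empty list.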
Here’s a scenario. A user is trying to connect a smartphone to a wireless network secured with WPA3 but cannot establish a connection. Upon inspection, the technician discovers that the smartphone only supports WPA2. To solve the issue, the router is changed to a mixed mode that allows both WPA2 and WPA3 connections. The device connects successfully. However, the technician also notes that newer devices should be prioritized and older hardware replaced when security is a concern.
There are tools available to test the encryption level used on a Wi-Fi connection. On a smartphone or laptop, you can check the Wi-Fi details to see if the network is using WPA2, WPA3, TKIP, or AES. Third-party utilities and mobile apps can also provide detailed analysis, including channel usage, signal strength, and encryption types. These tools are helpful in verifying router configurations and ensuring that weak protocols like TKIP are not accidentally enabled.
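To show what such a check can look like from a Linux laptop, here is an added example (not from the episode) that parses text in the shape of `iw dev wlan0 scan` output and labels each network as open, WPA, WPA2, WPA3, or WPA2/WPA3 transition mode, flagging TKIP, WPA version 1, and advertised WPS. The scan text is a constructed, abridged sample; real output carries many more fields, which the parser ignores.

```python
# Constructed sample shaped like abridged `iw dev wlan0 scan` output (real output has more fields).
SCAN = """\
BSS 02:00:00:00:01:00(on wlan0)
    SSID: LegacyNet
    WPA:     * Version: 1
         * Pairwise ciphers: TKIP CCMP
         * Authentication suites: PSK
    WPS:     * Version: 1.0
BSS 02:00:00:00:02:00(on wlan0)
    SSID: HomeNet
    RSN:     * Version: 1
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK SAE
BSS 02:00:00:00:03:00(on wlan0)
    SSID: CoffeeShop
"""

def parse_scan(text: str) -> dict:
    """Map SSID -> what the beacon advertises: WPA(v1) block, RSN block, ciphers, AKMs, WPS."""
    nets, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("BSS "):
            cur = {"wpa1": False, "rsn": False, "ciphers": set(), "akm": set(), "wps": False}
        elif s.startswith("SSID: "):
            nets[s[6:]] = cur
        elif s.startswith("WPA:"):
            cur["wpa1"] = True
        elif s.startswith("RSN:"):
            cur["rsn"] = True
        elif s.startswith("WPS:"):
            cur["wps"] = True
        elif s.startswith("* Group cipher:") or s.startswith("* Pairwise ciphers:"):
            cur["ciphers"].update(s.split(":", 1)[1].split())
        elif s.startswith("* Authentication suites:"):
            cur["akm"].update(s.split(":", 1)[1].split())
    return nets

def assess(net: dict) -> tuple:
    """Return (security label, warnings) for one parsed network."""
    if not (net["wpa1"] or net["rsn"]):
        return "open", ["no encryption: anyone in range can read the traffic"]
    if "SAE" in net["akm"]:
        label = "WPA2/WPA3 transition" if "PSK" in net["akm"] else "WPA3"
    else:
        label = "WPA2" if net["rsn"] else "WPA"
    warnings = []
    if net["wpa1"]:
        warnings.append("WPA (version 1) still offered")
    if "TKIP" in net["ciphers"]:
        warnings.append("TKIP offered; AES-only (CCMP) recommended")
    if net["wps"]:
        warnings.append("WPS advertised; disable it on the access point")
    return label, warnings
```

Iterating over parse_scan(SCAN).items() and printing assess(net) for each gives one line per network with its label and warnings.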
Encryption does affect network performance. While AES is much more efficient than TKIP, WPA3 can place a heavier load on older routers, especially if multiple clients are connected simultaneously. Some legacy routers may throttle throughput or crash under WPA3 traffic. It’s important to select encryption settings that match both your router’s capabilities and the needs of your users. In many environments, choosing WPA2 with AES offers the best balance of security and stability.
Firmware updates are often required to enable WPA3 on routers that originally shipped with only WPA2 support. Many vendors released updates in the early 2020s that added WPA3 functionality to consumer and business-grade hardware. Before enabling WPA3, you should visit the router manufacturer’s website to confirm compatibility and download the latest firmware. Keeping firmware current also addresses known vulnerabilities and improves overall router security.
To summarize, wireless encryption protocols are critical for protecting modern networks. WPA3 with AES provides the highest level of wireless security currently available. WPA2 is still widely used and acceptable when configured with AES. Legacy protocols like TKIP and insecure features like WPS should be avoided. For the A+ exam, you’ll be expected to choose the most secure and compatible settings based on scenario requirements, device support, and network use cases.
