6.9. Wireless Security Protocols
💡 First Principle: Wireless traffic travels through the air—anyone within range can capture it. Unlike wired networks where an attacker needs physical access, wireless attackers can sit in a parking lot with a laptop. That's why wireless encryption isn't optional; it's the only thing standing between your users and anyone with an antenna.
Consider this real-world attack: Someone parks outside your office with a laptop and a directional antenna. If your network uses WEP (still found in older deployments), they capture a few minutes of traffic and crack the key with free tools. Now they have full network access—browsing your file shares, accessing internal applications, pivoting to attack servers. They never set foot in your building.
What happens when you choose the wrong protocol: WEP can be cracked in under 10 minutes. WPA-TKIP has known vulnerabilities. Even WPA2-PSK is vulnerable to dictionary attacks if someone captures the four-way handshake—weak passwords like "CompanyWifi2024" fall quickly. Only WPA2 with strong passwords, or WPA3, provides real security.
The Evolution of Wireless Security:
| Protocol | Encryption | Status | The Problem |
|---|---|---|---|
| WEP | RC4 (broken) | ❌ Banned | Can be cracked in minutes with free tools |
| WPA | TKIP | ⚠️ Deprecated | Stopgap fix, still has vulnerabilities |
| WPA2 | AES-CCMP | ✅ Standard | Strong encryption, but PSK mode has dictionary attack risk |
| WPA3 | AES-GCMP + SAE | ✅ Recommended | Fixes WPA2's weaknesses, forward secrecy |
What makes WPA3 better?
- SAE (Simultaneous Authentication of Equals): Even if an attacker captures your handshake, they can't run an offline dictionary attack. WPA2-PSK allows this.
- Forward secrecy: Compromising today's key doesn't decrypt yesterday's captured traffic
- Protected management frames: Prevents deauthentication attacks
WPA2 Modes: Personal vs Enterprise
The choice between Personal and Enterprise modes is really about how you manage credentials:
| Mode | How Authentication Works | When to Use | The Trade-off |
|---|---|---|---|
| WPA2-Personal (PSK) | Everyone uses the same password | Home, small office | If one person shares the password, everyone's compromised |
| WPA2-Enterprise | Each user has unique credentials (802.1X/RADIUS) | Business | Requires RADIUS infrastructure, more complex |
The PSK problem: In Personal mode, everyone on the network uses the same pre-shared key. When an employee leaves, do you change the password and redistribute it to 500 people? In Enterprise mode, you just disable that one user's account.
⚠️ Exam Trap: WPA3 has two modes too—WPA3-Personal uses SAE (not PSK), while WPA3-Enterprise adds a 192-bit security suite for sensitive environments. Don't confuse SAE with PSK.
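The protocol table and the PSK/SAE distinction above, turned into a configuration check. This is an added example, not part of the original guide: it assumes the access point is configured with hostapd-style keys (`wpa`, `wpa_key_mgmt`, `wpa_pairwise`, `rsn_pairwise`, `ieee80211w`, `wep_key0`, `wpa_passphrase`), and the two sample configs and the 16-character minimum are constructed for illustration.

```python
# Added example: audit hostapd-style AP settings against the protocol table.
# Only settings written in the file are judged; hostapd defaults are not modelled.

LEGACY_CONF = """\
ssid=corp-wifi
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=CompanyWifi2024
"""

WPA3_CONF = """\
ssid=corp-wifi
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(text, min_len=16):  # min_len is an assumed policy value, not from the page
    conf = parse_conf(text)
    wpa = int(conf.get("wpa", "0"))  # bit 0 = WPA, bit 1 = RSN (WPA2/WPA3)
    akms = set(conf.get("wpa_key_mgmt", "").split())
    ciphers = set((conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split())
    findings = []
    if any(k.startswith("wep_key") for k in conf):
        findings.append(("critical", "WEP key configured (RC4, banned)"))
    elif wpa == 0:
        findings.append(("critical", "no WPA mode enabled: traffic is unencrypted"))
    if wpa & 1:
        findings.append(("high", "WPA (version 1) enabled: deprecated"))
    if "TKIP" in ciphers:
        findings.append(("high", "TKIP pairwise cipher allowed: permit CCMP or GCMP only"))
    if "WPA-PSK" in akms:
        findings.append(("medium", "PSK mode: a captured handshake allows offline dictionary attack"))
        if "wpa_passphrase" in conf and len(conf["wpa_passphrase"]) < min_len:
            findings.append(("high", f"passphrase shorter than {min_len} characters"))
    if wpa and conf.get("ieee80211w", "0") != "2":
        findings.append(("medium", "protected management frames not required (set ieee80211w=2)"))
    return findings

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY_CONF), ("wpa3", WPA3_CONF)):
        print(name, audit(conf) or "no findings")
```

The legacy sample trips every row of the table that the guide marks deprecated or risky, while the SAE-only config with required management frame protection returns no findings.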