Pavel Ignatov - Fotolia
In wireless security, passwords are only half the battle. Choosing the proper level of encryption is just as vital, and the right choice will determine whether your wireless LAN is a house of straw or a shielded fortress.
Most wireless access points come with the ability to enable one of three wireless encryption standards: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) or WPA2. Explore the chart below to get a basic understanding of the differences between WPA, WEP and WPA2, as well as the uses and mechanisms of each one of these wireless security protocols, and to find out whether WPA, WEP or WPA2 is the best choice for your environment.
WPA vs. WPA2 vs. WEP
Looking for a slightly deeper dive on wireless security protocols? No need to crack open a textbook -- we've got you covered here, too.
Wired Equivalency Privacy (WEP)
Developed in the late 1990s as the first encryption algorithm for the 802.11 standard, WEP was designed with one main goal in mind: to prevent hackers from snooping on wireless data as it was transmitted between clients and access points (APs). From the start, however, WEP lacked the strength necessary to accomplish this.
Cybersecurity experts identified several severe flaws in WEP in 2001, eventually leading to industrywide recommendations to phase out the use of WEP in both enterprise and consumer devices. After a large-scale cyberattack executed against T.J. Maxx in 2009 was traced back to vulnerabilities exposed by WEP, the Payment Card Industry Data Security Standard prohibited retailers and other entities that processed credit card data from using WEP.
WEP uses the RC4 stream cipher for authentication and encryption. The standard originally specified a 40-bit, preshared encryption key -- a 104-bit key was later made available after a set of restrictions from the U.S. government was lifted. The key must be manually entered and updated by an administrator.
The key is combined with a 24-bit initialization vector (IV) in an effort to strengthen the encryption. However, the small size of the IV increases the likelihood that keys will be reused, which, in turn, makes them easier to crack. This characteristic, along with several other vulnerabilities -- including problematic authentication mechanisms -- makes WEP a risky choice for wireless security.
Wi-Fi Protected Access (WPA)
The numerous flaws in WEP revealed the urgent need for an alternative, but the deliberately slow and careful processes required to write a new security specification posed a conflict. In response, in 2003, the Wi-Fi Alliance released WPA as an interim standard, while the Institute of Electrical and Electronics Engineers (IEEE) worked to develop a more advanced, long-term replacement for WEP.
WPA has discrete modes for enterprise users and for personal use. The enterprise mode, WPA-EAP, uses more stringent 802.1x authentication with the Extensible Authentication Protocol, or EAP. The personal mode, WPA-PSK, uses preshared keys for simpler implementation and management among consumers and small offices. Enterprise mode requires the use of an authentication server.
Although WPA is also based on the RC4 cipher, it introduced several enhancements to encryption -- namely, the use of the Temporal Key Integrity Protocol (TKIP). The protocol contains a set of functions to improve wireless LAN security: the use of 256-bit keys, per-packet key mixing -- the generation of a unique key for each packet -- automatic broadcast of updated keys, a message integrity check, a larger IV size (48 bits) and mechanisms to reduce IV reuse.
WPA was designed to be backward-compatible with WEP to encourage quick, easy adoption. Network security professionals were able to support the new standard on many WEP-based devices with a simple firmware update. This framework, however, also meant the security it provided was not as robust as it could be.
Wi-Fi Protected Access 2 (WPA2)
As the successor to WPA, the WPA2 standard was ratified by the IEEE in 2004 as 802.11i. Like its predecessor, WPA2 also offers enterprise and personal modes. Although WPA2 still has vulnerabilities, it is considered the most secure wireless security standard available.
WPA2 replaces the RC4 cipher and TKIP with two stronger encryption and authentication mechanisms: the Advanced Encryption Standard (AES) and Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), respectively. Also meant to be backward-compatible, WPA2 supports TKIP as a fallback if a device cannot support CCMP.
Developed by the U.S. government to protect classified data, AES is composed of three symmetric block ciphers. Each encrypts and decrypts data in blocks of 128 bits using 128-, 192- and 256-bit keys. Although the use of AES requires more computing power from APs and clients, ongoing improvements in computer and network hardware have mitigated performance concerns.
CCMP protects data confidentiality by allowing only authorized network users to receive data, and it uses cipher block chaining message authentication code to ensure message integrity.
WPA2 also introduced more seamless roaming, allowing clients to move from one AP to another on the same network without having to reauthenticate, through the use of Pairwise Master Key caching or preauthentication.
Advice on optimizing your WLAN performance and reliability