
Wireless Security: WEP, WPA, WPA2 and WPA3 differences

As wireless networks continue to evolve, so do the security protocols designed to protect them. In this guide, you'll discover the various WLAN security standards and discern the disparities among WEP, WPA, WPA2, and WPA3. Securing wireless networks entails more than just setting passwords; it involves a range of other factors. Additionally, selecting the appropriate encryption level is paramount, as it can determine whether a wireless LAN operates with weak or robust security measures.

What is wireless security?

Wireless security is a complex domain with many aspects. The Internet of Things (IoT), personal devices and hybrid cloud environments are all part of the wireless network, and IT professionals are faced with the task of managing and securing these interconnected components.

The complexity does not stop there. IT experts also face further tasks, such as cloud-managed wireless LAN architectures, IoT devices that have no display interface, and end-user populations that resist new security measures that would restrict their internet access.

On top of this, there is the never-ending fight against a rising number of increasingly sophisticated attacks, including those that target the weaker parts of enterprise wireless networks.

Wireless network security denotes the set of methods and tools used to protect the WLAN infrastructure and the data that it carries. In short, wireless security ensures that only authorized endpoints can use a Wi-Fi network, through network access and security policies and the technology that enforces those policies and protects the network from breaches.

What is the role of wireless security in wireless technology?

Wired network security protects traffic between devices such as switches and routers, whereas wireless security is concerned with traffic travelling over the air between wireless devices. This includes the links between wireless access points (APs) and a controller device (or, in a mesh network, between the APs) and between the APs and the endpoints connected to the Wi-Fi network.

Encryption is the basis of network protection, especially in wireless LANs. It uses algorithms to scramble messages as they travel between wireless devices, so that intercepted messages are unreadable to anyone who does not have the decryption key.

Over time, wireless encryption standards have kept changing to meet changing network demands, new security threats, and weaknesses identified in earlier encryption protocols.

How do unsecured networks pose risks?

Just as an unlocked building is an easy target for burglars, an unsecured network is an easy target for an internal or external threat actor who aims to steal data, eavesdrop on conversations, or carry out other malicious activity. For wireless networks the stakes are even higher, since anybody within range can sniff the radio waves that carry Wi-Fi traffic without needing direct access to the hardware.

To illustrate the threat, imagine a person in a busy restaurant talking aloud about their credit card number and other personal details. Leaking information in the presence of others in this way invites fraud and identity theft. An unsecured or poorly secured wireless network is a similar risk that potential attackers can exploit.

Eavesdropping and data theft are not the only risks of unsecured wireless networks; threat actors can also use such networks as an entry point to the whole network of a company. Although encryption doesn't eliminate the risk, networks that use outdated encryption protocols are likely to attract attackers who are looking for other weaknesses in the wireless infrastructure.

Types of wireless security protocols

Most wireless access points offer the option to enable one of four wireless encryption standards:

  1. Wired Equivalent Privacy (WEP)
  2. Wi-Fi Protected Access (WPA)
  3. WPA2
  4. WPA3

Among WEP, WPA, WPA2 and WPA3, which is best?

In choosing the most reliable wireless security protocol among WEP, WPA, WPA2, and WPA3, experts agree that WPA3 should be the first choice for Wi-Fi security. WPA3, the most recent encryption standard, provides the highest level of security. Nonetheless, not all wireless access points (APs) support WPA3 yet. In those cases, WPA2, which is now the most common protocol in enterprise wireless networks, is the next best option.

Using the original wireless security protocol, WEP, or its successor, WPA, is strongly advised against, as both are obsolete and leave the wireless network highly susceptible to outside attack. Network administrators should replace any wireless AP or router that supports WEP or WPA with a newer device that is compatible with WPA2 or WPA3 in order to boost security.

How does WEP work?

WEP, or Wired Equivalent Privacy, was the first encryption algorithm for Wi-Fi, created by the Wi-Fi Alliance for the 802.11 standard. It was designed mainly to stop attackers from snooping on the wireless data transferred between clients and access points (APs). Although its aim was wireless security, WEP, which was launched in the late 1990s, lacked the mechanisms needed to protect data, and so the system was not secure enough.

WEP depends on the RC4 (Rivest Cipher 4) stream cipher for both authentication and encryption. Initially, the standard specified a 40-bit pre-shared encryption key; this was later increased to a 104-bit key after the U.S. government stopped enforcing the federal restrictions.

WEP requires the encryption key to be entered and updated manually. The key is combined with a 24-bit initialization vector (IV) to strengthen the encryption. However, the small size of the IV increases the chance of key reuse, which makes WEP weak and easy to crack. Besides this flaw, there are many other security vulnerabilities, for instance problematic authentication mechanisms, that undermine WEP's credibility as a wireless security measure.
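The following added example (not part of the original article) shows why IV reuse matters: RC4 is seeded with the IV and the shared key, so two frames with the same IV get the same keystream and the XOR of their ciphertexts equals the XOR of their plaintexts. It also computes how quickly a 24-bit IV repeats compared with a 48-bit one. The key, IV and frame contents are constructed sample values, IVs are assumed to be chosen at random, and WEP's integrity check value is left out.

```python
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling followed by n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, data: bytes) -> bytes:
    """WEP-style per-frame key: RC4 is seeded with IV || shared key.
    The IV is sent in the clear with every frame. Decryption is the same call."""
    return xor(data, rc4_keystream(iv + secret, len(data)))

def collision_probability(frames: int, iv_bits: int) -> float:
    """Birthday bound: chance that at least two of `frames` random IVs are equal."""
    return -math.expm1(-frames * (frames - 1) / (2 * 2 ** iv_bits))

def frames_for_half_chance(iv_bits: int) -> int:
    """Number of frames after which an IV repeat is more likely than not."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(2)))

# Constructed sample data: a 40-bit key and two frames that share one 24-bit IV.
SECRET = bytes.fromhex("0102030405")
IV = bytes.fromhex("a1b2c3")
P1 = b"GET /index.html "
P2 = b"user=alice&id=42"
C1 = wep_encrypt(IV, SECRET, P1)
C2 = wep_encrypt(IV, SECRET, P2)

if __name__ == "__main__":
    # Same IV and same key give the same keystream, so it cancels out.
    print("C1 xor C2 == P1 xor P2:", xor(C1, C2) == xor(P1, P2))
    print("frames for a 50% repeat, 24-bit IV:", frames_for_half_chance(24))
    print("P(repeat) in 20,000 frames, 24-bit:", collision_probability(20000, 24))
    print("P(repeat) in 20,000 frames, 48-bit:", collision_probability(20000, 48))
```

A busy access point sends a few thousand frames within seconds, which is why the 48-bit IV introduced with TKIP matters.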

How does WPA work?

WEP's many drawbacks made the need for a more secure replacement clear. However, the process of creating a new security specification was slow and meticulous, at odds with the urgency of the need. In response, the Wi-Fi Alliance released WPA (Wi-Fi Protected Access) as an interim standard in 2003, while the IEEE worked on a more advanced, long-term replacement for WEP.

WPA has separate modes for enterprise and personal use. The enterprise mode, WPA-Extensible Authentication Protocol (WPA-EAP), uses the more stringent 802.1X authentication and relies on an authentication server. The personal mode, WPA-Pre-Shared Key (WPA-PSK), uses pre-shared keys for easy implementation and management, which makes it suitable for consumers and small offices.

Although WPA, like WEP, uses the RC4 stream cipher, its main contribution is the set of significant improvements brought by the Temporal Key Integrity Protocol (TKIP). TKIP improved WLAN security by implementing the following features:

  • Use of 256-bit keys
  • Per-packet key mixing, which creates a unique key for every packet
  • Automatic transmission of updated keys
  • Message integrity check
  • A larger initialization vector (IV) of 48 bits
  • Mechanisms to reduce IV reuse

The Wi-Fi Alliance designed WPA to be backward-compatible with WEP, ensuring a smooth and fast transition. As a result, most WEP-based devices could support the new standard with a simple firmware upgrade. However, this backward compatibility also meant that WPA's security enhancements were less comprehensive than they could have been.

How does WPA2 work?

The IEEE ratified WPA2, the successor to WPA, in 2004 as the 802.11i standard. Like WPA, it has an enterprise mode and a personal mode. WPA2 replaces the RC4 stream cipher and Temporal Key Integrity Protocol (TKIP) used in WPA with two more robust encryption and authentication mechanisms:

(i) Advanced Encryption Standard (AES): This cryptographic standard is attributed to the U.S. government, which uses it to encrypt classified information. AES comprises three symmetric-key block ciphers that operate on 128-bit blocks and have key lengths of 128, 192, or 256 bits. AES demands more computing power from access points (APs) and their clients; however, improvements in computer and network hardware have addressed such concerns.

(ii) Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP): This mechanism protects data confidentiality by allowing only authorized network users to receive data. It chains each block into a message authentication code to ensure integrity, and it uses a counter to prevent replay attacks.

WPA2 is also backward-compatible with TKIP: it can fall back to TKIP when other devices can't handle CCMP.

Lastly, WPA2 introduced features that improve roaming. Clients can hand off between the APs of the same network without having to reauthenticate. This is achieved by means of the Pairwise Master Key (PMK) or a pre-authentication mechanism, so that mobile users can roam with ease.

KRACK reveals vulnerabilities in WPA2

The KRACK vulnerability exposes a flaw found in most WPA2 implementations.

In 2017, Belgian security researcher Mathy Vanhoef disclosed a serious security issue in WPA2, the key reinstallation attack (KRACK) vulnerability. It arises from the reinstallation of WPA2 wireless encryption keys, and it applies whether the network uses the more robust Extensible Authentication Protocol (EAP) in WPA2-Enterprise or preshared keys (PSK) in WPA2-Personal. The upshot is that all WPA2 protocol implementations are affected.

How KRACK Works

A Wi-Fi network sets up a cryptographic connection through an exchange of four-way handshake frames between an endpoint and an access point (AP). In this handshake, both devices prove that they know a previously shared authentication code without exposing it: the Pairwise Master Key (PMK) in enterprise mode and the Pre-Shared Key (PSK) in personal mode. At the stage of the handshake where the traffic encryption key is exchanged, the AP sends the traffic encryption key to the client. If the client does not acknowledge receipt of the key, the AP assumes a connectivity issue and retransmits the key.

A KRACK attacker, who must be in the same physical location as both the client and the network, takes advantage of this behavior. The retransmissions can be triggered, captured, analyzed, manipulated and replayed until the attacker determines the encryption key, decrypts the traffic and gains access to network data.

According to Vanhoef, the "flaws are in the Wi-Fi protocol itself, not in individual brand products or setups," meaning that every correct implementation of the WPA2 protocol is likely affected.
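The retransmission behavior described above can be modelled in a few lines. This added example (not part of the original article and not code from any Wi-Fi stack) compares a client that resets its packet counter each time the key is installed with one that ignores a retransmitted key already in use. The class, the method names and the session trace are hypothetical simplifications.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Client:
    """Client state for the traffic encryption key (simplified model)."""
    patched: bool
    installed_key: Optional[bytes] = None
    packet_number: int = 0            # per-frame counter used as the encryption nonce
    sent: list = field(default_factory=list)

    def on_key_message(self, key: bytes) -> None:
        """Handle the handshake frame in which the AP delivers the traffic key."""
        if self.patched and key == self.installed_key:
            return                    # retransmission of a key already in use: keep the counter
        self.installed_key = key
        self.packet_number = 0        # (re)installing the key resets the nonce

    def send_frame(self) -> tuple:
        """Each encrypted frame consumes one (key, nonce) pair."""
        self.packet_number += 1
        pair = (self.installed_key, self.packet_number)
        self.sent.append(pair)
        return pair

def reused_pairs(client: Client) -> set:
    """(key, nonce) pairs used more than once; each one means keystream reuse."""
    seen, reused = set(), set()
    for pair in client.sent:
        (reused if pair in seen else seen).add(pair)
    return reused

def run_session(patched: bool, retransmissions: int = 1) -> set:
    """Constructed trace: the key arrives, two frames go out, then the AP
    retransmits the key because it never saw the client's acknowledgement."""
    key = bytes(range(16))            # placeholder traffic key
    client = Client(patched=patched)
    client.on_key_message(key)
    for _ in range(2):
        client.send_frame()
    for _ in range(retransmissions):
        client.on_key_message(key)    # retransmitted key message
        for _ in range(2):
            client.send_frame()
    return reused_pairs(client)

if __name__ == "__main__":
    print("unpatched client reuses:", len(run_session(patched=False)), "nonce(s)")
    print("patched client reuses:  ", len(run_session(patched=True)), "nonce(s)")
```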

Industry Response and Mitigation

KRACK is considered a critical vulnerability in WPA2, and it has been covered extensively by many sources. Technology vendors subsequently released software patches to mitigate the risk until newer wireless security protocols were developed. However, there have been various claims that KRACK is not easy to execute in real-life scenarios.

According to cyber security researcher Martijn Grooten, "update when you can, not when you must."

The weakest link in the WPA2 security chain is its exposure to offline dictionary attacks.

WPA2's Vulnerability to Offline Dictionary Attacks

The four-way handshake used during WPA2 authentication sessions also leaves networks vulnerable to offline dictionary attacks when users have chosen a weak password. These attacks use an offline trial-and-error method: the possible combinations are pre-compiled and tested silently, without the target network being aware. From dramatic cyber breaches to minor online theft, knowing the kinds of threats that are out there will help you take the right steps to protect your business. The success of these attacks is reduced by long passwords that mix capital letters, lower-case letters, numbers and special symbols.
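The added example below (not part of the original article) takes the defender's side of this problem. It derives the WPA2-Personal master key the standard way, with PBKDF2-HMAC-SHA1 salted by the SSID, and then audits candidate passphrases against a wordlist and a rough search-space estimate. The wordlist, SSIDs, candidate passphrases, the guess rate of one million per second and the 100-year threshold are assumptions chosen for illustration.

```python
import hashlib
import math
import string

POOLS = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
         string.punctuation + " ")

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal master key: PBKDF2-HMAC-SHA1 over the passphrase, salted
    with the SSID, 4096 iterations, 256-bit output. Only the passphrase is
    secret, which is why guesses can be checked without touching the network."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def search_space_bits(passphrase: str) -> float:
    """Upper bound on strength: length x log2(size of the character pools used)."""
    pool = sum(len(p) for p in POOLS if any(ch in p for ch in passphrase))
    return len(passphrase) * math.log2(pool)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)

def audit(passphrase: str, wordlist: set, guesses_per_second: float = 1e6) -> str:
    """Verdict for one candidate passphrase. The guess rate is an assumed figure."""
    printable = passphrase.isascii() and passphrase.isprintable()
    if not (8 <= len(passphrase) <= 63 and printable):
        return "rejected: not 8-63 printable ASCII characters"
    if passphrase.lower() in wordlist:
        return "weak: appears in wordlist"       # length does not help here
    years = years_to_exhaust(search_space_bits(passphrase), guesses_per_second)
    return "weak: small search space" if years < 100 else "ok"

# Constructed sample inputs.
WORDLIST = {"password123", "letmein2024"}
CANDIDATES = ["short", "Password123", "abcdefgh", "Tr4il-Mix&Rainy-Lake!9"]

if __name__ == "__main__":
    for candidate in CANDIDATES:
        print(f"{candidate!r:28} {audit(candidate, WORDLIST)}")
    # Same passphrase, different SSID: the salt changes the derived key.
    strong = CANDIDATES[-1]
    print(wpa2_pmk(strong, "HomeNet") != wpa2_pmk(strong, "CafeNet"))
```

"Password123" passes the search-space estimate on its own and fails only because of the wordlist check, so a length and character-mix rule is not sufficient by itself.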

How Does WPA3 Work?

In 2018, the Wi-Fi Alliance began certifying devices for WPA3, the most recent and most secure wireless standard. As of July 2020, Wi-Fi certification requires WPA3 support on all devices, and WPA3 is currently the most secure protocol available for Wi-Fi networks.

Key Features and Improvements

(i) Protected Management Frames (PMF):

  • Purpose: PMF prevents interception of and interference with management frames, preserving the integrity of frames in transit.
  • Benefit: Improves overall network security and prevents attackers from tampering with control messages.

(ii) Enhanced Encryption:

  • Personal Mode (WPA3-Personal): Applies CCMP-128 and AES-128 cryptographic algorithms.
  • Enterprise Mode (WPA3-Enterprise): Offers an additional 192-bit security mode for users with more sensitive data. It is mainly intended for corporations and the financial and government sectors.

(iii) Improved Cryptographic Handshake:

  • Simultaneous Authentication of Equals (SAE): Uses an RSA-encrypted admittance ticket as opposed to the WPA2 PSK four-way handshake.
    • Function: Either the client or the AP can start the exchange, and each end then sends its credentials to the other in a single, separate step.
    • Benefit: The protocol uses each encryption key only once and encrypts each exchange with a new key, which makes eavesdropping harder and maintains a higher level of security.

(iv) Enhanced Security Against Offline Attacks:

  • Limiting Authentication Attempts: SAE restricts authentication to online users who are active and physically present. The system resists excessive password guessing and informs the ISP (Internet Service Provider) about it.
  • Forward Secrecy: WPA3 also aims to stop brute-force attacks by generating a new encryption key for every session, so an attacker cannot decrypt data that was captured in an earlier session.

(v) Wi-Fi Easy Connect:

  • Purpose: Defines a protocol for highly interoperable onboarding of IoT devices that lack human interfaces, typically by scanning a QR code.
  • Benefit: Makes establishing and maintaining this connection reliable and secure.

(vi) Wi-Fi Enhanced Open:

  • Purpose: Provides built-in encryption that automatically protects confidential data between the client and the AP on public Wi-Fi networks.
  • Benefit: Delivers stronger security on open networks with no user intervention required.

Addressing WPA2's KRACK Vulnerability

WPA3 was specifically designed to address the KRACK vulnerability found in WPA2 by:

  • Using SAE: The different security handshake in WPA3 (SAE) ensures that encryption keys are not reused, which also prevents key reinstallation attacks.
  • Mitigating Offline Attacks: This is achieved by changing keys for each session and limiting password guessing attempts, which makes offline dictionary attacks difficult.

Ongoing Security and Vulnerabilities

WPA3 is not free from vulnerabilities. In 2019, researchers Mathy Vanhoef and Eyal Ronen identified several vulnerabilities known as Dragonblood, which included:

  • Downgrade Attacks: A WPA3-capable device is pushed to fall back from WPA3 to a weaker security option.
  • Side-Channel Attacks: Exposed side-channel data makes it possible to mount offline dictionary attacks.

The Wi-Fi Alliance has acknowledged these problems and has said that they can be resolved through software updates.


WPA3 supplants the earlier security protocols within the Wi-Fi system with the latest, most secure wireless protocols available today. In comparison to its predecessors, WPA3 provides significantly enhanced security across encryption, authentication, and defense against various attacks. While these standards do not promise absolute immunity against threats, they establish a robust foundation for safeguarding contemporary wireless connectivity, especially when devices and networks are diligently maintained with up-to-date security patches.
