Tips on Choosing Security Mode for Your Wi-Fi

Released On: 2019-09-19 06:30:34
Last update time: 2021-01-04 01:38:45

Today, Wi-Fi has become as essential to our lives as water and air. You probably never think about what happens to your data after it is sent into the open air, but wireless communication has been inextricably associated with security, or rather the lack of it, since it started.

Fortunately, many security technologies have been developed to secure wireless communication. With a proper security mode, surfing the internet over a wireless connection can be almost as secure as over a wired one.

Here comes the big question: how to choose a proper security mode?

This article discusses the basic concepts of security modes and the points to note for each mode, which will help you adjust your network security settings with confidence. To quickly choose a proper security mode, refer to 3 Summary: How to Choose a Proper Security Mode?.

1  What Do We Mean When Talking About Security Modes?

To set a security mode for a Wi-Fi network, you choose a security mode on the management page of the AP (in this article, AP refers to both AP and router devices), and all clients must use the same security mode to join the network.

When talking about security modes in wireless networks, two topics are involved: authentication and encryption.

Authentication is the process of validating users who are trying to connect to the wireless network. It occurs every time a client attaches to a network. Clients must identify themselves and present credentials, such as usernames and passwords or digital certificates. In short, it’s based on WHO YOU ARE.

After a successful authentication, encryption occurs.

Encryption provides mechanisms for data privacy. A wireless signal radiates away from the transmitting device just like light radiates away from a bulb: it travels in all directions. In other words, anyone within range can receive the signal. Therefore, we must take action to ensure data privacy. Encryption is about HIDING AND RECOVERING DATA so that only the sender and recipient can read it.

2  How Has 802.11 Security Evolved?

To better understand wireless security modes, it’s important to learn about its history.

Over the years, different organizations and vendors have developed security solutions to enhance wireless network security or to make up for shortcomings in the standard. Among these solutions, the Institute of Electrical and Electronics Engineers (IEEE) adopted those developed by the Wi-Fi Alliance and by itself into the 802.11 standards.

The following figure shows the evolving model of 802.11 security.

Figure 2-1 Evolving Model of 802.11 Security



The following table shows today’s mainstream security modes and their corresponding authentication and encryption methods. Your device may provide some of the listed security modes or their variants.

Note: WPA3 is the latest security mode and provides many benefits, but for now it’s not a mainstream mode.

Table 2-1 Mainstream Security Modes

As you can see, each security mode takes its name from either its authentication method or its encryption method.

Now let’s take a closer look at why the above security modes became mainstream based on the evolving model.

2.1  WEP
The WEP security mode family consists of one encryption method (WEP) and two authentication methods (Open System and Shared Key). It’s defined by the original 802.11 standard (1997-2004), which is also called Legacy 802.11 Security.

■  WEP Encryption

WEP (Wired Equivalent Privacy), as the name suggests, was developed with the goal of providing security equivalent to that of wired networks. Before 2004, it was the only encryption method defined by the original IEEE 802.11 standard.

However, it has long been cracked, which means it cannot provide effective protection for Wi-Fi networks. As a result, it is not allowed with 802.11n and later standards. You can still use WEP on many 802.11n or newer devices, but the data rate will drop to 802.11g levels. Have you ever suffered long loading times and lag despite sufficient bandwidth and the latest Wi-Fi router, such as an 802.11ax router? That may be the reason.

If WEP is so bad, why do most APs still support it? Because WEP was at one time the only widely used standard for wireless security, some early devices support only WEP. To stay backward compatible with these devices, most APs still provide WEP security.

In conclusion, don’t use WEP security unless your network has devices that support only WEP.

■  Open System Authentication

Open System authentication is the simpler of the two authentication methods. Only two messages (request and response) are exchanged between the client and the AP, and no client verification of any kind is required.

However, it is the only legacy security mechanism that hasn’t been deprecated. That may seem confusing, but the reason is straightforward: in many cases, other overlay authentication methods that provide more advanced security, such as 802.1X/EAP, run on top of it. As the following figure shows, Open System authentication simply lets the client associate with the AP.

Figure 2-2 Open System Works with 802.1X/EAP

■  Shared Key Authentication

As the following figure shows, Shared Key authentication is a 4-way handshake process. It requires both the client and the AP to be configured with a static WEP key, and the authentication will fail if the static WEP keys don’t match.

If Shared Key authentication succeeds, the same static WEP key will also be used to encrypt the 802.11 data frames.

Figure 2-3 Shared Key Authentication Exchange

It may seem that Shared Key authentication provides a more secure solution than Open System authentication, but the opposite is true. An attacker who captures the cleartext (unencrypted data) and the corresponding encrypted text from the handshake can easily derive the static WEP key. This is a disaster for the network, as the same key is also used to encrypt all data traffic.

If WEP is the only available encryption option, choose Open System authentication rather than Shared Key.

2.2  WPA
WPA was introduced by the Wi-Fi Alliance as a preview of the 802.11i amendment, at a time when WEP, the only encryption method, had been proven to have serious security weaknesses and people could not wait for the ratification of 802.11i.

For authentication, WPA uses Pre-Shared Key (PSK) authentication in home environments and 802.1X/EAP authentication in enterprises. WPA is therefore divided into two versions: WPA-Personal for home and WPA-Enterprise for business. For encryption, both WPA-Personal and WPA-Enterprise use TKIP/RC4.

■  Pre-Shared Key Authentication

Pre-Shared Key authentication is also a 4-way handshake process, as mentioned under Shared Key Authentication, but its security level has been improved through the following solutions:

  • It uses a longer key to encrypt the cleartext in the third message of the handshake.

Pre-Shared Key authentication uses a 256-bit PSK, while Shared Key authentication uses a static WEP key of at most 104 bits.

Moreover, for convenience, Pre-Shared Key authentication provides a mapping formula that converts a short (8-63 character) password into the 256-bit PSK. You only need to configure an easy-to-remember password on the AP and all clients; Pre-Shared Key authentication then automatically uses the 256-bit PSK to encrypt the cleartext.

Figure 2-4 Password and PSK Mapping

  • It uses a far more complex key to encrypt the data traffic.

Shared Key authentication directly uses the static WEP key to encrypt the data traffic, while Pre-Shared Key authentication combines the PSK with other parameters to generate dynamic keys for data encryption. This makes it harder for attackers to decrypt the data traffic.

However, risks still exist in Pre-Shared Key authentication. An attacker with advanced security knowledge can crack the password first and then obtain the other parameters needed to calculate the encryption keys. After that, all data traffic is exposed to the attacker.

For this reason, we recommend that you do not use WPA-Personal in an enterprise network. For a home network, do not use easy-to-guess passwords such as telephone numbers or birthdays. Always use a long password (at least 12 characters) containing numbers, capital letters, small letters, and preferably symbols. Cracking such a password becomes impractical because of the high computational cost.
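The password-to-PSK mapping described above is PBKDF2 with HMAC-SHA1, 4096 iterations, the SSID as salt and a 32-byte (256-bit) output. The following Python is an added example, not code from the original article: it derives the PSK the way an AP and client both do, and checks a password against the advice given here (at least 12 characters with numbers, capital and small letters). The sample input is the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE").

```python
import hashlib

# WPA/WPA2-Personal maps an 8..63 character passphrase to the 256-bit PSK with
# PBKDF2-HMAC-SHA1, using the SSID as the salt and 4096 iterations (IEEE 802.11i).
PBKDF2_ITERATIONS = 4096
PSK_LEN = 32  # bytes, i.e. 256 bits


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK that the AP and every client compute from the passphrase.

    The SSID acts as the salt, so the same passphrase yields a different PSK on
    a network with a different name.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, dklen=PSK_LEN,
    )


def check_passphrase_policy(passphrase: str) -> list:
    """Return the reasons a passphrase fails the article's advice (empty list = acceptable).

    The advice: at least 12 characters, containing numbers, capital letters and
    small letters. Symbols are recommended but not enforced here.
    """
    problems = []
    if len(passphrase) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.isdigit() for c in passphrase):
        problems.append("no digits")
    if not any(c.isupper() for c in passphrase):
        problems.append("no capital letters")
    if not any(c.islower() for c in passphrase):
        problems.append("no small letters")
    return problems


if __name__ == "__main__":
    # Published IEEE 802.11i test vector (Annex H): passphrase "password", SSID "IEEE".
    psk = passphrase_to_psk("password", "IEEE")
    print("PSK:", psk.hex())
    print("policy check for 'password':", check_passphrase_policy("password"))
    # Constructed sample passphrase that satisfies the article's advice.
    print("policy check for 'Kitchen-Lamp-2021':", check_passphrase_policy("Kitchen-Lamp-2021"))
```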

■  802.1X/EAP Authentication

802.1X authentication is designed for business networks. It uses the EAP protocol to validate users and the RADIUS protocol to encrypt the authentication traffic. Unlike Shared Key or Pre-Shared Key authentication, which require all users to join the network with the same credential, 802.1X authentication provides a unique credential for each user. This significantly enhances network security, but requires an additional server to store the user accounts.

802.1X can be implemented in either a wired or wireless network. Here we only talk about the implementation in a wireless network.

The following figure shows the framework of 802.1X.

Figure 2-5 802.1X Framework

As shown in the figure, 802.1X uses a client-server model with three components: supplicant, authenticator, and authentication server.

The supplicant is the device that must be validated before accessing the network. In a wireless environment, it is usually a laptop or mobile phone running 802.1X client software. Each supplicant is given a unique authentication credential that is recorded in the authentication server.

The authenticator acts as a bridge between the client and the authentication server. It forwards the authentication traffic between them and decides, based on the authentication result, whether to allow all other traffic. In a wireless network, it can be either an AP or an AP controller.

The authentication server maintains a list of legitimate users. It validates supplicants against the list and notifies the authenticator of the result. It is usually a RADIUS server.

■  TKIP/RC4 Encryption

TKIP is an enhancement of WEP, created to replace WEP after WEP was broken. It uses RC4, the same encryption algorithm as WEP, so a network can be upgraded to TKIP without replacing the existing equipment.

TKIP addresses many known weaknesses of WEP. However, TKIP was later also proven to have security holes and limitations. Like WEP, TKIP is not allowed with IEEE 802.11n and later standards: devices that use TKIP are forbidden from using 802.11n and higher data rates.

2.3  WPA2
WPA2 is an upgrade of WPA and mirrors IEEE 802.11i. The only difference between WPA and WPA2 is their encryption methods: WPA2 adds support for CCMP/AES encryption, which was defined by IEEE 802.11i. In WPA2, CCMP/AES is mandatory while TKIP/RC4 is optional.

■  CCMP/AES Encryption

CCMP was created to replace WEP and TKIP. It has proven to be a durable cryptographic system and is the only encryption method specified by IEEE 802.11n and later standards.

CCMP uses the AES cipher, which differs from the RC4 cipher used by WEP and TKIP. This raises a problem: early devices that support only WEP and TKIP cannot handle CCMP/AES encryption, so you need to replace them with newer hardware.

3  Summary: How to Choose a Proper Security Mode?

We all want to use the best security mode, but may have to compromise for some reasons. One main reason is cost; another is that the better security mode is not supported by some devices in the network.

When choosing the security mode, refer to the following tips:

  • Use WPA2 whenever it’s possible.

For home use, WPA2-Personal is a cost-efficient solution, but remember to set a strong enough password (at least 12 characters, containing numbers, capital letters, small letters, and preferably symbols).

For business use, it’s better to use WPA2-Enterprise if the budget permits. WPA2-Enterprise provides very strong security but needs an additional RADIUS server.

  • WPA is the second choice.

The only difference between WPA2 and WPA is the encryption cipher: WPA uses TKIP/RC4.

Both TKIP and WEP encryption have flaws and are forbidden by 802.11n and later standards. When using either of these two encryption methods, the whole network suffers low speed (at most 54 Mbps theoretically, and about 20 Mbps in practice).

  • Use WEP when there are some old devices that only support WEP.

Only choose WEP when you have no other choice. Though WEP has been cracked, it’s still better than no security. Another option is to create two Wi-Fi networks on your AP if it supports multiple SSIDs: one specifically for the old devices, and the other for the rest.


Norton Internet Security notified me of a (MITM) *Man In The Middle* Attack on my TP-Link_0431 Router. How do I remove this attack from my router and prevent a recurrence?

Norton Internet Security prevents me from using Norton says that this site is unsecured and that I am susceptible to attack.



If I configure my device like that, can I be more secure? I have much more sensitive information going on, and I want to keep it safe like other companies are doing. I also read some instructions all over the internet, on different websites etc. But I also need your guidance.