WPA (Wi-Fi Protected Access) works by employing different modes for enterprise and personal use, each using a robust authentication and encryption protocol to secure wireless networks.
WPA for Enterprise (WPA-EAP)
- Authentication: WPA in Enterprise mode leverages EAP (Extensible Authentication Protocol) over 802.1X. Instead of a single shared password, each user authenticates individually, typically against a central authentication server such as a RADIUS server.
- 802.1X: This is a port-based network access control protocol. It requires users to authenticate before gaining access to the network.
- RADIUS Server: Acts as the gatekeeper, verifying user credentials against a database. This allows for more granular access control and auditing capabilities.
- TKIP (Temporal Key Integrity Protocol) & CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol): WPA originally used TKIP for encryption, but because of TKIP's weaknesses it was superseded by CCMP, which is based on AES (Advanced Encryption Standard) and provides stronger data encryption and integrity protection.
In Summary (Enterprise): When a user connects to a WPA-EAP network, their device initiates an 802.1X authentication process. The access point forwards the authentication request to the RADIUS server. If the server verifies the user's credentials, it allows network access and provides encryption keys.
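To make the RADIUS step concrete, here is an added example (not code from the original article) of how the access point and the RADIUS server prove to each other that their packets come from a holder of the shared secret: the Message-Authenticator HMAC that EAP-carrying packets must carry (RFC 3579) and the Response Authenticator on the server's reply (RFC 2865). The secret, the user name and the EAP payloads are constructed for the demo; everything else is the standard packet layout.

```python
"""Added example: RADIUS packet authentication between an AP (authenticator)
and a RADIUS server during 802.1X/EAP. Not from the original article."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80   # attribute types


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1, includes the 2-byte header) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(blob):
    """Return (offset, type, value) triples; raise ValueError if malformed."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        ln = blob[i + 1]
        attrs.append((i, blob[i], blob[i + 2:i + ln]))
        i += ln
    return attrs


def zero_message_authenticator(body):
    out = bytearray(body)
    for off, typ, val in decode_attrs(body):
        if typ == MESSAGE_AUTHENTICATOR:
            out[off + 2:off + 2 + len(val)] = bytes(len(val))
    return bytes(out)


def build_packet(code, ident, authenticator, attrs, secret):
    """Serialise code/id/length/authenticator + attributes and fill in the
    Message-Authenticator: HMAC-MD5(secret, whole packet with that attribute zeroed)."""
    attrs = [a for a in attrs if a[0] != MESSAGE_AUTHENTICATOR] + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac          # the zeroed attribute is the last 16 bytes


def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()


def build_access_request(ident, attrs, secret):
    request_auth = os.urandom(16)              # fresh per request; also keys the reply's HMAC
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs, secret), request_auth


def build_response(code, ident, attrs, request_auth, secret):
    # The reply's Message-Authenticator is computed with the *Request* Authenticator in the header,
    # then the header gets the Response Authenticator over the final attributes.
    pkt = build_packet(code, ident, request_auth, attrs, secret)
    body = pkt[20:]
    return pkt[:4] + response_authenticator(code, ident, body, request_auth, secret) + body


def verify_packet(packet, secret, request_auth=None):
    """True only if the packet was built by a holder of `secret`. Pass the matching
    Request Authenticator when checking a server reply."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    authenticator, body = packet[4:20], packet[20:]
    try:
        macs = [v for _, t, v in decode_attrs(body) if t == MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(macs) != 1 or len(macs[0]) != 16:
        return False                           # EAP-carrying packets need exactly one
    key_auth = authenticator if request_auth is None else request_auth
    expected = hmac.new(secret, struct.pack("!BBH", code, ident, length) + key_auth
                        + zero_message_authenticator(body), hashlib.md5).digest()
    if not hmac.compare_digest(expected, macs[0]):
        return False
    if request_auth is None:
        return True
    return hmac.compare_digest(authenticator, response_authenticator(code, ident, body, request_auth, secret))


def run_exchange(ap_secret, server_secret):
    """AP forwards an EAP-Response/Identity; server answers Access-Accept + EAP-Success.
    Returns (server accepted the request, AP accepted the reply)."""
    identity = b"alice@example"                                      # constructed
    eap_identity = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity
    req, req_auth = build_access_request(7, [(USER_NAME, b"alice"), (EAP_MESSAGE, eap_identity)], ap_secret)
    if not verify_packet(req, server_secret):
        return False, False                    # server drops requests it cannot authenticate
    eap_success = struct.pack("!BBH", 3, 1, 4)
    resp = build_response(ACCESS_ACCEPT, 7, [(EAP_MESSAGE, eap_success)], req_auth, server_secret)
    return True, verify_packet(resp, ap_secret, request_auth=req_auth)


def forged_accept_rejected(ap_secret):
    """An Access-Accept built without the real secret must not open the port."""
    req_auth = os.urandom(16)
    forged = build_response(ACCESS_ACCEPT, 7, [(EAP_MESSAGE, struct.pack("!BBH", 3, 1, 4))], req_auth, b"guess")
    return not verify_packet(forged, ap_secret, request_auth=req_auth)
```

The AP only opens the controlled port when `verify_packet` accepts the reply; an Access-Accept injected by anyone without the shared secret fails the Response Authenticator and Message-Authenticator checks. MD5 here is what the RADIUS RFCs specify, which is one reason deployments wrap RADIUS in TLS (RadSec) or keep it on an isolated management network.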
WPA for Personal Use (WPA-PSK)
- PSK (Pre-Shared Key): In personal mode, WPA uses a pre-shared key or passphrase, which is the password you enter when connecting to a Wi-Fi network.
- SAE (Simultaneous Authentication of Equals): WPA3-Personal replaced the older TKIP and WPA-PSK authentication methods with SAE. SAE improves security by preventing offline dictionary attacks. It establishes the session keys through a handshake based on the Dragonfly key exchange protocol, a password-authenticated key exchange.
How SAE Works:
- Mutual Authentication: Both the client and the access point prove their knowledge of the password without directly transmitting it.
- Forward Secrecy: Session keys are derived from fresh random values in each handshake, so compromising one session's keys does not expose previous or future sessions.
- Resistance to Offline Dictionary Attacks: SAE makes cracking the password significantly harder, because every password guess requires a live exchange with the access point; a captured handshake alone does not let an attacker test guesses offline.
- CCMP (AES): As with WPA-EAP, WPA-PSK uses CCMP with AES for data encryption.
In Summary (Personal): When connecting to a WPA-PSK network, the client and access point engage in an SAE handshake using the pre-shared key. This establishes a secure connection and allows for encrypted data transfer.
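The following is an added example, not code from the original article, of the commit/confirm structure of an SAE (Dragonfly, RFC 7664) handshake, written as a toy over a finite-field group so the security argument above can be seen in working code: both sides derive a password element, exchange only a scalar and a group element, and then prove possession of the resulting key with a confirm message. Simplifications are assumptions of this demo and not part of real SAE: a small 64-bit safe-prime group found at start-up, SHA-256 for all hashing and key derivation, no binding of MAC addresses into the password element, and no anti-clogging tokens.

```python
"""Added example: toy SAE/Dragonfly-style PAKE over a finite-field group.
Not from the original article; group size and KDF are simplified for the demo."""
import hashlib
import hmac
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # deterministic Miller-Rabin below 3.3e24


def is_prime(n):
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits=64):
    """Return (p, q) with p = 2q + 1 both prime; the squares mod p form the order-q subgroup."""
    q = (1 << (bits - 2)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


def password_element(password, p, q):
    """Simplified hunting-and-pecking: hash password+counter and square into the order-q subgroup."""
    for counter in range(1, 256):
        x = int.from_bytes(hashlib.sha256(password + bytes([counter])).digest(), "big") % p
        pe = pow(x, (p - 1) // q, p)
        if pe > 1:                      # skip 0 and 1, which generate nothing
            return pe
    raise ValueError("no password element found")


class Party:
    """One side of the exchange (client or access point)."""

    def __init__(self, password, p, q):
        self.p, self.q, self.peer = p, q, None
        self.pe = password_element(password, p, q)
        self.nbytes = (p.bit_length() + 7) // 8
        while True:
            self.rand = 1 + secrets.randbelow(q - 1)    # private; never transmitted
            mask = 1 + secrets.randbelow(q - 1)
            self.scalar = (self.rand + mask) % q
            if self.scalar > 1:
                break
        self.element = pow(self.pe, q - mask, p)        # PE^(-mask), since PE^q = 1

    def commit(self):
        return self.scalar, self.element                # the only values an eavesdropper sees

    def process_commit(self, peer_scalar, peer_element):
        p, q = self.p, self.q
        if not (1 < peer_scalar < q) or not (1 < peer_element < p) or pow(peer_element, q, p) != 1:
            raise ValueError("invalid commit")          # RFC 7664 range/subgroup checks
        if (peer_scalar, peer_element) == (self.scalar, self.element):
            raise ValueError("commit reflected back")
        # (PE^peer_scalar * peer_element)^rand = PE^(rand * peer_rand), identical on both sides
        ss = pow(pow(self.pe, peer_scalar, p) * peer_element % p, self.rand, p)
        keyseed = hashlib.sha256(ss.to_bytes(self.nbytes, "big")).digest()
        ctx = ((self.scalar + peer_scalar) % q).to_bytes(self.nbytes, "big")
        self.kck = hmac.new(keyseed, b"SAE KCK" + ctx, hashlib.sha256).digest()   # confirms the handshake
        self.pmk = hmac.new(keyseed, b"SAE PMK" + ctx, hashlib.sha256).digest()   # feeds session keys
        self.peer = (peer_scalar, peer_element)

    def _confirm(self, first, second):
        msg = b"".join(v.to_bytes(self.nbytes, "big") for v in (*first, *second))
        return hmac.new(self.kck, msg, hashlib.sha256).digest()

    def confirm(self):
        return self._confirm((self.scalar, self.element), self.peer)

    def verify(self, peer_confirm):
        """True only if the peer derived the same KCK, i.e. started from the same password."""
        return hmac.compare_digest(peer_confirm, self._confirm(self.peer, (self.scalar, self.element)))


def run_sae(client_password, ap_password, bits=64):
    """Full commit/confirm exchange. Returns (AP accepts client, client accepts AP, PMKs match)."""
    p, q = safe_prime(bits)
    client, ap = Party(client_password, p, q), Party(ap_password, p, q)
    client.process_commit(*ap.commit())
    ap.process_commit(*client.commit())
    return ap.verify(client.confirm()), client.verify(ap.confirm()), client.pmk == ap.pmk


if __name__ == "__main__":
    print(run_sae(b"correct horse", b"correct horse"), run_sae(b"correct horse", b"wrong"))
```

An eavesdropper who records both commits holds only the scalars and elements; checking a candidate password would require the shared secret PE^(rand_a * rand_b), and recovering either private `rand` from the transcript is a discrete logarithm problem. That is what turns each guess into a live exchange the access point can see, rate-limit and log, which is the property the bullet on offline dictionary attacks describes.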
| Feature | WPA-EAP (Enterprise) | WPA-PSK (Personal) |
|---|---|---|
| Authentication | 802.1X with EAP (e.g., TLS, TTLS, PEAP) via RADIUS | SAE (Simultaneous Authentication of Equals) |
| Key Management | Dynamic, per-user keys | Pre-Shared Key (PSK) |
| Encryption | CCMP (AES) | CCMP (AES) |
| Use Case | Corporate networks, universities | Home networks, small businesses |
| Security Level | High | Medium to High (WPA3-PSK) |
In essence, WPA enhances Wi-Fi security through robust authentication methods and encryption techniques, with enterprise versions offering greater control and user management compared to personal versions.