Wi-Fi is the world’s leading wireless local area networking technology with devices using it to transfer quintillions of bytes of data every day. Wi-Fi is used for a wide range of applications spanning industry, commerce, government, healthcare, and domestic use.
One reason Wi-Fi has been so widely adopted is that it has in-built, proprietary security protocols that secure and protect both the Wi-Fi network and the data that is transferred over it.
In this article, we’ll compare the second and third-generation Wi-Fi security protocols, WPA2 and WPA3, to understand which standard is best for protecting your home or business Wi-Fi.
What is Wi-Fi Protected Access (WPA)?
WPA is a Wi-Fi security technology developed by the Wi-Fi Alliance and the Institute of Electrical and Electronics Engineers (IEEE) that comprises three certification programs:
- Wi-Fi Protected Access (WPA)
- Wi-Fi Protected Access 2 (WPA2)
- Wi-Fi Protected Access 3 (WPA3)
WPA was first introduced in 2003 and is now required for every Wi-Fi-certified device. It was developed to address weaknesses in the Wired Equivalent Privacy (WEP) standard that was previously in use. WPA strengthens the security of Wi-Fi networks with robust authentication procedures and encryption of the data that is transferred.
What is WPA2?
WPA2 (also called IEEE 802.11i-2004 or Robust Security) is an amended version of the original WPA security protocol. It was released by the Institute of Electrical and Electronics Engineers (IEEE) in 2004. It has only recently been superseded by WPA3, so it is still widely used.
The WPA2 security protocol specifies security mechanisms and standards for Wi-Fi (802.11) networks. It upgrades and expands the authentication and privacy mechanisms of the original WPA release to make a Robust Security Network (RSN) the standard for a secure wireless network.
There are two types of WPA2 protocols that are implemented in specific types of Wi-Fi networks:
- WPA2-Personal has been developed for home networks and other consumer use. It uses AES data encryption and requires a network name and password to access a Wi-Fi network.
- WPA2-Enterprise is for commercial and industrial use. It also uses AES encryption but uses the Extensible Authentication Protocol (EAP) for access control. There are five EAP types that tailor WPA2-Enterprise to specific network applications and end-user devices.
WPA2 Security Features
WPA2 includes many features present in WPA and WEP but has greater scope for more robust protection of wireless networks and the data that is transferred over them.
Below are the main features of WPA2.
Mandatory Wi-Fi Alliance Testing and Certification
In 2006, the Wi-Fi Alliance implemented mandatory WPA2 testing and certification, making WPA2 a mandatory feature of certified Wi-Fi products. This ensured that Wi-Fi users could access this upgraded security technology.
Support for CCMP Encryption Mode
The Counter Mode Cipher Block Chaining Message Authentication Code Protocol, also known as CCMP, is a protocol for enhanced encryption of data on wireless local area networks (WLANs). It was developed specifically for Wi-Fi and is built on the Advanced Encryption Standard (AES) block cipher, providing both confidentiality and integrity protection for each frame.
Message Integrity Check
Message Integrity Check (MIC) is a mechanism that prevents attacks on encrypted messages. Attackers are known to penetrate networks using ‘bit-flip’ attacks where an intercepted message is slightly altered and then retransmitted to the receiver where it may be accepted.
The Temporal Key Integrity Protocol (TKIP) is another encryption protocol that was used by WPA2 until 2012. It encrypts data using a key mixing function that conceals the root key and uses a stream cipher called RC4 to encrypt and decrypt data.
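The bit-flip attack described above and the role of a MIC in stopping it, as an added example that is not part of the original article. The keystream here is a toy built from HMAC-SHA256 in counter mode (an assumption for illustration, not RC4 and not TKIP's key mixing); the point it shows is that XOR-based stream encryption alone lets an in-transit modification of ciphertext bits change the decrypted plaintext predictably, while a keyed MIC over the ciphertext causes the receiver to discard the altered frame:

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter), concatenated (illustration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; XOR is its own inverse, so this also decrypts."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


stream_decrypt = stream_encrypt


def flip_bits(ciphertext: bytes, offset: int, mask: bytes) -> bytes:
    """Model an in-transit modification: XOR a chosen mask into a slice of the ciphertext."""
    buf = bytearray(ciphertext)
    for i, m in enumerate(mask):
        buf[offset + i] ^= m
    return bytes(buf)


def compute_mic(mic_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Keyed integrity tag over nonce and ciphertext (encrypt-then-MAC), 8-byte tag."""
    return hmac.new(mic_key, nonce + ciphertext, hashlib.sha256).digest()[:8]


def protect(enc_key: bytes, mic_key: bytes, nonce: bytes, plaintext: bytes):
    ct = stream_encrypt(enc_key, nonce, plaintext)
    return ct, compute_mic(mic_key, nonce, ct)


def unprotect(enc_key: bytes, mic_key: bytes, nonce: bytes, ciphertext: bytes, mic: bytes):
    """Receiver side: verify the MIC first; on mismatch the frame is discarded (None)."""
    if not hmac.compare_digest(compute_mic(mic_key, nonce, ciphertext), mic):
        return None
    return stream_decrypt(enc_key, nonce, ciphertext)


def demo():
    """Constructed message; returns (plaintext seen without a MIC, result with a MIC, untouched result)."""
    enc_key, mic_key, nonce = os.urandom(16), os.urandom(16), os.urandom(12)
    msg = b"TRANSFER 0010 USD TO ACCOUNT 1234"
    offset = msg.index(b"0010")
    # XOR difference between the original and altered digits; applied to the ciphertext
    # it changes the decrypted amount without knowing the key.
    mask = bytes(a ^ b for a, b in zip(b"0010", b"9999"))

    # No integrity check: the modified frame decrypts to the altered amount and is accepted.
    ct = stream_encrypt(enc_key, nonce, msg)
    tampered_plain = stream_decrypt(enc_key, nonce, flip_bits(ct, offset, mask))

    # With a MIC: the same modification is detected and the frame is dropped.
    ct2, mic = protect(enc_key, mic_key, nonce, msg)
    rejected = unprotect(enc_key, mic_key, nonce, flip_bits(ct2, offset, mask), mic)
    accepted = unprotect(enc_key, mic_key, nonce, ct2, mic)
    return tampered_plain, rejected, accepted


if __name__ == "__main__":
    print(demo())
```

CCMP does this binding with AES in CCM mode, where the authentication tag covers the frame header fields as well as the payload; TKIP's Michael MIC was a weaker stop-gap for older hardware, which is one reason it was retired.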
Advanced Encryption Standard (AES)
AES is an encryption standard developed by the U.S. National Institute of Standards and Technology for encrypting U.S. Government data. AES was developed from the Belgian Rijndael block cipher and uses a 128-, 192-, or 256-bit key.
Four-Way Handshake
WPA2 uses the four-way handshake as a network authentication tool. With this protocol, four messages are exchanged between a supplicant client device and the network’s access point, which acts as an authenticator. The exchange of messages generates various classes of encryption keys that are used to encrypt further messages sent between the device and the access point.
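The key material produced by the handshake, as an added example that is not code from the original article or from any Wi-Fi vendor. It implements the WPA2-Personal derivation as specified in IEEE 802.11i: the Pairwise Master Key (PMK) from passphrase and SSID via PBKDF2-HMAC-SHA1, the Pairwise Transient Key (PTK) from the PMK plus the two MAC addresses and two nonces using the 802.11i PRF, and the HMAC-SHA1 MIC that protects messages 2 to 4. The MAC addresses, nonces and EAPOL frame body in `four_way_handshake` are constructed sample values; the passphrase/SSID pair `password`/`IEEE` is the published 802.11i test vector:

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits).
    It is fixed for as long as the network passphrase is fixed."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK for WPA2/CCMP (PRF-384). Every input other than the PMK travels in the clear in
    messages 1 and 2; min/max ordering lets either side compute it regardless of role."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """MIC on EAPOL-Key messages 2-4: HMAC-SHA1 under the KCK, truncated to 128 bits."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def four_way_handshake(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes,
                       anonce: bytes, snonce: bytes) -> dict:
    """Walk the key-related steps of the exchange with constructed nonces and MAC addresses."""
    pmk = derive_pmk(passphrase, ssid)
    # Message 1 (AP -> STA): ANonce in the clear. The station can now derive the PTK.
    sta_ptk = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    # Message 2 (STA -> AP): SNonce plus a MIC computed under the station's KCK.
    msg2_body = b"EAPOL-Key message 2 (constructed body) " + snonce
    msg2_mic = eapol_mic(sta_ptk["KCK"], msg2_body)
    # The AP derives its own PTK and checks the MIC, which proves the station holds the PMK.
    ap_ptk = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    mic_ok = hmac.compare_digest(eapol_mic(ap_ptk["KCK"], msg2_body), msg2_mic)
    # Message 3 carries the GTK wrapped under the KEK; message 4 is the station's acknowledgement.
    return {"sta_ptk": sta_ptk, "ap_ptk": ap_ptk, "msg2_mic_ok": mic_ok}


if __name__ == "__main__":
    ap, sta = bytes.fromhex("a0a1a2a3a4a5"), bytes.fromhex("b0b1b2b3b4b5")  # constructed
    result = four_way_handshake("password", "IEEE", ap, sta, bytes(range(32)), bytes(range(32, 64)))
    print(result["msg2_mic_ok"], result["ap_ptk"]["TK"].hex())
```

The defender's takeaway is visible in `derive_ptk`: the per-session TK is a deterministic function of the long-lived PMK and values sent in the clear, which is why WPA2-Personal has no forward secrecy once the passphrase is known. The KCK, KEK and TK split is what lets one handshake both authenticate (KCK), deliver the group key (KEK) and encrypt data (TK).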
Group Key Handshake
Access points in a Wi-Fi network use a group key handshake to deliver a new group transient key (GTK) to client devices in the network. The access point uses a two-way handshake to complete the process with each connected and authenticated device.
Limitations of WPA2
WPA2 has some real-world limitations.
The increased encryption and decryption can impact the overall performance of the network, though any reduction in speed is usually not noticeable.
It can clash with another Wi-Fi feature called Wi-Fi Protected Setup (WPS). The two protocols interfere with one another if they are both active on a router. The WPA2 key can also be exposed if the WPS PIN is known.
What is WPA3?
WPA3 is the most recent version of the Wi-Fi Protected Access. The Wi-Fi Alliance released it in January 2018 and it succeeds WPA2 as the mandatory certification standard for official Wi-Fi devices.
This update of WPA2 strengthens the security protocol on several fronts, with upgrades to the protocol’s cryptographic strength and a new authentication standard. The Wi-Fi Alliance has also designed WPA3 to allow simpler device configuration, especially where there is no display interface.
Notable changes in WPA3 include:
- 192-bit encryption: This security mode is a feature of WPA3-Enterprise and provides an uplift in baseline security across an entire WPA3 network.
- AES-256: WPA3 uses 256-bit authentication and encryption.
- Simultaneous Authentication of Equals (SAE) exchange: SAE is a method of password-based authentication and key agreement that uses 128-bit encryption in WPA3-Personal and 192-bit encryption in WPA3-Enterprise. This initial key exchange method replaced the pre-shared key exchange used in the previous WPA version.
- Forward secrecy (FS): Forward secrecy prevents network attacks that target encrypted data from previous or future sessions. FS regularly changes encryption keys at random so that a hacked encryption key will only reveal a small amount of data and cannot be used to decrypt historical data or data that is yet to be transferred.
- Wi-Fi Easy Connect: This alternative to Wi-Fi Protected Setup (WPS) is designed to provide a more simplified setup process that tackles vulnerabilities introduced by weak passwords. It also facilitates the secure setup of devices with no display interface by using a QR code.
What’s the Difference Between WPA2 and WPA3?
WPA2 and WPA3 are stages in the continual development process of Wi-Fi security technology. The three generations of Wi-Fi Protected Access were created in response to evolving threats to Wi-Fi networks and differ in the technologies they use to mitigate security issues, secure data, and authenticate users.
The main differences between WPA2 and WPA3 can be grouped into three areas, which we’ve outlined below.
Forward Secrecy and More Robust Encryption
The Wi-Fi Alliance has made improvements to WPA3 in response to the increased use of public Wi-Fi networks where devices are vulnerable to attacks.
Encryption standards like AES and CCMP are strengthened with longer encryption keys. With WPA2, encryption was available but not in open (password-free) networks. WPA3 addresses this by providing individualized encryption to each device that participates in a network, whether or not a password is required.
Forward secrecy prevents a would-be hacker from the opportunistic gathering of data and encryption keys. With FS, the keys are changed so often and randomly that it will be impossible to keep up with the changes in encrypted data.
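The forward-secrecy property discussed in the bullet list above and in this section, as an added example that is not part of the original article. It contrasts a WPA2-PSK-style session key (a function of the long-term passphrase and nonces sent in the clear, so it can be recomputed by anyone who later learns the passphrase and kept a recording) with a session key from an ephemeral Diffie-Hellman exchange, where each side's private exponent is discarded after use and the recorded transcript contains only public values. The group here is a toy one (p = 2^127 - 1, generator 3, constructed for illustration; SAE uses standardized elliptic-curve groups), and the code is a simplified stand-in for the ephemeral exchange inside SAE, not SAE itself:

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for illustration only. Real protocols use
# standardized groups; the forward-secrecy property shown here does not depend on size.
P = (1 << 127) - 1  # Mersenne prime 2^127 - 1
G = 3


def kdf(*parts: bytes) -> bytes:
    """Simple key derivation: SHA-256 over the concatenated inputs."""
    return hashlib.sha256(b"".join(parts)).digest()


def psk_style_session(psk: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """WPA2-PSK-like: the session key depends only on the long-term secret and values that
    cross the air in the clear. Anyone holding the PSK can recompute it at any later time."""
    return kdf(psk, nonce_a, nonce_b)


class EphemeralParty:
    """One side of an ephemeral exchange: fresh private exponent per session."""

    def __init__(self):
        self._priv = secrets.randbelow(P - 2) + 2  # in [2, P-1]
        self.pub = pow(G, self._priv, P)           # the only value sent over the air

    def derive(self, peer_pub: int) -> bytes:
        shared = pow(peer_pub, self._priv, P)
        key = kdf(shared.to_bytes(16, "big"))
        self._priv = None  # discard the ephemeral secret; nothing retained can recreate `key`
        return key


def ephemeral_session():
    """Run one exchange; returns both sides' keys and the public transcript an observer sees."""
    a, b = EphemeralParty(), EphemeralParty()
    transcript = (a.pub, b.pub)
    return a.derive(b.pub), b.derive(a.pub), transcript


def demo() -> dict:
    """Constructed PSK and nonces; returns the properties a practitioner would check."""
    psk = b"constructed long-term network passphrase"
    n1, n2 = secrets.token_bytes(32), secrets.token_bytes(32)
    session_key = psk_style_session(psk, n1, n2)
    # Later compromise of the PSK plus a recording of the cleartext nonces reproduces the
    # old session key exactly: no forward secrecy.
    recovered_later = psk_style_session(psk, n1, n2)

    ka, kb, transcript = ephemeral_session()
    ka2, kb2, _ = ephemeral_session()
    # Hashing the recorded public values (all an observer has) does not yield the session key.
    from_transcript = kdf(transcript[0].to_bytes(16, "big"), transcript[1].to_bytes(16, "big"))
    return {
        "psk_key_recovered_later": recovered_later == session_key,
        "ephemeral_keys_agree": ka == kb and ka2 == kb2,
        "ephemeral_sessions_differ": ka != ka2,
        "transcript_alone_gives_key": from_transcript == ka,
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for a network owner: with WPA2-Personal, rotating the passphrase after a suspected leak does nothing for traffic already captured, whereas WPA3-Personal sessions stay protected because their keys were never a function of the passphrase alone.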
Strengthening Password Vulnerabilities
The introduction of Simultaneous Authentication of Equals provides much better protection for a weak password that could be the target of passive or active attacks. SAE is a much more secure initial key exchange in WPA3-Personal, giving more stringent device authentication. This is valuable for public Wi-Fi networks.
The rise of IoT has meant that more and more smart devices are available that have no interface for entering a network password. For WPA3, the Wi-Fi Alliance has created Wi-Fi Easy Connect, which enables certified devices to pair via a QR code.
WPA2 vs. WPA3: A Side-by-Side Comparison
| | WPA2 | WPA3 |
|---|---|---|
| What is it? | Wireless network security technology | Wireless network security technology |
| Primary Use | Securing Wi-Fi networks against attacks and protecting transferred data | Securing Wi-Fi networks against attacks and protecting transferred data |
| Influential Developers | The Institute of Electrical and Electronics Engineers (IEEE) and the Wi-Fi Alliance | The Institute of Electrical and Electronics Engineers (IEEE) and the Wi-Fi Alliance |
| Technologies Influenced | Wi-Fi 1 to 6 (IEEE 802.11) | Wi-Fi 1 to 6 (IEEE 802.11) |
Similarities and Differences
- WPA2 and WPA3 are versions of Wi-Fi Protected Access (WPA).
- The Wi-Fi Alliance developed WPA2 and WPA3.
- Both WPA2 and WPA3 are wireless network security technologies that have been developed specifically for Wi-Fi.
- WPA2 and WPA3 testing is mandatory for the certification of approved Wi-Fi products.
- WPA2 and WPA3 use enhanced encryption, authentication, and device setup protocols to increase the security of Wi-Fi networks.
- Both types of Wi-Fi Protected Access (WPA) are available in personal and enterprise versions.
- WPA3 is a more recent version of the Wi-Fi Protected Access (WPA) protocol.
- WPA2 uses TKIP encryption and a four-way handshake.
- WPA3 uses AES encryption, Simultaneous Authentication of Equals (SAE) exchange, and forward secrecy.
- Wi-Fi Easy Connect, for simplified network setup, was introduced with WPA3.
Why is WPA3 Important?
WPA3 is the latest security protocol for Wi-Fi. The Wi-Fi Alliance has updated it to strengthen weaknesses that existed in WPA2.
The technologies it uses are also designed to protect users of public or open Wi-Fi networks that are not secured by a password. WPA3 should protect users from the following common Wi-Fi network attacks.
Sniffing on Open Networks
This attack targets unencrypted traffic being transferred on an open network. With WPA and WPA2, networks without a password would not encrypt subscriber device data. Malicious agents can then use a variety of sniffing tools to monitor unsecured traffic and look for sensitive data like passwords or credit card numbers. WPA3 provides encryption for individual devices to prevent this.
Brute Force Dictionary Attacks
Hackers can attempt to penetrate Wi-Fi networks using this specific type of brute force attack that runs through a dictionary list of words and phrases that are commonly used as passwords. WPA3 uses Simultaneous Authentication of Equals (SAE) exchange to strengthen networks with weak and obvious passwords.
Man-in-the-Middle Attacks
In Man-in-the-Middle attacks, a hacker inserts themselves into the data exchange in a wireless network and passively harvests large volumes of data. If they are able to obtain the encryption key, they can then decrypt the data and harvest sensitive information.
WPA3 prevents this type of security break by using forward secrecy, randomly changing the security key from message to message, so that past or future data cannot be easily decrypted.
Does WPA2 Need to be Upgraded?
WPA3 is the latest version of the WPA protocol and is the best option for securing your Wi-Fi network. If you are able to use WPA3 devices for your network, they will be more secure than WPA2 ones.
However, WPA2 is still a competent security protocol for password-secured private (home) Wi-Fi networks. Its main vulnerabilities are in open networks, so you should take care when using unsecured Wi-Fi networks. If you are using WPS for your Wi-Fi network, upgrading to WPA2 will make your network more secure.
WPA2 vs. WPA3: 6 Must-Know Facts
- All Wi-Fi devices that were certified after 2006 support WPA and WPA2.
- WPA3 became mandatory for certified devices on the 1st of July, 2020.
- Only Wi-Fi Alliance-certified devices can bear the Wi-Fi trademarked logo.
- Wired Equivalent Privacy, the precursor to WPA, was introduced as a security standard in 1999.
- WPS PIN recovery is a major security weakness that can expose the WPA/WPA2 password.
Wi-Fi security needs to be taken seriously, as it is very easy for snoops and hackers to evade detection on these networks. WPA2 and WPA3 increase the security of Wi-Fi networks. But for the most robust security, WPA3 is the better technology, as it is more recent and has been developed to protect your Wi-Fi network from the latest threats.