What is Wi-Fi encryption?

digital data lock on screen
(Image credit: Shutterstock)

Wireless networking has become ubiquitous in our society, used in both homes and businesses alike to connect a wide variety of computing products. Wi-Fi at most homes requires a password, if for no other reason that this gets enabled by default at the factory. However, many businesses, airports, schools, libraries and municipalities have open Wi-Fi, free for the taking to make it simple for anyone to log on to their network with a device. 

While open Wi-Fi is quite convenient, it also represents a security risk, as then anyone can eavesdrop on the conversation of the wireless traffic as it goes between the client and the router. In fact, this is common enough that it has a specific name, known as a man-in-the-middle attack (MitM).

To avoid such an attack, security is needed to encode this wireless traffic, making it much more difficult for anyone to grab this data wirelessly, and then participate in your private conversation. This type of wireless security is known as wireless encryption, it is designed to protect a WLAN, so let’s take a look at this technology.

What is wireless encryption?

If you think back to the last spy show you watched, chances are there was some message sent between the spies to communicate the info. The message gets sent with a code applied, so that if it gets intercepted, the message comes out scrambled, and won’t be able to be read. Unless you have the key, and can put it through the correct decryption software, it is completely useless.

Just like in that spy show, wireless encryption does the same thing. A protocol for encryption gets applied- there are multiple generations available - and the scrambled data at the other end needs to be decrypted prior to the message being read. In the case of Wi-Fi data, the message is the data that the router is sending back and forth to the client that is consuming the data. 

Wireless encryption arrives

Prior to wireless encryption, wireless data was out in the open, and subject to packet sniffing by anyone in range. Clearly some security needed to be applied to this highly insecure situation, or else folks would be better off using a wired connection (although with Ethernet hubs more commonplace than the more expensive network switches sending all traffic to everyone attached, wired Ethernet was not really secure either).

In 1997, the first attempt at wireless security arrived: Wired Equivalent Privacy, which got abbreviated and referred to as WEP. Look at the name of this first gen security protocol, and it is obvious that it was an attempt to upgrade wireless traffic to the level of security of a wired network connection. 

WEP, in its original version, offered a 64-bit key with the RC4 stream encryption algorithm; in later versions this went to 128-bit, and then 256-bit. Unlike current wireless passwords, with WEP it was a hexadecimal pre shared key, that was 10 digits or 26 digits in length. There was also an option for Open System Authentication (OSA) based on the recognition of a service set identifier. Data integrity is assured via the CRC-32 checksum algorithm.

However, despite these security measures, it was realized that WEP was quite insecure. It started out that all users had to utilize the same shared key. Furthermore, as it was a stream cipher, with a reused key for encryption on a data stream, it was easily vulnerable to an attack. The RC4 algorithm was also broken and is no longer considered secure. Finally, as it was optional to be implemented, and the difficulty of entering a hexadecimal password, many users did not even turn it on.

With ‘WEP cracks’ published in 2005, it was considered no longer secure, and  clearly a better solution was needed. Today, WEP should not be used, and is considered obsolete.

What came next?

Introduced in 2003, the next version of wireless encryption is known as Wi-Fi Protected Access (WPA). This was built on WEP, and offered some advantages.

The first one is that it used 256-bit encryption, offering higher security than what WEP had initially, which debuted with only 64-bit encryption. Furthermore, while WEP used a single static key, WPA changed that to a dynamic key. This is known as the temporal key integrity protocol (TKIP) that keeps changing, and this serves as a protection to an intruder creating their own key to compromise the network. It was further improved upon with TKIP changed out for the Advanced Encryption Standard (AES). An additional improvement was that the password did not need to be hexadecimal, so users could now use a secure but easy to remember ‘password. Finally, WPA includes ‘Integrity checks’ for a check if there was an attack changing the data packets.

What is the sequel to WPA? 

Despite all of the improvements that WPA had over WEP, there was still room for improvement. This next generation protocol came as WPA2, which was released in 2004.

With WPA2, a crucial difference is that the RC4 and TKIP are replaced by the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) at 128-bit that has the AES algorithm doing the encryption. 

While WPA2 was considerably more secure, as testified by the several years before another protocol was released, it eventually got compromised. This was due to key reinstallation attacks (KRACK) where an attacker offers a clone network, then decrypts a small portion of the message, which then is used in aggregate form to compromise the password.

What is the current standard?

The latest wireless encryption protocol is WPA3. It addresses the weaknesses of the prior three protocols, and is considered secure. This includes that the CCMP is upgraded to 256-bit, and also uses the Simultaneous Authentication of Equals protocol for password verification. There is also stronger protection from brute force attacks as only a single guess is allowed at a password before physical interaction with the device is required. 

Protect your online privacy with the best VPN services.

Jonas P. DeMuro

Jonas P. DeMuro is a freelance reviewer covering wireless networking hardware.