Being a wireless technology, Wi-Fi is inherently vulnerable to security threats such as eavesdropping and unauthorized access. To address these concerns, the IEEE 802.11 standards specify support for continuously evolving authentication and encryption protocols to ensure that Wi-Fi networks remain secure against the latest threats.
Authentication is used to ensure that only STAs that should be allowed to join the network are able to join. Whereas encryption refers to the process of cyphering the messages exchanged between Wi-Fi devices, ensuring that if that message is captured by an unauthorized eavesdropper, the content of the message remains hidden and unrevealed.
One of the first security methods established by the IEEE 802.11 standards was Wired Equivalent Privacy (WEP). WEP aimed to make wireless connections as secure as their wired counterparts by specifying encryption and authentication methods. However, WEP suffered from multiple vulnerabilities, including a simple encryption method that made it susceptible to replay attacks. Due to these vulnerabilities, many modern Wi-Fi routers no longer support WEP.
Wi-Fi Protected Access (WPA) encompasses three versions: WPA, WPA2 and WPA3, and was introduced as a replacement for WEP, providing enhanced security in terms of more advanced authentication and encryption protocols.
WPA has two different versions, depending on the target end-user:
WPA-PSK uses a pre-shared key (password) set on both the AP and the STA for authentication. WPA uses dynamic encryption methods to encrypt Wi-Fi data frames, such as the Temporal Key Integrity Protocol (TKIP). TKIP is used to protect against replay attacks, significantly increasing the security level of Wi-Fi communications.
WPA2-PSK offers further improvements in Wi-Fi security. WPA2-PSK still uses pre-shared keys for authentication but uses the 128-bit Advanced Encryption Standard (AES-128) encryption algorithm. AES-128, a superior encryption method to TKIP, provides enhanced encryption for Wi-Fi communication and has been the most commonly used security protocol in Wi-Fi for many years.
WPA2-PSK-SHA256 is a variant of WPA2-PSK that uses SHA-256 as the hashing method instead of SHA-1.
WPA3-SAE introduces Simultaneous Authentication of Equals (SAE) as a replacement for PSK, providing more security against password-guessing attacks. In addition, the introduction of SAE also brought in another key feature called Forward Secrecy, which helps protect past and future communication if an intruder manages to break the encryption key of a certain message.
Besides securing data frames between Wi-Fi devices, WPA3 includes a feature called Management Frame Protection (MFP) which safeguards the integrity of management frames by adding and performing integrity checks using AES-128 bits. MFP ensures that the frames used to control the Wi-Fi network are kept intact and untampered.
EAP in itself is not one authentication protocol, but rather, it provides a framework that supports a variety of authentication methods used mainly in enterprise network setups. This means that a Wi-Fi network can use EAP as its authentication framework while still using WPA-2, for example, as the encryption protocol for the Wi-Fi data frames exchange.
EAP provides a number of advantages for enterprise network setups, such as the use of digital certificates for authentication, in addition to the possibility of commencing centralized network setup for new Wi-Fi devices joining the network.
The WLAN Authentication and Privacy Infrastructure (WAPI) is also a replacement for WEP, used by the Chinese government. Despite not being an 802.11 standard, WAPI is still supported by Nordic’s Wi-Fi solutions to facilitate their use with Chinese Wi-Fi infrastructure.