In personal mode WPA2 is more secure than WPA. However, I have read that WPA Enterprise provides stronger security than WPA2 and I am unsure exactly how this is achieved.
-
5Where exactly did you read this? There is no doubt `WPA2` is more secure then `WPA`. I would argue that `WPA Enterprise` is an entirely different authentication model then `WPA` – Ramhound May 12 '13 at 09:26
-
1You don't have to argue, it is. WPA2 Personal uses Preshared Keys. That means you have to know the key and it can be shared amongst users. With enterprise, you have to have an account on a back end RADIUS server. This means that you have to have a username and password to gain access to the Wireless network. – Jason H May 13 '13 at 12:00
8 Answers
All earlier answers are missing a very important step and its implication and are misunderstanding EAP.
WPA2-PSK (aka WPA2 Personal) basically does the same thing as WPA2-Enterprise from the clients perspective: The client associates to the access point, authenticates to the access point using the pre-shared key and access point creates a 256bit PMK (pairwise master key) from the SSID and the pre-shared key (PSK). This PMK is then used to encrypt data traffic using CCMP/AES or TKIP.
The important thing to note here is that all clients will always encrypt their data with the same PMK, all the time. So it's easy to gather a lot of data encrypted with the same PMK. Should someone break the PMK, they could decrypt all data encrypted with that key, past/recorded and future/realtime.
WPA2-Enterprise is only a little bit different behind the scenes, but the security implications are severe: The client associates to the access point, authenticates to the access point, who passes this on to a backend RADIUS server (using EAP, but that's not important here, so more on that at the end). When the RADIUS server has authenticated the client, it gives the access point an OK, plus a RANDOM 256bit pairwise master key (PMK) to encrypt data traffic for the current session only.
Well, that's quite a difference. Instead of each client using the same PMK all the time (the seed of which is known plaintext, because the SSID is used as seed!), now every client uses a different PMK, it changes every session/association and the seed is random and unknown. Not only that, but this PMK will be 256bit real entropy (not a hash from a usually much smaller password containing words), so dictionary attacks are useless.
Should someone break a particular PMK, they only get access to one session of one client. Also (if the right EAP method is used) they don't get access to the users credentials, since they where individually encrypted. That's a whole lot more secure.
Also remember that this PMK is 256bit AES, this is currently "uncrackable" (128bit is considered safe for the moment, but not for long). The fact that the PMK of WPA2-PSK (also 256bit) can be cracked comes from the usually weak passwords (dictionary attack), the known seed (SSID) and the fact that all clients use the same PMK all the time, so a lot of ciphertext of known plaintext can be captured.
So, then a little about the Extensible Authentication Protocol (EAP). This is often understood as a security protocol in itself, but it isn't. It's basically a standard for passing messages from a client wanting to authenticate and a server that authenticates. EAP itself has no security features, it just specifies how the client speaks with the RADIUS server.
Now, you can encapsulate these EAP messages in a secure tunnel. Like HTTP (an insecure messaging protocol) goes over a secure layer, SSL/TLS to yield a secure connection to a webserver. Someone said in another answer that there are over 100 different EAP "methods", some very insecure. This is true, because EAP is old there were encryption standards implemented that are sub-standard today.
But in practice, if you need to support recent Apple or Android machines/devices and Windows machines, there's only two options, because others are simply not supported: Protected EAP (PEAP) and TLS-EAP (well, I lied: really there are a few more, but they are basically identical to TLS-EAP in functionality and security).
PEAP is just like a https server, a secure TLS tunnel is setup between the client and the RADIUS server (protecting the entire wireless and wired path between them), the server presents a certificate to the client (in companies often signed by their own CA) and a secure channel is setup on the basis of this certificate.
If the client has the CA as trusted in their certificate store it sends its username and password to the RADIUS server. If the CA isn't trusted, the user gets a warning about the certificate as with a https site that has something wrong with its certificate. The credentials are usually protected with the (old and now weak) MSCHAPv2 protocol, but that doesn't matter, since everything is already protected by 256bit TLS. The MSCHAPv2 protocol talks with the RADIUS server using EAP.
An obvious weak point is that you could setup a false access point, present a false certificate of which you have the private key, and hope that some idiot user gets a warning about an untrusted certificate and just clicks "trust" (and that option is not disabled by an administrator). Then you could maybe capture the client's weakly encrypted credentials that are fairly easy to crack (I'm not sure about this, as I know MSCHAPv2 can be easily cracked if you have the WHOLE exchange, in this case you'd only have the client side as you couldn't send a valid nonce to the client to complete the exchange, as you don't have the real hash of the users password).
While this may get you access to the real network with a lot of work (and I doubt it, but if you must know, look into MSCHAPv2 at http://www.revolutionwifi.net/revolutionwifi/2012/07/is-wpa2-security-broken-due-to-defcon.html), it wouldn't get you access to any other wireless data, as they are encrypted with a different PMK.
But for companies this may still be a problem. Enter TLS-EAP. TLS-EAP is basically the same as PEAP with the notable difference that the client also has a certificate. So the server presents its certificate to the client which must be trusted by the client (because the CA is in the trusted store, or an idiot clicked "trust"), but the client also has to present a certificate to the server. This can be a certificate that's been placed in the cert store when the device/workstation was provisioned, but it could also be from a smartcard etc. The server has to trust this client certificate, or you won't even get the chance to present credentials.
As many of you may know, such 2-way authentication can also be done for HTTP over TLS, but this is not often seen outside corporate settings. In that case, too, you can't access the website unless you first show a certificate that's trusted by the server.
So now the fake access point isn't very useful anymore. You may get the weakly encrypted credentials if the idiot clicks "trust" and you then blindly accept any client certificate, but since you don't have the private key of the client certificate you don't get access to the wireless network, nor do you get encrypted wireless data of this or other clients still courtesy of the random session-based PMK. You may get access to some intranet with the credentials, but if they went to the trouble to setup a CA for wireless they probably require a client cert for that too.
In corporations it's common to have such a client cert on a smart card, which employees then need to access all resources: logging in, network resources, mail using smtps, imaps, pop3s, intranets using https, anything that uses TLS can be setup to require a client certificate. Usually it's as simple as putting it in the keyboard and enter a PIN, then windows will present it when demanded by a trusted server running TLS.
So, I hope this clarifies a bit. The scale goes: "basically unsecured" (WEP) "crackable with some effort" (WPA2-PSK) "partly social-engineerable" (WPA2-Enterprise w/PEAP) "currently secure" (WPA2-Enterprise w/TLS-EAP and similar)
There are ways to make WPA2-PSK somewhat more secure, in that it would take months to crack it instead of minutes (pre-computed rainbow tables) or hours (dictionary attack): Set your SSID to a random string of the maximum length (64 I think), since it's used as the seed for the PMK, and use a random pre-shared key (PSK) of the maximum length. If you then change the key monthly you can be reasonably sure that nobody has a current PMK or had/has access to your network.
Though you can't get rid of the fact that someone could have stored a months worth of data of all clients and reads that once they do get the PMK of that month (which can be done, as it's not a key with 256bit real entropy as you're broadcasting the seed used).
Another drawback is that you will have a highly unique SSID, one that your wireless devices will broadcast wherever you go. If someone has your unique SSID of your home network it's a piece of cake to look up your SSID at https://wigle.net/ and find out where you live. So you're basically walking around with your phone/tablet/laptop announcing where you live...
If you're privacy conscious it's maybe a good middle way to keep your SSID set to one that's common, but not in the top 30 or so (that way it's unlikely to have rainbow tables for it available online) and use a random PSK of maximum length. You lose some entropy though.
If you want the same security as wired, use WPA2-Enterprise with TLS-EAP. (Well, for now... There's nothing stopping someone from capturing and storing all the data they want and decrypt it all in 20 years when we can all rent time on a quantum computer and factor all keys in minutes.
The NSA is said to have built a datacenter to do just that, store anything encrypted they encounter until they can crack it, so that problem also affects everything on wires if it crosses the internet. If something needs to be secure for all time, use a random one-time pad that you exchange out-of-band :)
All that said, while I'm paranoid and want the best security and thus spend two days making WPA2-Enterprise/TLS-EAP work, this is probably out of reach (and overkill) for most home users. If you don't already have a domain controller or some other directory service on your network, experience with RADIUS and have all expensive pro wifi gear that an enterprise would use then you most likely won't get it to work. You'd be better off just setting up an always-on VPN and run that over your wifi, that gives you all the security and none of the fun debugging EAP.
PS. For the sake of simplicity I also left out the fact that the communication between the access point and the RADIUS server is also encrypted by a pre-shared key (called the "shared secret"). Afaik this encryption isn't any good today (uses MD5 which is basically broken) but since you put TLS over it anyway that doesn't matter. You can use a decent key size (something between 64-128 chars = 512-1024bits depending on the implementation). I always set the largest secret possible, it can't hurt.
- 599
- 4
- 5
-
The obvious weak point you present is similar to the weak point of online shopping - some idiot user might provide his credit card details without seeing a green lock near the URL or when seen a red broken one. But I wonder about another thing. What if the attacker buys a TLS certificate for a domain he owns and sets up a rouge CA and presents this certificate for the rogue RADIUS server he set up? Sounds like this shouldn't work, but I don't see anything in your description preventing this, and unlike web browsing where you even a valid certificate for www.g00gle.com might make you suspect... – conio Mar 02 '17 at 23:57
-
you don't see the URL of the RADIUS server you're talking to (at least not in Windows, iOS and Android). – conio Mar 02 '17 at 23:57
-
The CA would have to match the client's cert, so that wouldn't work. – Terrence Koeman Mar 04 '17 at 18:35
-
I wasn't aware of any client certificates in play in PEAP-MS-CHAPv2. I even see a TechNet article saying "PEAP-MS-CHAP v2 an EAP type that is easier to deploy than Extensible Authentication Protocol with Transport Level Security (EAP-TLS) or PEAP-TLS because user authentication is accomplished by using password-base credentials (user name and password) instead of digital certificates or smart cards." What client certificate are you talking about? – conio Mar 04 '17 at 18:52
-
conio: Correct, in PEAP clients don't have certificates (only the server does, but username/password (which allows for capturing the creds when a MITM AP is setup). I said EAP-TLS added client certificates to the mix to prevent this. – Terrence Koeman Mar 25 '18 at 02:18
-
conio: I see I never answered your question directly for PEAP. Yes, you could buy a certificate for a random host.domain.tld, and then setup a rogue RADIUS server that identifies using that certificate. If a user were to manually select your rogue SSID, he wouldn't get a cert warning and would probably input his credentials. Corporations usually use EAP-TLS to prevent this, but if they do use PEAP, they prevent this by pushing wireless profiles to their clients (for instance via Group Policy for Windows) that specify exactly which CA in the trusted CA list will be accepted for the SSID. – Terrence Koeman Jun 30 '19 at 10:50
The PSK variants of WPA and WPA2 uses a 256-bit key derived from a password for authentication.
The Enterprise variants of WPA and WPA2, also known as 802.1x
uses a RADIUS server for authentication purposes. Authentication is achieved using variants of the EAP protocol. This is a more complex but more secure setup.
The key difference between WPA and WPA2 is the encryption protocol used. WPA uses the TKIP protocol whilst WPA2 introduces suport for the CCMP protocol.
-
So when using a RADIUS server, an EAP protocol will be used instead of TKIP or CCMP? – May 12 '13 at 08:46
-
4@Unw0und No, EAP is an *authentication* protocol while TKIP and CCMP is an *encryption* protocol. – May 12 '13 at 08:50
-
26This answer isn't very informative. How is EAP “more secure”? Does it protect against more threats, or provide greater strength against brute force? What difference does TKIP vs CCMP make? – Gilles 'SO- stop being evil' May 12 '13 at 11:48
-
5EAP is more secure because the keying material is unique and created between client and AP rather than generated based on a known value (PSK). In personal mode, the keying material is generated based off a known value (the PSK) and anyone with that known value is able to capture the key negotiation and therefore decrypt all the resulting traffic. Additionally, with EAP, the keying material can be changed during the session, making it more secure. – YLearn May 13 '13 at 02:30
-
I think I could make this clarification simpler again. Put simply every user has their own "password" (key) instead of using a shared one that everyone is using. – Matthew1471 Apr 20 '16 at 19:36
-
7WPA2 Personal uses one key. Everyone with the key knows how to decrypt your computer's traffic. The WiFi segment is one big broadcast network. Wired networks will generally keep your computer's traffic private as long as the switches are secured. Your traffic goes along the wire and is handed to its destination only. Even someone plugged in to another jack can't see the traffic unless the switch is not set up correctly. WPA Enterprise gives every user their own private session key. This removes the broadcast effect. Now the WiFi network behaves like everyone has their own wire. – Andrew Nov 01 '16 at 22:35
Say you have 10 users. In PSK mode all 10 users are using the same passphrase to generate the same key. Therefore, the likelyhood of capturing traffic and analyzing it to find the key is higher with so much traffic, and that key will be good until all 10 users agree to change the passphrase (and therefore the key)
If those same 10 users use their own username and password to log in to an enterprise WiFi network, each user authenticates to the RADIUS server, which then generates a key for their session and hands that to the AP to use with their client.
Therefore the traffic with the same key is only one users traffic, so it is 1/10th as much data to work with, and the key will change the next time the user logs in. The password the user authenticates with may stay the same, but the key that that generates is unique to each session. Combined with good password habits, WPA enterprise is better. Also, individual users access can be revoked at any time without affecting other users.
- 1,057
- 7
- 11
-
"individual users access can be revoked at any time without affecting other users" I did't know that. Do you mean they can be revoked in real time? If that is the case, what would I user see? Just a disconnection and when tries to connect with his password an error message? If my RADIUS server is connected to a SQL database and I remove a user, will this user be removed in real time? Thanks a lot for clarification. – Ricardo Sep 09 '17 at 17:11
WPA2 is more secure than WPA as explained by Terry. You just need to understand the difference between personal (pre shared key) and enterprise versions of both the protocols.
The personal version is where all the users share a secret password that is configured in the access point. In the enterprise version there is a central authentication server and all the users have different sets of credentials that they use in order to access WiFi. So basically there is no single shared password.
- 7,285
- 5
- 27
- 59
The Enterprise (RADIUS/EAP/802.1X) mode of WPA or WPA2 provides the following benefits over using the Personal (Pre-Shared Key or PSK) mode of WPA or WPA2:
- Overall it complicates the process of "hacking" the wireless.
- Each user can be assigned a unique login credential (username or password, security certificates, or smartcard) for the Wi-Fi, instead of a single global password for all.
- User-to-user snooping is prevented, unlike with the Personal mode where connected users can capture each others traffic, including passwords and session hijacking.
- Enables additional controls (authorizations) such as Login-Time, allowing you to define the exact days and times users can login, Called-Station-ID to specify which access points they can connect through, and Calling-Station-ID to specify which client devices they can connect from.
Though the Enterprise mode requires the use of a RADIUS server, there are hosted or cloud services out there.
- 41
- 1
There are lots of terms being mixed here.
WPA2 is an encryption scheme. The enterprise vs. personal refer to the authentication scheme but not the encryption scheme. The authentication scheme basically verifies your identity to the network owner before you are allowed to send encrypted data.
From an Encryption view point, WPA2-Enterprise and WPA2-Personal have the same 256-bit Encryption algorithm (I believe it is called AES-CCMP). So the difference between them lies in the authentication scheme.
Now, EAP and 802.1x can be thought of as one and the same protocol. They define signalling methods to allow the authentication to happen between (now this is important): the client, the access point and a third entity called the registrar which store the authentication credentials. EAP is used in Personal and Enterprise BUT the key difference is the location and the type of credentials that the registrar requires from the client before agreeing to grant it access to the network. In PERSONAL, it is common for the registrar to reside on the same physical entity as the access point (i.e. wireless router) and the authentication method is usually based on a pre-shared key (e.g. the ones that is pre-programmed with the router when you buy it or the one that the owner of the router would give you when you come to his place). Changing that pre-shared key requires a global update whenever any of the old clients want to access the network again (i.e. you have to tell them that you changed the key and the key is XYZ). In ENTERPRISE the registrar is usually a separate entity that runs a protocol called RADIUS. It provides more manageability (e.g. pre-shared key for every user, the admin can revoke a key for a particular user, etc..).
Now something really important here (from a security view point), the encryption key (i.e. not the authentication) is derived from the pre-shared key, thus it is easier for someone who has the pre-shared authentication KEY in PERSONAL to recreate the encryption key and thus decrypt the data. In addition, PERSONAL allows for other methods to further simplify the issue of entering pre-shared key such as the push-button (push-button on routher and device at the same time and everything happens seamlessly). This method compromised the security if someone was listening on the channel and shown to be easily breakable (now the term easily is relative!!). Such method is not available in Enterprise. Therefore in summary yes Enterprise is more secure but is also more suited for someone who has the knowledge and resources to install and administer a RADIUS server. Good security is achievable over PERSONAL by choosing a strong pre-shared key and disabling the push-button method on the wireless router.
- 103
- 5
- 31
- 1
I am assuming when you ask whether WPA-Enterprise is more secure than WPA2, you mean WPA2-PSK (aka WPA-Personal). This is a bit like asking are vegetables healthier than an apple. WPA-Enterprise covers a spectrum of authentication methods (about 100 of them all under the extensible authentication protocol), some very strong, some very weak. WPA2-PSK is a specific means of authentication relying on 256-bit AES. The only feasible way to break WPA2-PSK is to capture the handshake packets and then run a dictionary attack against it. It doesn't matter how many handshakes you capture (i.e. whether it is one client or 100 that connect using the password). It's not like WEP. Hence if you have a good password (e.g. 20 characters and fairly random), it will be pretty darn secure. By comparison, WPA-Enterprise can use schemes that are weak, such as LEAP, which uses the MS-CHAPv2 handshakes. These are mere 56-bit DES encryption, easily crackable via brute force regardless of password complexity. Now, among the 100 EAP options, which range in cost and complexity, you can find something that would approximate the strength of a WPA2-PSK with a random 20 character password. But if that is your only goal, you are missing the point of WPA Enterprise. The main driver for WPA Enterprise is the granular control you can have over who or what connects to your network. WPA Enterprise can create credentials for each device and user. If you all of a sudden you need to cut out one user or a category of devices (e.g. mobile phones) you can do that. Of course in setting it up, if you botch the implementation by using something like LEAP, you just let those people/things that you turn away at the front door in through the back door. Unless you have the budget, resources, and need for WPA Enterprise, WPA2-PSK will be easier, cheaper and likely more secure. The three caveats: A sufficiently complex password that you change occasionally, you have no need for user or device specific control, and most important - disable that utterly stupid Wifi Protected Access (WPS) that comes on some access points.
- 79
- 3
It's not. WPA-Enterprise and WPA-PSK will ultimately create a PTK key to be used in the TKIP algorithm, because it is WPA, therefore less secure than WPA2, whether it is WPA2-PSK or WPA2-Enterprise.
Enterprise just offers encryption for the 4-way handshake, such as PEAP, or use of certificates, so WPA-Enterprise is arguably more secure than WPA-PSK but will ultimately meet the same fate. Enterprise also offers higher granularity over who accesses the network by using user accounts or per-user preshared key information from RADIUS or ultimately Active Directory for material to be used in CCMP key generation.
- 151
- 1
- 6