📘 CCNA 200-301 v1.1
5.9 Describe wireless security protocols (WPA, WPA2, and WPA3)
Wireless networks (Wi-Fi) allow devices to connect to the network without cables.
But this also makes them more vulnerable to attacks, because anyone nearby can try to connect or capture wireless data.
To protect wireless networks, we use wireless security protocols.
These protocols encrypt (scramble) data so that even if someone captures it, they cannot read or modify it easily.
🔒 Main Wireless Security Protocols Over Time
| Protocol | Year Introduced | Encryption Used | Security Level | Status |
|---|---|---|---|---|
| WEP (Wired Equivalent Privacy) | 1997 | RC4 | Weak | Obsolete |
| WPA (Wi-Fi Protected Access) | 2003 | TKIP | Better than WEP | Legacy |
| WPA2 | 2004 | AES (CCMP) | Strong | Still Common |
| WPA3 | 2018 | AES (GCMP) + SAE | Very Strong | Latest Standard |
1. WEP (Wired Equivalent Privacy) – (for reference only)
Although not part of the current CCNA objectives, it’s important to know why newer protocols were created.
- Used in early Wi-Fi networks (802.11b)
- Used RC4 stream cipher for encryption
- Weakness: Used static keys (same key for all packets) → easy to crack
- Status: Completely insecure and deprecated
So, it was replaced by WPA.
2. WPA (Wi-Fi Protected Access)
🧠 Purpose:
To fix WEP’s weaknesses quickly, before a more permanent solution was ready.
⚙️ Key Features:
- Introduced in 2003 (as a temporary fix for WEP)
- Uses TKIP (Temporal Key Integrity Protocol)
- Supports 802.1X authentication for enterprise networks
- Provides Message Integrity Check (MIC) to prevent data tampering
🔐 How WPA Works (Simplified)
When a wireless client connects:
- It authenticates using a pre-shared key (PSK) or 802.1X (RADIUS).
- TKIP dynamically changes the encryption key for each packet — improving security compared to WEP.
- Data is then encrypted before transmission.
⚠️ WPA Weaknesses:
- Still uses the old RC4 cipher, just with improvements.
- TKIP is no longer considered secure today.
- WPA has been replaced by WPA2.
3. WPA2 (Wi-Fi Protected Access 2)
🧠 Purpose:
To provide stronger security by using modern encryption.
⚙️ Key Features:
- Introduced in 2004 (based on IEEE 802.11i standard)
- Uses AES (Advanced Encryption Standard) with CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
- Can work in two modes:
- WPA2-Personal (PSK): Uses a shared password (for small networks)
- WPA2-Enterprise: Uses a RADIUS server and 802.1X authentication (for corporate networks)
🔐 How WPA2 Works (Simplified)
- When a device connects, it authenticates using:
- Pre-shared key (PSK) or
- Enterprise authentication (EAP/RADIUS).
- A secure encryption key is created.
- All communication is encrypted using AES/CCMP.
✅ Advantages of WPA2
- Much stronger encryption than WPA.
- Widely used and still supported on most devices.
- Meets most security needs for home and enterprise networks.
⚠️ WPA2 Weaknesses
- Vulnerable to brute-force attacks if users choose weak passwords.
- The KRACK (Key Reinstallation Attack) vulnerability (discovered in 2017) can exploit WPA2 if not patched.
- Lacks forward secrecy (if the password is compromised later, past traffic can be decrypted).
Because of these issues, WPA3 was created.
4. WPA3 (Wi-Fi Protected Access 3)
🧠 Purpose:
To replace WPA2 with stronger protection, especially against modern attacks.
⚙️ Key Features:
- Introduced in 2018 by the Wi-Fi Alliance.
- Uses AES-GCMP (Galois/Counter Mode Protocol) for encryption (stronger and faster than CCMP).
- Introduces SAE (Simultaneous Authentication of Equals) instead of PSK.
🔐 How WPA3 Works (Simplified)
- When two devices connect, they use SAE to perform a secure key exchange:
- SAE protects against dictionary attacks (guessing passwords).
- Even if someone captures the handshake, they cannot reuse or crack it offline.
- Encryption is done using AES-GCMP.
- Provides Forward Secrecy — past sessions stay secure even if the password is later leaked.
✅ WPA3 Key Improvements
| Feature | WPA2 | WPA3 |
|---|---|---|
| Encryption | AES-CCMP | AES-GCMP |
| Authentication | PSK / 802.1X | SAE / 802.1X |
| Offline dictionary attack protection | ❌ | ✅ |
| Forward secrecy | ❌ | ✅ |
| Mandatory encryption (Open networks) | ❌ | ✅ (OWE – Opportunistic Wireless Encryption) |
| Device onboarding | Manual | Easy Connect (QR code or NFC) |
| Recommended for IoT | Limited | Supported |
🏢 WPA3 Modes
- WPA3-Personal:
- Uses SAE for authentication.
- No need for RADIUS server.
- Stronger than WPA2-PSK.
- WPA3-Enterprise:
- Uses 802.1X and RADIUS for authentication.
- Provides 192-bit encryption strength for sensitive environments.
⚠️ WPA3 Compatibility Notes
- Older devices may not support WPA3 unless firmware is updated.
- Many modern routers offer a “WPA2/WPA3 mixed mode” to support both old and new clients.
5. Summary Table for CCNA
| Feature | WPA | WPA2 | WPA3 |
|---|---|---|---|
| Year Introduced | 2003 | 2004 | 2018 |
| Encryption | TKIP (RC4) | AES-CCMP | AES-GCMP |
| Authentication | PSK / 802.1X | PSK / 802.1X | SAE / 802.1X |
| Protection Against Brute Force | Weak | Moderate | Strong |
| Forward Secrecy | No | No | Yes |
| Secure Open Networks | No | No | Yes (OWE) |
| Current Use | Legacy | Common | Recommended |
6. Exam Tip for CCNA 200-301
✅ You must remember:
- WPA used TKIP (temporary fix for WEP).
- WPA2 uses AES/CCMP (strong, widely used).
- WPA3 uses SAE (most secure, prevents offline dictionary attacks).
- WPA2 and WPA3 both can use 802.1X for Enterprise authentication.
- WEP is obsolete and not used anymore.
📘 Key Terms to Know
- TKIP: Temporal Key Integrity Protocol – older encryption used in WPA.
- AES: Advanced Encryption Standard – strong encryption used in WPA2 and WPA3.
- CCMP: Counter Mode with CBC-MAC Protocol – ensures confidentiality and integrity.
- GCMP: Galois/Counter Mode Protocol – advanced encryption mode used in WPA3.
- SAE: Simultaneous Authentication of Equals – new, secure handshake for WPA3.
- 802.1X: Framework for centralized authentication (usually with RADIUS server).
