Wireless Security (WPA3, 802.1X)
Wireless Network Security
Wireless Security Protocol Evolution
Wireless security standards evolved from deeply broken (WEP) to current best practice (WPA3). Each generation fixed critical vulnerabilities in the previous one. The exam tests knowledge of each standard's specific weakness and why it was deprecated.
| Standard | Authentication | Encryption | Status & Key Issues |
|---|---|---|---|
| WEP | Shared key (static, weak) | RC4 with weak IV (Initialization Vector) | BROKEN: crackable in minutes using aircrack-ng. RC4 with a 24-bit IV reuses IVs quickly and exposes the key. Never use. |
| WPA (TKIP) | PSK or 802.1X | TKIP (RC4-based with per-packet key mixing) | DEPRECATED: TKIP has known vulnerabilities and is still RC4-based. Deprecated by IEEE in 2012. |
| WPA2 | PSK or 802.1X | AES-CCMP (128-bit AES) | CURRENT MINIMUM: PSK mode is vulnerable to offline dictionary attacks (handshake capture, PMKID attack). Enterprise mode (802.1X) is significantly stronger. |
| WPA3 | SAE (Personal) or 802.1X (Enterprise) | AES-CCMP-128 (Personal and Enterprise), GCMP-256 (Enterprise 192-bit mode) | CURRENT BEST: SAE defeats offline dictionary attacks. Forward secrecy. PMF mandatory. 192-bit security option for Enterprise. |
WPA3: Key Improvements Over WPA2
SAE (Simultaneous Authentication of Equals): Replaces WPA2's PSK (Pre-Shared Key) handshake. SAE uses the Dragonfly key exchange, a password-authenticated key exchange (PAKE) in which each side proves knowledge of the password without transmitting anything that can be used for offline cracking. Even if an attacker captures the full WPA3 handshake, they cannot run an offline dictionary attack against it. This was the primary vulnerability of WPA2-PSK.
Forward Secrecy: WPA3 sessions use ephemeral keys. If the network password is later compromised, previously captured wireless traffic cannot be decrypted; past sessions are protected. WPA2-PSK has no forward secrecy: a captured handshake plus a later-discovered password decrypts all past traffic for that network.
PMF (Protected Management Frames): WPA3 mandates IEEE 802.11w. This protects deauthentication and disassociation frames from being forged. In WPA2 without PMF, attackers can send fake deauth frames to disconnect clients (deauth attack), typically to force clients to reconnect through a rogue AP. WPA3's mandatory PMF makes these attacks ineffective.
WPA3-Enterprise 192-bit Mode: Optional mode for high-security environments (government, financial). Uses GCMP-256 encryption and HMAC-SHA-384 key derivation, aligned with the CNSA (Commercial National Security Algorithm) suite. Required for classified or highly regulated environments.
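To make the forward-secrecy point concrete, the following Python is an added example (not code from the page or from any project) that implements the two WPA2-PSK derivations defined in IEEE 802.11i: passphrase and SSID to PMK (PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits), and PMK plus handshake values to PTK (PRF-384 over the two MAC addresses and two nonces). The SSID, passphrase, MAC addresses and nonces are constructed; the one fixed expected value is the IEEE 802.11i test vector for passphrase "password" on SSID "IEEE". Because the PMK is a pure function of the passphrase and SSID, and the addresses and nonces travel in the clear in handshake messages 1 and 2, every recorded session's PTK becomes recomputable once the passphrase is known. SAE's per-session key agreement, which removes that property, is not implemented here.

```python
import hashlib
import hmac

# Constructed sample values (not from the page): the AP and station MAC addresses
# and the nonces that appear in the clear in EAPOL messages 1 and 2 of a 4-way handshake.
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
SESSION_A = (bytes(range(0, 32)), bytes(range(32, 64)))    # (ANonce, SNonce) of one session
SESSION_B = (bytes(range(64, 96)), bytes(range(96, 128)))  # a later session with fresh nonces


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte PMK.
    The PMK depends only on the passphrase and SSID, so every session on the network shares it."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_80211i(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenation of HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA, SPA) || max(AA, SPA) || min(ANonce, SNonce) || max(ANonce, SNonce)).
    The 48 bytes split into KCK (16, handshake MIC key), KEK (16) and TK (16, the CCMP data key).
    Everything except the PMK is visible on the air."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_80211i(pmk, b"Pairwise key expansion", data, 48)


def recover_session_ptk(passphrase: str, ssid: str, aa: bytes, spa: bytes,
                        anonce: bytes, snonce: bytes) -> bytes:
    """A recorded handshake plus a later-discovered passphrase yields that old session's PTK:
    this is exactly the missing forward secrecy of WPA2-PSK."""
    return wpa2_ptk(wpa2_pmk(passphrase, ssid), aa, spa, anonce, snonce)


def forward_secrecy_demo(passphrase: str = "correct horse battery", ssid: str = "CorpWiFi") -> dict:
    """Two sessions under the same passphrase get different PTKs (fresh nonces), yet both are
    recomputable from the public handshake values once the passphrase is known."""
    pmk = wpa2_pmk(passphrase, ssid)
    ptk_a = wpa2_ptk(pmk, AP_MAC, STA_MAC, *SESSION_A)
    ptk_b = wpa2_ptk(pmk, AP_MAC, STA_MAC, *SESSION_B)
    recovered_a = recover_session_ptk(passphrase, ssid, AP_MAC, STA_MAC, *SESSION_A)
    return {
        "session_keys_differ": ptk_a != ptk_b,
        "old_session_recoverable": recovered_a == ptk_a,
    }


if __name__ == "__main__":
    print("PMK(password, IEEE) =", wpa2_pmk("password", "IEEE").hex())
    print(forward_secrecy_demo())
```

The defender's reading of the output: on a WPA2-PSK network, any captured handshake should be treated as exposure of all traffic ever sent under that passphrase, which is why the page recommends rotating guest PSKs and moving corporate SSIDs to 802.1X or SAE.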
802.1X Port-Based NAC & EAP Types
802.1X is the IEEE standard for port-based Network Access Control. Used for both wired and wireless networks. Forces authentication before any network access is granted.
EAP Types: Most Secure to Least Secure
| EAP Type | Client Auth | Server Auth | Security Level |
|---|---|---|---|
| EAP-TLS | Client certificate (X.509) | Server certificate (X.509) | HIGHEST: mutual certificate authentication; no passwords; most complex to deploy |
| PEAP | Password (inside TLS tunnel) | Server certificate (X.509) | HIGH: server certificate required; password protected inside TLS; common in enterprise |
| EAP-TTLS | Password (inside TLS tunnel) | Server certificate (X.509) | HIGH: similar to PEAP; supports legacy inner authentication methods; cross-platform |
| EAP-MD5 | Password hash (MD5) | None (no server certificate) | WEAK: no server authentication; vulnerable to MITM; do not use for wireless |
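As an added example (not from the page or from the wpa_supplicant project), the following Python lints wpa_supplicant-style `network={ ... }` blocks for the weaknesses the EAP table and the evil-twin discussion describe: EAP with no `ca_cert` (the RADIUS server certificate is never checked), `ca_cert` without a server-name match (any certificate from that CA is accepted), EAP-MD5, WPA-PSK, TKIP, and missing PMF (`ieee80211w=2`). The option names are real wpa_supplicant options; the SSIDs, identities, file paths and passwords are constructed, and the weak configuration is shown beside a hardened one (EAP-TLS with a pinned server name, and an SAE guest network).

```python
from typing import Dict, List, Tuple

# Constructed wpa_supplicant.conf fragments (not from the page). The option names are
# real wpa_supplicant network-block options; SSIDs, identities, paths and secrets are invented.
WEAK_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    # no ca_cert: the client will accept any RADIUS server certificate (evil-twin risk)
}
network={
    ssid="Warehouse"
    key_mgmt=WPA-PSK
    psk="warehouse2019"
    pairwise=TKIP CCMP
}
"""

HARDENED_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@corp.example"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    client_cert="/etc/wpa_supplicant/alice.pem"
    private_key="/etc/wpa_supplicant/alice.key"
    domain_suffix_match="radius.corp.example"
    pairwise=CCMP
    ieee80211w=2
}
network={
    ssid="Guest"
    key_mgmt=SAE
    sae_password="rotate-me-weekly"
    ieee80211w=2
}
"""

Finding = Tuple[str, str]  # (short code, explanation)


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Minimal parser for network={ key=value ... } blocks; values may be double-quoted."""
    nets, cur = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            cur = {}
        elif line == "}" and cur is not None:
            nets.append(cur)
            cur = None
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip().strip('"')
    return nets


def audit_network(net: Dict[str, str]) -> List[Finding]:
    """Flag the settings that map to the weaknesses in the EAP table and the evil-twin section."""
    findings: List[Finding] = []
    # wpa_supplicant's documented default when key_mgmt is omitted
    kms = set(net.get("key_mgmt", "WPA-PSK WPA-EAP").split())
    if "NONE" in kms or any(k.startswith("wep_key") for k in net):
        findings.append(("WEP_OR_OPEN", "WEP or open network: no usable confidentiality"))
    if "WPA-PSK" in kms:
        findings.append(("PSK", "WPA2-PSK: a captured handshake or PMKID allows offline dictionary attack; use SAE or 802.1X"))
    if "TKIP" in net.get("pairwise", "").split():
        findings.append(("TKIP", "TKIP (RC4-based) allowed; restrict pairwise to CCMP or GCMP-256"))
    if kms & {"WPA-EAP", "WPA-EAP-SHA256", "WPA-EAP-SUITE-B-192"}:
        if net.get("eap") == "MD5":
            findings.append(("EAP_MD5", "EAP-MD5 has no server authentication; use EAP-TLS or PEAP"))
        elif "ca_cert" not in net:
            findings.append(("NO_CA_CERT", "no ca_cert: RADIUS server certificate is not validated (evil-twin risk)"))
        elif not any(k in net for k in ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")):
            findings.append(("NO_SERVER_NAME_MATCH", "ca_cert set but server name not pinned: any certificate from that CA is accepted"))
    if net.get("ieee80211w") != "2":
        findings.append(("PMF_NOT_REQUIRED", "ieee80211w=2 not set: deauth/disassoc frames are not protected"))
    return findings


def audit_config(conf: str) -> Dict[str, List[Finding]]:
    """Map each SSID in the config to its list of findings (empty list means clean)."""
    return {net.get("ssid", "<no ssid>"): audit_network(net) for net in parse_networks(conf)}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_config(conf))
```

The `NO_SERVER_NAME_MATCH` check is the one most often missed in practice: validating the chain against a CA is not enough if that CA also issues certificates to other parties, so pin the RADIUS server's name with `domain_suffix_match` or `domain_match` as well.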
Common Wireless Attacks
Evil Twin (Rogue AP): The attacker sets up an AP mimicking a legitimate SSID, and clients connect to the attacker's AP instead. Mitigated by 802.1X (clients verify the RADIUS server certificate, which a fake AP cannot present) and by wireless intrusion detection.
Deauthentication Attack: The attacker sends forged deauthentication frames (802.11 management frames) to force clients to disconnect, often to force re-authentication so that a handshake can be captured. Mitigated by PMF (Protected Management Frames), which is mandatory in WPA3.
PMKID Attack: WPA2-specific offline cracking attack. The attacker obtains a single PMKID from the AP's first handshake message (no need to wait for a client to connect). The PMKID contains enough information to attempt an offline dictionary attack against the PSK. WPA3's SAE defeats this.
WPS PIN Brute Force: WPS (Wi-Fi Protected Setup) has a design flaw: the 8-digit PIN is verified in two halves, which reduces the brute-force space from 10^8 to 10^4 + 10^3 = 11,000 attempts. Disable WPS on all APs.
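As an added example (not from the page), the following Python is a small wireless-IDS style detection routine for the deauthentication attack described above. It runs over a constructed management-frame log, raises a `DEAUTH_FLOOD` alert when one transmitter address sends eight or more deauth/disassoc frames within one second, and flags unprotected deauth frames attributed to a BSSID that is known to enforce PMF (on a WPA3 network those frames should carry 802.11w protection, so an unprotected one claiming the AP's address is suspect). The log format, the thresholds and the MAC addresses are assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Detection parameters (assumed values; tune to the environment)
WINDOW_SECONDS = 1.0
FLOOD_THRESHOLD = 8
# BSSIDs known to run WPA3 / PMF (constructed inventory)
PMF_BSSIDS = {"02:00:00:00:aa:01"}

Alert = Tuple[str, str, float]  # (alert kind, transmitter address, first timestamp)


def _build_sample_log() -> str:
    """Constructed log (not real capture data): one management frame per line with
    epoch seconds, subtype, transmitter, receiver and whether 802.11w protection was present."""
    lines = [
        "1700000000.000 beacon src=02:00:00:00:aa:01 dst=ff:ff:ff:ff:ff:ff protected=0",
        # a legitimate, protected deauth from the WPA3 AP to one station
        "1700000000.400 deauth src=02:00:00:00:aa:01 dst=02:00:00:00:bb:07 protected=1",
    ]
    # a burst of 12 unprotected broadcast deauths spoofing the WPA3 AP's address
    for i in range(12):
        lines.append(f"{1700000001.0 + i * 0.05:.3f} deauth src=02:00:00:00:aa:01 "
                     "dst=ff:ff:ff:ff:ff:ff protected=0")
    # a WPA2 AP (no PMF) sending two ordinary deauths seconds apart: not a flood
    lines.append("1700000003.000 deauth src=02:00:00:00:aa:02 dst=02:00:00:00:bb:08 protected=0")
    lines.append("1700000009.000 deauth src=02:00:00:00:aa:02 dst=02:00:00:00:bb:09 protected=0")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_line(line: str) -> Dict[str, object]:
    ts, subtype, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": float(ts), "subtype": subtype, "src": fields["src"],
            "dst": fields["dst"], "protected": fields["protected"] == "1"}


def detect(log: str) -> List[Alert]:
    """Sliding-window rate check per transmitter plus a PMF consistency check.
    Each (kind, transmitter) pair is reported once, at the first time it triggers."""
    frames = sorted((parse_line(l) for l in log.strip().splitlines()), key=lambda f: f["ts"])
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    alerts: List[Alert] = []
    seen = set()

    def raise_once(kind: str, src: str, ts: float) -> None:
        if (kind, src) not in seen:
            seen.add((kind, src))
            alerts.append((kind, src, ts))

    for f in frames:
        if f["subtype"] not in ("deauth", "disassoc"):
            continue
        src, ts = f["src"], f["ts"]
        # On a PMF-enforcing BSS, deauth/disassoc to associated peers must be protected.
        # (An AP may still send unprotected deauths to never-associated stations, so in a
        # real WIDS this check would be scoped to broadcast frames or known-associated clients.)
        if src in PMF_BSSIDS and not f["protected"]:
            raise_once("UNPROTECTED_MGMT_ON_PMF_BSS", src, ts)
        window = recent[src]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= FLOOD_THRESHOLD:
            raise_once("DEAUTH_FLOOD", src, ts)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The two checks are complementary: the rate check catches the flood regardless of which network it targets, while the PMF consistency check catches even a single forged frame against a WPA3 BSS, because a genuine AP would have protected it.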
Key Terms
WEP: Wired Equivalent Privacy. Completely broken wireless protocol. RC4 with a 24-bit IV. Crackable in minutes.
WPA2: Wi-Fi Protected Access 2. AES-CCMP encryption. Current minimum. PSK mode is vulnerable to offline dictionary attack.
WPA3: Latest wireless standard. SAE replaces PSK. PMF mandatory. Forward secrecy. 192-bit Enterprise mode available.
SAE: Simultaneous Authentication of Equals. WPA3's replacement for PSK. The Dragonfly key exchange defeats offline dictionary attacks.
CCMP: AES Counter Mode with CBC-MAC Protocol. The encryption standard used in WPA2 and WPA3-Personal. 128-bit AES.
802.1X: IEEE standard for port-based Network Access Control. Requires a RADIUS authentication server. Works on wired and wireless.
RADIUS: Remote Authentication Dial-In User Service. The required Authentication Server in 802.1X deployments.
EAP-TLS: Most secure EAP type. Both client and server authenticate with X.509 certificates. No passwords involved.
PEAP: Protected EAP. The server presents a certificate; the client uses a password inside a TLS tunnel. Common in enterprise Wi-Fi.
Evil Twin: Attacker's access point mimicking a legitimate SSID to intercept client connections.
Deauth Attack: Forged 802.11 deauthentication frames force clients to disconnect. PMF in WPA3 prevents this attack.
PMF: Protected Management Frames, IEEE 802.11w. Cryptographically protects management frames to prevent deauth attacks. Mandatory in WPA3.
- WEP = BROKEN (RC4 + weak 24-bit IV); WPA2 = current minimum (AES-CCMP); WPA3 = latest and best. Never recommend WEP or WPA for anything.
- WPA3 SAE defeats the offline dictionary attacks that plagued WPA2-PSK. Neither the PMKID attack nor 4-way handshake capture works against WPA3 SAE.
- 802.1X requires a RADIUS authentication server. The switch/AP is the Authenticator: it relays the exchange and enforces the result but does not make the authentication decision; the RADIUS server does.
- EAP-TLS = most secure (both sides use certificates, no passwords). PEAP = server certificate + inner password (common, good for enterprises with Active Directory).
- PMF (Protected Management Frames) is mandatory in WPA3 and prevents deauth attacks. In WPA2, PMF is optional (802.11w); enable it if supported.
- Corporate office wireless: Use WPA3-Enterprise with 802.1X (RADIUS server) and EAP-TLS for all corporate devices. Issue client certificates via internal CA (Google Workspace Certificate Manager or HashiCorp Vault PKI). Do NOT allow WPA2-PSK on corporate SSIDs.
- Corporate device authentication: Devices without a valid client certificate are rejected by RADIUS. This prevents unauthorized personal devices from connecting to the corporate network even if their owners know a password, because there is no shared password in 802.1X.
- Guest network: Separate SSID on a separate VLAN with no access to corporate resources. Use WPA3-Personal (SAE) with a unique guest password rotated frequently. The guest network should only have internet access, with no routes to internal RFC 1918 space.
- Partner C frontend users (PH mobile users): The Partner C web app is served over HTTPS regardless of the user's Wi-Fi security. Cloudflare TLS 1.3 protects data in transit even on insecure networks. Advise users to avoid unencrypted public Wi-Fi for sensitive financial operations, or to use a VPN.
- Remote engineers: If working from home on WPA2-PSK (not WPA3), require a full-tunnel VPN connection for any production access. Document this as a risk acceptance if WPA3 cannot be enforced on personal home routers.
Practice Quiz: Wireless Security
Q1. What specific attack does WPA3's SAE protocol prevent that WPA2-PSK is vulnerable to?
Q2. An attacker captures WPA2-PSK network traffic over several months. Later, the network password is discovered. Which statement is TRUE?
Q3. 802.1X wireless authentication requires which server component?
Q4. Which EAP type requires client certificates on BOTH the client device and the authentication server?
Q5. Which WPA3 feature specifically mitigates deauthentication attacks?