The Evolution of Wi-Fi Security: From WEP to WPA3

Wi-Fi security has undergone dramatic changes since the late 1990s. What started as a fundamentally flawed encryption scheme has evolved into robust, cryptographically sound protocols. Understanding this evolution helps you appreciate why certain practices matter and why you should never connect to a WEP network.

This guide walks through each major Wi-Fi security protocol, explaining what it does, why it was created, and how it was eventually broken.

Timeline at a Glance

Year | Event
1997 | WEP introduced with IEEE 802.11
2001 | WEP cracked (Fluhrer-Mantin-Shamir attack)
2003 | WPA released (Wi-Fi Alliance, based on draft 802.11i)
2004 | WPA2 / IEEE 802.11i ratified
2008 | TKIP attacks demonstrated (Beck-Tews)
2012 | TKIP officially deprecated
2017 | KRACK attack breaks WPA2 handshake
2018 | WPA3 announced
2020 | WPA3 mandatory for Wi-Fi certification

WEP: Wired Equivalent Privacy (1997-2004)

Status: Deprecated and completely broken

WEP was the original security protocol included in the IEEE 802.11 standard in 1997. Its goal was to provide confidentiality comparable to a traditional wired network—hence "Wired Equivalent Privacy."

WEP Variants and Key Sizes

WEP came in several variants with different key lengths:

Variant           | User Key | IV      | Total Key | Input Format
WEP-40 / WEP-64   | 40 bits  | 24 bits | 64 bits   | 10 hex characters
WEP-104 / WEP-128 | 104 bits | 24 bits | 128 bits  | 26 hex characters
WEP-152           | 128 bits | 24 bits | 152 bits  | 32 hex characters
WEP-256           | 232 bits | 24 bits | 256 bits  | 58 hex characters

Why the confusing names? WEP-64 and WEP-128 refer to the total key size (including IV), while WEP-40 and WEP-104 refer to the user-supplied key portion. They're the same thing:

  • WEP-40 = WEP-64 (40-bit key + 24-bit IV)
  • WEP-104 = WEP-128 (104-bit key + 24-bit IV)

Why was the original key so short? The initial 40-bit key limit was due to US export restrictions on cryptography in the 1990s. US law classified strong encryption as a munition, restricting its export. Once these restrictions were relaxed in 2000, manufacturers introduced 128-bit WEP. Some vendors later offered 152-bit and 256-bit variants, but these never became widespread.

The fatal flaw: Regardless of key length, the IV was always 24 bits. Longer keys didn't fix the fundamental weakness—with only 16.7 million possible IVs, collisions were inevitable on busy networks.

How WEP Works

WEP uses the RC4 stream cipher for encryption:

  1. Key Setup: The shared secret key is concatenated with a 24-bit Initialization Vector (IV)
  2. Encryption: The combined key seeds the RC4 cipher to generate a keystream
  3. XOR: Plaintext is XORed with the keystream to produce ciphertext
  4. Integrity: A CRC-32 checksum (called ICV) is appended for integrity checking

Packet Structure:
┌──────────┬───────────────────────────────┬──────────┐
│    IV    │        Encrypted Data         │   ICV    │
│ 24 bits  │   (plaintext XOR keystream)   │ 32 bits  │
└──────────┴───────────────────────────────┴──────────┘

Why WEP Failed

WEP had multiple fatal flaws:

1. Tiny IV Space (24 bits)

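With only 24 bits, there are only 16.7 million possible IVs. On a busy network, IVs repeat within hours. When two packets use the same IV, they are encrypted with the same keystream, so an attacker can XOR the two ciphertexts together to cancel the keystream. What remains is the XOR of the two plaintexts, from which the plaintext can be recovered.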

2. Weak Key Scheduling (FMS Attack)

In 2001, Scott Fluhrer, Itsik Mantin, and Adi Shamir published their groundbreaking paper showing that certain "weak IVs" leak information about the secret key. By collecting packets with IVs matching patterns like (3, 255, x), an attacker can statistically recover the key byte by byte.

The math behind FMS:

  • After RC4's Key Scheduling Algorithm processes certain IVs, the internal state becomes predictable
  • Knowing the first byte of plaintext (usually 0xAA from the SNAP header), attackers can derive keystream bytes
  • With enough weak IVs (~100,000 to 1,000,000 packets), the entire key can be recovered

3. No Replay Protection

WEP has no mechanism to prevent replay attacks. An attacker can capture a valid packet and retransmit it indefinitely.

4. Linear CRC-32 Integrity

CRC-32 is a linear, unkeyed checksum, so it is not cryptographically secure. Attackers can modify encrypted packets and update the checksum without knowing the key (chop-chop attack).
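
The encapsulation steps from "How WEP Works" together with flaws 1 and 4 above, as an added Python example that is not part of the original article. The key, IV and payloads are constructed sample values, and the frame follows the article's simplified IV | data | ICV layout.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """n bytes of RC4 keystream: key scheduling (KSA), then generation (PRGA)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32 (little-endian), no key involved."""
    return zlib.crc32(data).to_bytes(4, "little")

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    body = plaintext + icv(plaintext)                 # step 4: append the ICV
    return iv + xor(body, rc4(iv + key, len(body)))   # steps 1-3; IV sent in clear

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    clear = xor(body, rc4(iv + key, len(body)))
    if icv(clear[:-4]) != clear[-4:]:
        raise ValueError("ICV mismatch")
    return clear[:-4]

def same_iv_xor(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """XOR of two ciphertexts sent under one (key, IV): the keystream cancels."""
    return xor(wep_encrypt(key, iv, p1)[3:], wep_encrypt(key, iv, p2)[3:])

def icv_is_linear(a: bytes, b: bytes) -> bool:
    """For equal lengths, crc(a^b) = crc(a)^crc(b)^crc(0..0): no key, not a MAC."""
    return icv(xor(a, b)) == xor(xor(icv(a), icv(b)), icv(bytes(len(a))))

# Constructed sample values, not taken from any real network.
KEY = bytes.fromhex("0102030405")                     # WEP-40 user key
IV = bytes.fromhex("a1b2c3")                          # 24-bit IV
P1, P2 = b"\xaa\xaa\x03 first frame", b"\xaa\xaa\x03 other frame"
```

A longer user key changes none of these results, because the repeated IV and the unkeyed checksum are independent of key length.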

Cracking WEP in Practice

Tools like aircrack-ng can crack WEP in minutes:

# Capture packets with IVs
airodump-ng --bssid TARGET_MAC -c CHANNEL -w capture wlan0mon

# Crack the key (needs ~20,000+ IVs for 64-bit, ~40,000+ for 128-bit)
aircrack-ng capture-01.cap

In 2005, the FBI demonstrated cracking a WEP network in under 3 minutes using publicly available tools.

Bottom line: Never use WEP. It provides essentially no security.


WPA: Wi-Fi Protected Access (2003-2012)

Status: Deprecated (TKIP deprecated in 2012)

By 2003, WEP's weaknesses were well-known, but millions of devices couldn't support a completely new protocol. The Wi-Fi Alliance created WPA as an emergency stopgap—a firmware update that could run on existing hardware while providing much better security.

How WPA Improved on WEP

WPA introduced the Temporal Key Integrity Protocol (TKIP), which wrapped RC4 with additional security layers:

1. Per-Packet Key Mixing

Instead of using the same key for every packet, TKIP generates a unique key for each packet using a mixing function:

Per-Packet Key = Mix(Temporal Key, IV, Transmitter MAC)

This eliminates the weak IV problem that doomed WEP.

2. Extended IV Space (48 bits)

TKIP uses a 48-bit IV (called TSC - TKIP Sequence Counter), providing 281 trillion possible values—enough to never repeat during a session.

3. Sequence Counter (Replay Protection)

The TSC also serves as a sequence number. Packets with a TSC less than or equal to the last received TSC are rejected, preventing replay attacks.

4. Michael MIC (Message Integrity Code)

TKIP replaced CRC-32 with "Michael," a cryptographic message integrity code. Michael is weak by modern standards (only 64 bits), but it was designed to run on WEP hardware.

Packet with Michael:
┌──────────┬─────────────────────────┬─────────────┬──────────┐
│   TSC    │     Encrypted Data      │ Michael MIC │   ICV    │
│ 48 bits  │  (TKIP per-packet key)  │   64 bits   │ 32 bits  │
└──────────┴─────────────────────────┴─────────────┴──────────┘

5. Countermeasures

If two invalid MIC failures occur within 60 seconds, the access point disconnects all clients and regenerates keys—an extreme but necessary defense against attacks.

The 4-Way Handshake

WPA introduced the 4-way handshake for key establishment, which is still used in WPA2 and WPA3:

  Client                                      AP
    │                                          │
    │ ◄─────── Message 1: ANonce ───────────── │
    │              (AP's random number)        │
    │                                          │
    │ ──────── Message 2: SNonce, MIC ───────► │
    │          (Client's random + proof)       │
    │                                          │
    │ ◄─────── Message 3: GTK, MIC ─────────── │
    │            (Group key, encrypted)        │
    │                                          │
    │ ──────── Message 4: ACK ──────────────►  │
    │              (Confirmation)              │
    │                                          │

Both sides derive the Pairwise Transient Key (PTK):

PTK = PRF(PMK, ANonce, SNonce, AP MAC, Client MAC)

where PMK = PBKDF2(Passphrase, SSID, 4096, 256): the SSID is the salt, 4096 is the iteration count, and 256 is the output length in bits.

This handshake ensures that both parties prove knowledge of the Pre-Shared Key (PSK) without transmitting it.

Why WPA/TKIP Failed

In 2008, Martin Beck and Erik Tews demonstrated the first practical attack against TKIP:

The Beck-Tews Attack:

  1. TKIP still uses the underlying WEP mechanism with CRC-32
  2. The "chop-chop" attack from WEP still works—but triggers MIC countermeasures
  3. By waiting 60 seconds between attempts, attackers can slowly decrypt packets
  4. Once the MIC key is recovered, attackers can inject arbitrary packets

The attack takes 12-15 minutes to decrypt a single packet, but it proved TKIP wasn't secure enough for long-term use. TKIP was officially deprecated in 2012.

Bottom line: Don't use WPA with TKIP. Use WPA2 or WPA3 with AES.


WPA2: IEEE 802.11i (2004-Present)

Status: Still widely used, but superseded by WPA3

WPA2 implemented the full IEEE 802.11i security standard. Unlike WPA (which was a quick fix), WPA2 was designed from the ground up with proper cryptography.

Key Improvements

1. AES-CCMP Instead of RC4-TKIP

WPA2 uses AES (Advanced Encryption Standard) in CCMP mode (Counter Mode with CBC-MAC Protocol):

  • AES: 128-bit block cipher, far stronger than RC4
  • Counter Mode (CTR): Provides confidentiality
  • CBC-MAC: Provides integrity (replaces Michael MIC)

CCMP Packet:
┌──────────┬────────────────────────────┬──────────┐
│    PN    │   AES-CTR Encrypted Data   │ CBC-MAC  │
│ 48 bits  │                            │ 64 bits  │
└──────────┴────────────────────────────┴──────────┘

PN = Packet Number (like TKIP's TSC)

2. Stronger Integrity

CBC-MAC is a proper cryptographic MAC, unlike CRC-32 or Michael. It's computationally infeasible to forge.

3. Same Handshake, Different Cipher

WPA2 uses the same 4-way handshake as WPA, but derives keys for AES instead of RC4.

WPA2-Personal vs WPA2-Enterprise

Feature        | WPA2-Personal (PSK)         | WPA2-Enterprise
Authentication | Pre-Shared Key              | 802.1X / RADIUS
Key Derivation | Password + SSID             | Per-user, per-session
Use Case       | Home networks               | Corporate networks
Security       | Password strength dependent | Stronger (unique keys per user)

The KRACK Attack (2017)

WPA2's encryption (AES-CCMP) was never broken. Instead, researcher Mathy Vanhoef found a flaw in the 4-way handshake implementation:

How KRACK Works:

  1. The AP sends Message 3 of the handshake
  2. If the AP doesn't receive Message 4, it retransmits Message 3
  3. Each time the client receives Message 3, it reinstalls the same session key
  4. Reinstalling the key resets the packet number (nonce) to zero
  5. Once the nonce repeats, AES-CTR produces the same keystream again (keystream reuse)

Normal:
  Message 3 ──► Client installs key, nonce = 0
  Data packets use nonce 1, 2, 3...

KRACK Attack:
  Message 3 ──► Client installs key, nonce = 0
  Attacker blocks Message 4
  Message 3 (retransmit) ──► Client reinstalls key, nonce = 0 again!
  Now attacker knows: ciphertext1 XOR ciphertext2 = plaintext1 XOR plaintext2

Impact:

  • Linux and Android were especially vulnerable (wpa_supplicant installed an all-zero key!)
  • Attackers could decrypt traffic, inject packets, and hijack connections
  • The attack required being within Wi-Fi range—no remote exploitation

Mitigation:

  • Software patches prevent key reinstallation
  • WPA3's SAE handshake is designed to resist this attack
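
A model of the "prevent key reinstallation" patch, added here as an example and not taken from the article or from any real supplicant's code. The class, its method names and the sample key are hypothetical; the packet numbering follows the Normal/KRACK trace above.

```python
class Supplicant:
    """Minimal model of how a client handles handshake Message 3."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.tk = None        # temporal key currently installed
        self.pn = 0           # packet number, used as the AES-CTR nonce
        self.sent = []        # (tk, pn) pair of every data frame transmitted

    def on_message3(self, tk: bytes) -> str:
        already_installed = self.tk == tk
        if not (self.patched and already_installed):
            self.tk, self.pn = tk, 0      # (re)installing the key resets the nonce
        return "Message 4"                # always answer, even a retransmission

    def send_data(self) -> None:
        self.pn += 1
        self.sent.append((self.tk, self.pn))

def reused_nonces(sent: list) -> list:
    """(key, packet number) pairs that were used for more than one frame."""
    seen, reused = set(), []
    for pair in sent:
        if pair in seen and pair not in reused:
            reused.append(pair)
        seen.add(pair)
    return reused

def replay_message3(patched: bool) -> tuple:
    """Message 3, two data frames, a retransmitted Message 3, two more frames."""
    sta, tk = Supplicant(patched), bytes(range(16))   # constructed sample key
    for _ in range(2):
        sta.on_message3(tk)
        sta.send_data()
        sta.send_data()
    return [pn for _, pn in sta.sent], [pn for _, pn in reused_nonces(sta.sent)]
```

The unpatched client sends packet numbers 1, 2, 1, 2 under one key; the patched client still answers the retransmission but continues with 3 and 4, and a genuinely new key still starts from zero.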

Bottom line: WPA2 with AES is still acceptable if patched, but WPA3 is preferred.


WPA3: The Current Standard (2018-Present)

Status: Current standard, mandatory for Wi-Fi 6E and Wi-Fi 7

WPA3 addresses the accumulated weaknesses of WPA2. It was announced in January 2018 and became mandatory for Wi-Fi certification in July 2020.

WPA3-Personal: SAE Authentication

The biggest change in WPA3-Personal is replacing PSK with SAE (Simultaneous Authentication of Equals), based on the Dragonfly Key Exchange.

Why SAE is Better:

Feature                    | WPA2-PSK        | WPA3-SAE
Key Exchange               | 4-way handshake | Dragonfly (SAE)
Offline Dictionary Attacks | Vulnerable      | Protected
Forward Secrecy            | No              | Yes
KRACK Resistance           | Vulnerable      | Protected

How SAE Works:

SAE treats both parties (client and AP) as equals. Neither side is an "authenticator"—both prove they know the password simultaneously.

SAE "Dragonfly" Exchange:

  Client                                    AP
    │                                        │
    │ ─────► Commit: scalar, element ──────► │
    │ ◄───── Commit: scalar, element ◄────── │
    │                                        │
    │ ─────► Confirm: confirm value ───────► │
    │ ◄───── Confirm: confirm value ◄─────── │
    │                                        │
    ├─────── Both derive the same PMK ───────┤
    │                                        │
    └───── (Then proceed to 4-way handshake) ┘

Technical details:

  • SAE uses elliptic curve cryptography (or finite field)
  • The password is converted to a point on the curve (Password Element)
  • Both sides generate random scalars and compute commitments
  • Zero-knowledge proofs ensure neither side reveals the password
  • Each session generates a unique PMK, providing forward secrecy

Forward Secrecy Explained:

With WPA2-PSK, if an attacker records your traffic and later obtains your password, they can decrypt all recorded traffic.

With WPA3-SAE, each connection uses fresh random values to derive the PMK. Even if the password is compromised later, past sessions cannot be decrypted.
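
A simplified model of the commit/confirm exchange and the per-session PMK described above, added here as an example and not taken from the article or from any SAE implementation. It assumes a stand-in group (integers modulo the prime 2^255 - 19) and a single-hash Password Element; real SAE uses standardized elliptic-curve or finite-field groups and a hardened Password Element derivation. The MAC addresses are constructed.

```python
import hashlib
import hmac
import secrets

P = 2**255 - 19     # prime modulus of the stand-in group (assumption, not an SAE group)
ORDER = P - 1       # exponents are reduced modulo the group order

def h(*parts) -> bytes:
    """SHA-256 over the parts; integers are encoded as 32 big-endian bytes."""
    return hashlib.sha256(b"".join(
        x if isinstance(x, bytes) else x.to_bytes(32, "big") for x in parts)).digest()

def password_element(password: str, mac_a: bytes, mac_b: bytes) -> int:
    """Simplified PE: hash the password and both MACs, then square modulo P."""
    seed = h(max(mac_a, mac_b), min(mac_a, mac_b), password.encode())
    return pow(int.from_bytes(seed, "big") % P, 2, P)

class Peer:
    def __init__(self, pe: int):
        self.pe = pe
        self.rand = 2 + secrets.randbelow(ORDER - 2)     # fresh for every session
        mask = 2 + secrets.randbelow(ORDER - 2)
        self.scalar = (self.rand + mask) % ORDER
        self.element = pow(pe, ORDER - mask, P)          # inverse of PE^mask

    def process_commit(self, scalar: int, element: int) -> None:
        if not (1 < scalar < ORDER and 1 < element < P):
            raise ValueError("invalid commit")
        shared = pow(pow(self.pe, scalar, P) * element % P, self.rand, P)
        self.peer = (scalar, element)
        self.kck = h(b"confirm", shared)
        self.pmk = h(b"pmk", shared, (self.scalar + scalar) % ORDER)

    def confirm(self) -> bytes:
        return hmac.new(self.kck, h(self.scalar, self.element, *self.peer), "sha256").digest()

    def verify(self, peer_confirm: bytes) -> bool:
        want = hmac.new(self.kck, h(*self.peer, self.scalar, self.element), "sha256").digest()
        return hmac.compare_digest(want, peer_confirm)

STA, AP = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")  # constructed

def sae_session(sta_password: str, ap_password: str) -> tuple:
    """Commit and confirm in both directions; returns (accepted, client PMK)."""
    sta = Peer(password_element(sta_password, STA, AP))
    ap = Peer(password_element(ap_password, STA, AP))
    sta.process_commit(ap.scalar, ap.element)
    ap.process_commit(sta.scalar, sta.element)
    return ap.verify(sta.confirm()) and sta.verify(ap.confirm()), sta.pmk
```

Two sessions with the same password produce different PMKs because `rand` is discarded after each exchange, and a mismatched password shows up only as a failed confirm.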

WPA3-Enterprise: 192-bit Security

WPA3-Enterprise adds an optional 192-bit security mode using:

  • AES-256-GCM for encryption
  • SHA-384 for key derivation
  • 384-bit Elliptic Curve Diffie-Hellman
  • BIP-GMAC-256 for management frame protection

This meets Commercial National Security Algorithm (CNSA) requirements for government and high-security applications.

Protected Management Frames (PMF)

WPA3 mandates Protected Management Frames (PMF), preventing:

  • Deauthentication attacks (forcing clients to disconnect)
  • Disassociation attacks
  • Channel switch attacks

Previously optional in WPA2, PMF is now required. This stops the classic "deauth attack" that forces handshake captures.

Transition Mode

WPA3 supports a transition mode where both WPA2 and WPA3 clients can connect. However, this can be exploited through downgrade attacks, where an attacker forces a WPA2 connection. For maximum security, use WPA3-only mode.

Dragonblood Vulnerabilities

Shortly after WPA3's release, researchers (including Mathy Vanhoef) found vulnerabilities called "Dragonblood":

  1. Timing Side-Channel Attacks: Implementation flaws leaked information about the password
  2. Cache-Based Side-Channel Attacks: Attackers could observe memory access patterns
  3. Downgrade Attacks: Forcing WPA2 fallback

These have been addressed through:

  • Implementation patches
  • Hash-to-Element (H2E) method for Password Element derivation (mandatory for Wi-Fi 6E/7)
  • Guidance against transition mode in high-security environments

Comparison Table

Protocol | Encryption       | Authentication | Key Exchange      | Status
WEP      | RC4 (40/104-bit) | Shared Key     | None              | Broken
WPA      | RC4-TKIP         | PSK or 802.1X  | 4-way handshake   | Deprecated
WPA2     | AES-CCMP         | PSK or 802.1X  | 4-way handshake   | Still used
WPA3     | AES-CCMP/GCMP    | SAE or 802.1X  | Dragonfly + 4-way | Current

Which Should You Use?

For Home Networks:

  • Best: WPA3-Personal (SAE) with a strong passphrase
  • Acceptable: WPA2-Personal (AES) with a strong passphrase
  • Never: WEP or WPA with TKIP

For Enterprise Networks:

  • Best: WPA3-Enterprise with 802.1X/RADIUS
  • Acceptable: WPA2-Enterprise with 802.1X/RADIUS

For Maximum Security:

  • Use WPA3-only mode (no transition mode)
  • Enable Protected Management Frames (PMF)
  • Use a passphrase with 15+ characters
  • Consider 802.1X authentication

Key Takeaways

  1. WEP is completely broken. It can be cracked in minutes. Never use it.

  2. WPA/TKIP was a stopgap. It bought time but has known attacks. Deprecated since 2012.

  3. WPA2/AES is still secure when properly patched, but lacks forward secrecy.

  4. WPA3/SAE is the current standard. Forward secrecy, offline attack resistance, and mandatory PMF make it significantly more secure.

  5. The password still matters. Even WPA3 can be attacked if your password is "password123".

  6. Encryption alone isn't enough. Authentication (proving who you are) and integrity (proving data wasn't modified) are equally important.


References

  • IEEE 802.11i-2004 Standard
  • Wi-Fi Alliance WPA3 Specification
  • Fluhrer, Mantin, Shamir: "Weaknesses in the Key Scheduling Algorithm of RC4" (2001)
  • Beck, Tews: "Practical attacks against WEP and WPA" (2008)
  • Vanhoef, Piessens: "Key Reinstallation Attacks" (2017)
  • RFC 7664: Dragonfly Key Exchange