How WPA Works

How WPA Works

How WPA Works – WPA, or Wi-Fi Protected Access, was developed as “WEP’s replacement.” There are two versions of Wi-Fi Protected Access: WPA and WPA2. The original WPA standard was intended as a temporary replacement for WEP while the 802.11i (WPA2) standard was being developed. Because of the way WPA works, it was able to run on most existing wireless cards and access points through a simple firmware update.

The technology that allows WPA to work on existing hardware is TKIP, the Temporal Key Integrity Protocol. We won’t go too deeply into the details of how TKIP works, but you should understand the basics. TKIP still uses the RC4 algorithm to encrypt data, which is one of the reasons TKIP can run on existing hardware. TKIP encrypts every packet with its own unique encryption key, which is still based on the root key (the pre-shared WEP key).

Essentially, TKIP is performing a more secure version of what WEP was intended to do using a root WEP key and a “unique” IV for every packet. TKIP also provides a “re-keying mechanism,” which is where it gets its name (because the encryption keys are only “temporary”).

WPA is implemented in two basic ways:

● ● WPA-PSK (Pre-Shared Key)
● ● WPA-Enterprise

How WPA Works


With WPA-PSK (Pre-Shared Key), also sometimes referred to as WPA-Personal, you assign a key that is shared among all devices that wish to join the wireless network. Operationally, this is identical to creating and distributing the WEP key. However, the key is now 256 bits in length. This is clearly intended for home or small-office solutions, yet it is very widely deployed even in enterprises.


WPA-Enterprise is much more complicated to configure compared to WPA-PSK. It requires additional servers on the backend to perform authentication of each individual user (typically this would be a RADIUS server). Although WPA-Enterprise is more complicated to configure initially, you’ll see that it is much easier to administer for larger organizations and provides a better layer of security.

How WPA Works

WPA2 Encryption Algorithms

WPA2 still supports the TKIP encryption algorithm but has also introduced a new, more secure option that’s typically referred to as CCMP or AES. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) uses the much more secure and vetted AES encryption algorithm. AES, the Advanced Encryption Standard, has been around for many years and has withstood the test of time. Whenever possible, you should be configuring your access points and clients to use the WPA2 CCMP algorithm.

How WPA Works

Attacking WPA Protected Networks

This is great, so all we have to do is replace all of our wireless equipment that uses WEP with equipment that uses WPA and we’re completely secure, right? Well, not exactly. Remember that every single technology has its own inherent limitations and weaknesses. We’re going to look at the following vulnerabilities associated with the WPA protocol:

● ● WPA-PSK cracking
● ● WPA deauthentication spoofing
● ● WPA denial of service
● ● Attacks on TKIP
● ● WPS Bruteforcing

Cracking the WPA Pre-Shared Key

Cracking the WPA pre-shared key is the simplest attack to understand. When a user connects to an access point using WPA-PSK, that user goes through what is referred to as a four-way handshake. This four-way handshake authenticates the user by verifying that he has the correct WPA key. The basic process looks like this:

  1. The access point sends the client a pseudo-random number (typically referred to as a nonce value).
  2. The client encrypts the nonce value using the WPA key and sends it back to the access point.
  3. The access point encrypts the same nonce value with the WPA key and compares it to what the client sent. If the values match, then the client has the correct WPA key and the access point continues the association process by sending the client the group key.
  4. The client acknowledges the transaction and says “Thank you” to the access point.

You should already be familiar with the vulnerability here because it is almost identical to the authentication vulnerability in WEP. If an attacker can observe the unencrypted nonce value sent to the client and can also observe the encrypted response sent back to the access point, then the attacker has a perfect situation for brute-forcing the PSK.

Remember that in a brute-force attack, the attacker simply tries all possible combinations of characters until the correct key is found. Therefore, the length and complexity of the WPA key is extremely important to the security of the network.

There’s also a specific type of brute-force attack called a dictionary attack, which operates very similar, except that rather than trying every combination of characters, an attacker simply tries all the words in a dictionary. These words are typically pulled from an existing file referred to as a wordlist or dictionary file. Massive collections of wordlists can be found online, in many different languages, and some are even geared toward specific pop culture lists such as Star Wars and sports leagues.

The WPA standard actually includes the SSID as part of the encrypted nonce value, which helps protect the handshake from a typical rainbow table attack. Thus, an attacker would have to have rainbow tables that are specific to every SSID. The encrypted nonce would look something like this:

WPA Handshake
Encrypted Handshake = Algorithm (SSID & Nonce)

Thus, when a client associates and authenticates to the access point, we simply capture the transaction and then crack it using the aircrack-ng program.

WPA Deauthentication Spoofing

You may already be thinking that it might be a little annoying to sit around sniffing a network waiting for someone new to associate so you can capture the WPA handshake. Well, there is a solution, and it’s quite simple. We use a program called aireplay-ng to spoof a deauthentication packet to the client, forcing the client to disconnect and reconnect to the wireless network.

Also, keep in mind that if you wait for someone to connect to the access point naturally, your attack is completely passive and extremely discrete. If you start deauthenticating clients, your attack, although still very stealthy, is not 100 percent passive.

WPA Denial of Service

We just looked at how an attacker could spoof deauthentication packets to cause a denial of service, but other options are available as well. In addition, there’s a function within WPA that essentially says that if the access point receives two invalid packets, it will disconnect the clients and wait 60 seconds before resuming operation; this is to protect the hardwired side of the network from attack, but opens the wireless side to a denial-of-service attack. Also, as always, there’s the possibility of a physical denial of service by flooding the wireless spectrum with junk.

So What Should I Use?

At this point, you might be getting a little frustrated with the available security options for wireless networks—and rightly so! Many people just want to know how to secure their wireless network. The answer is the quintessential consultant answer: It depends. but for now the short answer is that if you have the option, stick with WPA2 and CCMP.

Wpa Full Info SearchTechTarget

IF You Like This Blog Please Comment Down

For More Hacking Post Click Here

Related posts

Leave a Comment