By 2003, WEP's security collapse was complete and undeniable. The cryptographic community had demonstrated practical attacks that could break any WEP network in minutes. The wireless networking industry faced a crisis: millions of deployed devices were fundamentally insecure, and the proper replacement (IEEE 802.11i) was still years from completion.
The Wi-Fi Alliance responded with an emergency interim solution: Wi-Fi Protected Access (WPA). Released in 2003, WPA was designed to be deployable on existing WEP-capable hardware through firmware updates, while providing genuinely robust security. This constraint—legacy hardware compatibility—shaped every design decision.
By the end of this page, you will understand TKIP (Temporal Key Integrity Protocol), how per-packet key mixing solved WEP's IV problem, the Michael MIC algorithm's design tradeoffs, the 4-way handshake for key derivation, and why WPA succeeded as an emergency measure while still having vulnerabilities.
WPA (specifically WPA-TKIP) was deprecated by the Wi-Fi Alliance in 2012 and prohibited for new certifications in 2015. While WPA-TKIP remains more secure than WEP, it has known weaknesses that show its age. Modern deployments should use WPA2 or WPA3 exclusively.
Understanding WPA requires appreciating the constraints under which it was designed. The Wi-Fi Alliance faced a dilemma: the mathematically superior solution (AES-based encryption, which became WPA2) required hardware changes that would strand millions of existing devices. The interim solution needed to work with existing WEP hardware.
The Hardware Reality:
Most wireless chipsets of the early 2000s had RC4 acceleration in hardware but no support for AES or any other block cipher. The RC4 key scheduling was fixed in silicon. WPA had to achieve security using only the cryptographic primitives available:
The TKIP Solution:
The engineers designed Temporal Key Integrity Protocol (TKIP) as a cryptographic wrapper around RC4 that addressed every WEP vulnerability:
| WEP Problem | TKIP Solution |
|---|---|
| 24-bit IV space exhaustion | 48-bit TSC (TKIP Sequence Counter) |
| Weak IV correlation attacks | Per-packet key mixing function |
| CRC-32 integrity bypass | Michael MIC (Message Integrity Check) |
| Static key exposure | 4-way handshake for session keys |
| Replay attacks | Monotonic sequence counter validation |
Each of these solutions needed to work within the RC4 + CRC hardware constraints.
TKIP introduced a sophisticated key hierarchy that generates unique keys for each packet, preventing the IV reuse and related-key attacks that broke WEP.
Key Hierarchy Overview:
```
PMK (Pairwise Master Key) — 256 bits
    ↓ 4-way handshake
PTK (Pairwise Transient Key) — 512 bits
    ├── KCK (Key Confirmation Key) — 128 bits, for MIC in handshake
    ├── KEK (Key Encryption Key) — 128 bits, for encrypting GTK
    ├── TK (Temporal Key) — 128 bits, for data encryption
    └── TMK (TX/RX MIC Keys) — 128 bits (64 each direction)
    ↓ Per-packet mixing
Per-Packet Key — 128 bits, unique for each frame
```
This hierarchy ensures that:
The 48-bit TKIP Sequence Counter (TSC):
WPA replaced WEP's 24-bit IV with a 48-bit TSC:
The TSC is split across the frame:
Replay Prevention:
The monotonic counter provides inherent replay protection. Each receiver maintains the last-received TSC. Any packet with TSC ≤ last received is discarded without decryption. This is a fundamental security improvement—WEP had no replay protection at all.
Doubling the IV length from 24 to 48 bits does not double security—it increases the space by a factor of 16 million. This exponential relationship means practical exhaustion becomes impossible within any reasonable device lifetime.
The most innovative aspect of TKIP is its per-packet key mixing function, which eliminates the weak-key correlation attacks that broke WEP. Rather than concatenating IV and key (as WEP did), TKIP cryptographically mixes them.
Two-Phase Mixing:
The mixing is split into two phases for efficiency:
Phase 1 (Per-Station, computed once per 2¹⁶ packets):
Inputs: TK (128 bits), TA (48 bits, transmitter MAC address), TSC32-47 (upper 32 bits of TSC)
Output: TTAK (80 bits, intermediate value)
Phase 1 mixes the Temporal Key with the transmitter address and upper TSC bits. This computation is relatively expensive but needs to run only once every 65,536 packets.
Phase 2 (Per-Packet):
Inputs: TTAK (80 bits), TK (128 bits), TSC0-15 (lower 16 bits of TSC)
Output: PPK (128 bits, per-packet key)
Phase 2 takes the cached TTAK and mixes in the lower TSC bits to produce the final per-packet key (PPK). This runs for every packet but is computationally lightweight.
Why Mixing Defeats Key Correlation:
WEP's concatenation scheme meant that:
TKIP's mixing means:
The S-Box Construction:
The mixing function uses two pre-computed 256-entry S-boxes derived from the low and high bytes of the TK. These S-boxes scramble the input in a way that creates diffusion—changing one input bit affects many output bits unpredictably.
The two-phase design was critical for legacy hardware. Phase 1 involves complex operations but runs rarely. Phase 2 runs per-packet but uses only XOR, addition, and table lookups—operations that even 2003-era wireless chipsets could handle in software without significant performance impact.
Replacing CRC-32 with a cryptographic message integrity check (MIC) was essential. However, WPA faced a severe constraint: no AES hardware meant no CBC-MAC or other strong message authentication. The designers created Michael—a purpose-built MIC algorithm optimized for legacy hardware.
Michael's Design Philosophy:
Michael is not a general-purpose cryptographic MAC. It was designed with specific constraints:
The Michael Algorithm:
```
Initialize with 64-bit key (split from TMK):
    L = K0, R = K1
For each 32-bit block M of padded message:
    L ^= M
    (L, R) = b(L, R)   // Michael block function
Return (L, R) as 64-bit MIC
```
The block function b() performs a series of XOR, rotation, and modular addition operations designed to mix bits efficiently.
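The pseudocode above, carried through to working code. This is an added example, not code from the original page; the block function, little-endian word order and the 0x5a padding rule follow the Michael definition in IEEE 802.11i, and the sample messages are constructed.

```python
# Added example: Michael MIC over a raw byte string (constructed inputs).
import hmac
import struct

MASK = 0xFFFFFFFF

def rol(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def ror(v, n):
    return ((v >> n) | (v << (32 - n))) & MASK

def xswap(v):
    # Swap the two bytes inside each 16-bit half of the word.
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)

def block(l, r):
    """Michael block function b(L, R): only XOR, rotation, addition mod 2**32."""
    r ^= rol(l, 17)
    l = (l + r) & MASK
    r ^= xswap(l)
    l = (l + r) & MASK
    r ^= rol(l, 3)
    l = (l + r) & MASK
    r ^= ror(l, 2)
    l = (l + r) & MASK
    return l, r

def michael(key: bytes, message: bytes) -> bytes:
    if len(key) != 8:
        raise ValueError("Michael takes a 64-bit key")
    l, r = struct.unpack("<II", key)  # L = K0, R = K1 (little-endian words)
    # Padding: one 0x5a byte, then 4 to 7 zero bytes up to a multiple of 4.
    padded = message + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    for (m,) in struct.iter_unpack("<I", padded):
        l ^= m
        l, r = block(l, r)
    return struct.pack("<II", l, r)

def verify(key: bytes, message: bytes, mic: bytes) -> bool:
    # Constant-time comparison, as a receiver should do.
    return hmac.compare_digest(michael(key, message), mic)

if __name__ == "__main__":
    key = bytes(8)
    for text in (b"", b"M", b"Mi", b"Mic", b"Mich", b"Michael"):
        mic = michael(key, text)
        print(text, key.hex(), "->", mic.hex())
        key = mic  # each MIC becomes the next key, as in the published vectors
```

In a real TKIP frame the MIC input also covers the destination address, source address and priority ahead of the payload; the function here takes whatever byte string it is given.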
Michael's Known Weakness:
Michael is not collision-resistant in the cryptographic sense. Given enough attempts, an attacker could potentially forge a valid MIC. The estimated attack complexity:
This is weak by modern standards. However, WPA includes countermeasures that make exploitation impractical.
TKIP Countermeasures:
When two MIC failures occur within 60 seconds:
This means an attacker attempting to forge Michael:
The countermeasures transform a cryptographic weakness into a practical non-issue—at the cost of denial-of-service vulnerability.
An attacker who can inject two malformed packets per minute can keep a TKIP network in perpetual countermeasure mode—effectively a denial of service. This is a design tradeoff: accepting potential DoS to prevent cryptographic bypass. WPA2's AES-based integrity eliminates this issue.
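The receive-side logic described above (replay drop, MIC failure tracking, the 60-second trigger), as an added example that is not from the original page. The class name, the `mic_ok` flag standing in for Michael verification, the 60-second blocking period after the trigger (taken from IEEE 802.11i) and the event trace are assumptions made for illustration.

```python
# Added example: TSC replay check and Michael countermeasure trigger.
class TkipReceiver:
    FAILURE_WINDOW = 60.0  # two MIC failures within this many seconds trigger
    BLOCK_PERIOD = 60.0    # assumed shutdown period once triggered

    def __init__(self):
        self.last_tsc = -1
        self.last_mic_failure = None
        self.blocked_until = 0.0

    def receive(self, tsc: int, mic_ok: bool, now: float) -> str:
        if now < self.blocked_until:
            return "blocked"
        if tsc <= self.last_tsc:
            return "replay"  # dropped before decryption, not a MIC failure
        if not mic_ok:
            prev, self.last_mic_failure = self.last_mic_failure, now
            if prev is not None and now - prev <= self.FAILURE_WINDOW:
                self.blocked_until = now + self.BLOCK_PERIOD
                return "countermeasures"
            return "mic_failure"
        self.last_tsc = tsc  # advance the counter only after the MIC verifies
        return "accepted"

# Constructed events: (time in seconds, TSC, did Michael verify?)
# Simplification: a real network rekeys after countermeasures, resetting TSC.
SAMPLE = [
    (0.0, 1, True),
    (1.0, 1, True),      # same TSC again
    (2.0, 2, False),     # first MIC failure
    (3.0, 2, True),      # TSC 2 still usable: the failed frame did not advance it
    (70.0, 3, False),    # 68 s after the previous failure
    (100.0, 4, False),   # 30 s after the previous failure
    (120.0, 5, True),    # inside the block period
    (161.0, 5, True),    # block period over
]

def run_trace(events):
    rx = TkipReceiver()
    return [rx.receive(tsc, ok, now) for now, tsc, ok in events]

if __name__ == "__main__":
    for event, result in zip(SAMPLE, run_trace(SAMPLE)):
        print(event, "->", result)
```

Logging each `countermeasures` result with its timestamp gives operations a direct signal for the denial-of-service condition described above.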
MIC Field Placement:
The 8-byte Michael MIC is appended to the plaintext before encryption:
[MAC Header] [IV/KeyID/ExtIV] [Encrypted: Payload + MIC + ICV]
Note that WPA retains the CRC-32 ICV—but now as an additional integrity layer, not the primary one. The encrypted ICV catches unintentional bit errors (for which CRC excels), while Michael catches malicious modifications.
The 4-way handshake is WPA's mechanism for deriving fresh session keys without exposing the Pairwise Master Key (PMK). It provides mutual authentication and enables secure key distribution.
Key Derivation Prior to Handshake:
For WPA-Personal (PSK mode), the PMK is derived from the password:
PMK = PBKDF2(SHA1, passphrase, SSID, 4096, 256)
For WPA-Enterprise, the PMK comes from the RADIUS authentication server after EAP authentication.
The Four Messages:
Message 1 (AP → Client):
Contains: ANonce (random 256 bits from AP)
Purpose: Provide AP's contribution to PTK derivation
After receiving M1, the client can compute the PTK:
```
PTK = PRF(PMK, "Pairwise key expansion",
          min(AA,SA) || max(AA,SA) || min(ANonce,SNonce) || max(ANonce,SNonce))
```
Message 2 (Client → AP):
Contains: SNonce (random 256 bits from client), MIC
Purpose: Provide client's contribution + prove PMK knowledge
Now the AP can also compute the PTK (has all inputs). The MIC proves the client derived the correct PTK.
Message 3 (AP → Client):
Contains: ANonce (repeat), GTK (encrypted with KEK), MIC
Purpose: Confirm PTK, deliver Group Temporal Key for broadcast
The MIC proves the AP also derived the correct PTK. The client installs keys.
Message 4 (Client → AP):
Contains: MIC only
Purpose: Acknowledge key installation
AP installs keys. Secure communication can begin.
| Message | Direction | Key Contents | State After |
|---|---|---|---|
| M1 | AP → Client | ANonce | Client has all PTK inputs |
| M2 | Client → AP | SNonce + MIC | AP has all PTK inputs, verified client |
| M3 | AP → Client | ANonce + GTK + MIC | Client verified AP, installs keys |
| M4 | Client → AP | MIC only | AP installs keys, communication secure |
The handshake provides: mutual authentication (both prove PMK knowledge), key freshness (new nonces each time), forward secrecy for session keys (compromising one session doesn't expose others), and secure GTK distribution for broadcast traffic.
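The key derivation behind messages 1 and 2, as an added example that is not from the original page. It uses the HMAC-SHA1 PRF and, for the WPA/TKIP key descriptor, the HMAC-MD5 EAPOL-Key MIC from IEEE 802.11i; the MAC addresses, the `M2|` stand-in for the real EAPOL-Key frame and the function names are constructed for illustration, and the PTK is split in the order the key hierarchy above lists it.

```python
# Added example: PMK -> PTK derivation and the M2 MIC check on the AP side.
import hashlib
import hmac
import os

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2(SHA1, passphrase, SSID, 4096, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, sa, anonce, snonce) -> dict:
    data = min(aa, sa) + max(aa, sa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)  # 512 bits
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48], "TMK": ptk[48:]}

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    return hmac.new(kck, frame, hashlib.md5).digest()

def handshake(ap_passphrase: str, client_passphrase: str, ssid: str = "IEEE"):
    aa = bytes.fromhex("020000000001")  # constructed AP address
    sa = bytes.fromhex("020000000002")  # constructed client address
    anonce = os.urandom(32)             # M1: AP -> client
    snonce = os.urandom(32)             # client's contribution, sent in M2
    client = derive_ptk(derive_pmk(client_passphrase, ssid), aa, sa, anonce, snonce)
    m2 = b"M2|" + snonce                # constructed stand-in for the EAPOL-Key frame
    m2_mic = eapol_mic(client["KCK"], m2)
    # AP now has every PTK input and checks that the client knows the PMK.
    ap = derive_ptk(derive_pmk(ap_passphrase, ssid), aa, sa, anonce, snonce)
    verified = hmac.compare_digest(eapol_mic(ap["KCK"], m2), m2_mic)
    return verified, ap, client

if __name__ == "__main__":
    ok, ap, client = handshake("password", "password")
    print("M2 MIC verified:", ok, "| same TK on both sides:", ap["TK"] == client["TK"])
    print("mismatched passphrase verified:", handshake("password", "passw0rd")[0])
```

Each run draws new nonces, so the temporal key differs between sessions even though the PMK stays the same.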
While WPA successfully defeated all WEP attacks, it introduced new vulnerabilities—some inherent to the design, others specific to the PSK mode:
1. Dictionary Attacks Against WPA-PSK
The 4-way handshake is visible to passive observers. An attacker who captures the handshake has all the information needed for offline password guessing:
```
For each candidate password:
    candidate_PMK = PBKDF2(SHA1, password, SSID, 4096, 256)
    candidate_PTK = PRF(candidate_PMK, context)
    If MIC matches captured handshake → Password found
```
Defenses against dictionary attacks:
2. The Beck-Tews/Ohigashi-Morii Attack (2008-2009)
Researchers discovered practical attacks on TKIP that could:
Attack Mechanism:
The attack exploits the QoS (Quality of Service) feature in 802.11e:
The attack cannot recover the TKIP key directly but enables limited injection and decryption.
3. Hole196 (2010)
Insider threat exploiting the Group Temporal Key (GTK):
Due to these attacks, TKIP was deprecated in 2012. The Wi-Fi Alliance has prohibited TKIP in new certifications since 2015. The consensus: TKIP served its emergency purpose, but AES-based WPA2 is the appropriate long-term solution.
WPA supports two distinct operating modes, each suited to different deployment scenarios:
WPA-Personal (WPA-PSK):
Pre-Shared Key mode for home and small office use:
Passphrase Requirements:
Critical Weakness: If one client is compromised or the password shared improperly, all traffic is potentially exposed. There's no way to revoke access for one user without changing the password for everyone.
WPA-Enterprise (WPA-802.1X):
Uses IEEE 802.1X port-based access control with RADIUS authentication:
EAP Methods Commonly Used:
Authentication Flow:
1. Client associates with AP (open authentication)
2. AP blocks all traffic except EAP
3. Client and RADIUS exchange EAP messages (via AP)
4. RADIUS authenticates client
5. RADIUS sends PMK to AP via encrypted RADIUS attribute
6. AP and client execute 4-way handshake
7. Port is unblocked, traffic flows
WPA-Enterprise enables individual revocation (fired employee loses access instantly), centralized logging (who connected when), dynamic VLAN assignment (segment users by role), and integration with existing identity systems (Active Directory, LDAP).
WPA accomplished its mission: providing genuinely strong security for wireless networks using only firmware updates to WEP-era hardware. It bought time for the industry to develop and deploy WPA2 while protecting users from active WEP exploitation.
Historical Assessment:
WPA was a brilliant engineering achievement under impossible constraints. The designers worked with a fundamentally broken primitive (RC4 as used by WEP hardware) and built a secure protocol around it. The fact that WPA held up for years, and that the attacks, when found, were theoretical or limited, validates the design.
However, WPA was always intended as transitional. The proper solution required new cryptographic primitives, which brings us to WPA2 and its foundation: AES-CCMP.
What's Next:
The next page covers WPA2 (IEEE 802.11i), the robust successor that replaced TKIP's workarounds with proper AES-based encryption and integrity through the CCMP protocol.
You now understand WPA's architecture: how TKIP wrapped RC4 with per-packet key mixing, implemented the Michael MIC with countermeasures, and used the 4-way handshake for session key derivation. These mechanisms formed the bridge from broken WEP to robust WPA2.