Wifi Security - Learning Module

Loading content...

0/240

WPA2 (802.11i)

The Robust Security Standard

IEEE 802.11i, ratified in June 2004, represents the definitive specification for wireless LAN security. The Wi-Fi Alliance's certification program implementing 802.11i is called WPA2—a name that emphasizes continuity with WPA while signaling substantive improvements.

Unlike WPA, which was constrained to work with WEP-era hardware, WPA2 requires hardware support for the Advanced Encryption Standard (AES). This requirement enabled a complete cryptographic redesign using modern symmetric cryptography, eliminating the compromises that made TKIP necessary.

What You Will Learn

By the end of this page, you will understand the AES block cipher foundations, how CCMP (Counter Mode with CBC-MAC Protocol) provides authenticated encryption, the structure of 802.11i RSN (Robust Security Network), the key hierarchy and derivation functions, and why WPA2 remained the standard for over 15 years.

Current Status

WPA2-AES remains secure for most deployments when configured properly with strong passphrases or enterprise authentication. KRACK attacks (2017) exposed implementation issues rather than fundamental protocol flaws. WPA3 adds forward secrecy and improved handshake security, but WPA2 with proper configuration remains adequate for many use cases.

AES: The Cryptographic Foundation

The Advanced Encryption Standard (AES) was selected by NIST in 2001 after a rigorous five-year public competition. Originally known as Rijndael (designed by Belgian cryptographers Joan Daemen and Vincent Rijmen), AES replaced the aging DES standard and has become the most widely used symmetric cipher in the world.

AES Core Properties:

Block cipher: Operates on fixed 128-bit (16-byte) blocks
Key lengths: 128, 192, or 256 bits (WPA2 uses 128-bit)
Structure: Substitution-Permutation Network (SPN)
Rounds: 10 rounds for 128-bit keys
Security margin: No practical attacks after 20+ years of cryptanalysis

Why AES Over RC4:

Property	RC4 (WEP/TKIP)	AES (WPA2)
Type	Stream cipher	Block cipher
Key scheduling	Simple, exploitable	Complex, secure
Hardware acceleration	Limited	Universal (AES-NI)
Cryptographic margin	Theoretical breaks	No known attacks
Standardization	Proprietary	NIST/government standard

AES Internal Structure:

Each AES round applies four operations:

SubBytes: Each byte substituted via 16×16 S-box (non-linear transformation)
ShiftRows: Rows of state matrix cyclically shifted (diffusion)
MixColumns: Columns mixed via matrix multiplication in GF(2⁸) (diffusion)
AddRoundKey: State XORed with round key derived from cipher key

The final round omits MixColumns. The combination of non-linear substitution and linear diffusion provides the mathematical properties needed for strong encryption.

Hardware Acceleration:

Modern CPUs include dedicated AES instructions (Intel AES-NI, ARM AES extensions). These provide:

Single-cycle encryption/decryption per block
Resistance to timing side-channel attacks
Throughput exceeding 10 Gbps on commodity hardware

This acceleration means WPA2-AES is actually faster than WPA-TKIP on modern hardware, reversing the performance concerns of 2004.

AES Security Margin

The best publicly known attack against AES-128 (biclique attack, 2011) reduces the effective key strength from 128 bits to approximately 126.1 bits—requiring 2¹²⁶ operations instead of 2¹²⁸. This remains completely impractical; 2¹²⁶ operations would take billions of years on all computing hardware on Earth combined.

CCMP: Authenticated Encryption for Wireless

Counter Mode with CBC-MAC Protocol (CCMP) is WPA2's mandatory encryption protocol. CCMP is an implementation of CCM (Counter with CBC-MAC) mode using AES as the underlying cipher.

What Makes CCMP Special:

CCMP is an Authenticated Encryption with Associated Data (AEAD) scheme. This means it provides:

Confidentiality: Encrypted data cannot be read without the key
Integrity: Any modification to encrypted data is detectable
Authentication of associated data: Header fields can be protected without encryption

These three properties are cryptographically bound—you cannot strip the authentication or tamper with protected headers.

CCMP Components:

CCMP combines two AES modes:

1. CTR (Counter) Mode for Encryption:

Counter₀ = Nonce || 0x0001
Counterᵢ = Nonce || (i + 1)
Keystream = AES(K, Counter₀) || AES(K, Counter₁) || ...
Ciphertext = Plaintext ⊕ Keystream

Each packet uses a unique nonce (derived from the packet number)
Counter increments for each 16-byte block
Produces keystream for XOR encryption (like a stream cipher but from AES)
Decryption is identical to encryption (XOR is self-inverse)

2. CBC-MAC for Authentication:

MAC₀ = AES(K, Nonce || message_length)
MACᵢ = AES(K, MACᵢ₋₁ ⊕ Blockᵢ)
Final MIC = Truncate(MAC_final, 64 bits)

Computes a Message Integrity Check (MIC) over headers and payload
Uses AES in CBC mode with IV=0 and discards ciphertext, keeping only final block
MIC encrypted with first counter block (Counter₀) before transmission

CCMP vs TKIP Comparison
Property	TKIP	CCMP
Cipher	RC4 (stream)	AES-128 (block)
Key mixing	Per-packet via S-boxes	Counter mode nonce
Integrity	Michael (64-bit, weak)	CBC-MAC (64-bit, strong)
Nonce size	48 bits	48 bits (packet number)
Replay protection	TSC sequencing	PN sequencing
Hardware required	RC4 (legacy)	AES (modern chipset)
Known attacks	Beck-Tews, dictionary	Dictionary only (PSK)

AEAD Mode Benefits

CCMP's AEAD construction means you cannot accidentally misuse it the way WEP misused RC4. The encryption and authentication are inseparable—you always get both, computed correctly, or neither. This 'secure by default' property prevents the class of errors that broke WEP.

CCMP Packet Processing in Detail

Understanding CCMP requires tracing how a packet is encrypted and authenticated:

CCMP Encryption Steps:

Step 1: Construct the Nonce (13 bytes)

Nonce = Priority (1 byte) || A2 (6 bytes) || PN (6 bytes)

Priority: QoS priority (0 for non-QoS)
A2: Transmitter MAC address (Address 2 field)
PN: 48-bit Packet Number (incremented each frame)

Step 2: Construct Additional Authentication Data (AAD)

AAD = FC || A1 || A2 || A3 || SC || A4 (if present) || QoS (if present)

FC: Frame Control (masked to remove mutable bits)
A1-A4: MAC addresses from header
SC: Sequence Control

The AAD is authenticated but not encrypted—attackers cannot modify addresses or headers without detection.

Step 3: Compute CBC-MAC over AAD and Plaintext

B₀ = Flags || Nonce || PlaintextLength
B₁ = AAD length || AAD (padded)
Bₙ = Plaintext blocks (padded to 16 bytes)

T₀ = AES(TK, B₀)
Tᵢ = AES(TK, Tᵢ₋₁ ⊕ Bᵢ)

Step 4: Encrypt Plaintext with Counter Mode

A₀ = Flags || Nonce || 0x0000
Aᵢ = Flags || Nonce || i

E_MIC = T_final ⊕ AES(TK, A₀)  // Encrypt the MIC
Cᵢ = Pᵢ ⊕ AES(TK, Aᵢ)         // Encrypt plaintext blocks

Step 5: Construct CCMP MPDU

[MAC Header] [CCMP Header (8 bytes)] [Encrypted Payload] [Encrypted MIC (8 bytes)]

The CCMP header contains:

PN0-PN1 (2 bytes): Lower packet number bits
Reserved (1 byte)
ExtIV + Key ID (1 byte)
PN2-PN5 (4 bytes): Upper packet number bits

Decryption and Verification:

The receiver performs the inverse process:

Extract PN from CCMP header
Check PN > last received PN (replay protection)
Reconstruct Nonce from Priority, A2, PN
Decrypt MIC using AES(TK, A₀)
Decrypt payload using counter mode
Recompute CBC-MAC over AAD and decrypted payload
Compare computed MIC with received MIC
If match → accept packet; if mismatch → discard silently

Security Note: Unlike TKIP, CCMP does not need countermeasures for MIC failures. The cryptographic strength of CBC-MAC means forgery attempts cannot succeed—there's no need to throttle because the attack is computationally infeasible, not merely slow.

Packet Number Management

The 48-bit PN must never repeat for a given temporal key. At 10 million packets/second, exhaustion would take 890 years. However, implementations should rekey before PN reaches 2⁴⁸ - 1. Most networks rekey via Group Key Handshake periodically regardless.

The 802.11i Key Hierarchy

WPA2 uses the same key hierarchy as WPA, with modifications for CCMP:

Master Keys:

PMK (Pairwise Master Key) — 256 bits:

For PSK: PMK = PBKDF2(SHA256, Passphrase, SSID, 4096, 256)
For Enterprise: Derived from MSK provided by RADIUS after EAP

PSK Derivation Detail:

DK = PBKDF2(PRF, Password, Salt, Iterations, KeyLength)
Where:
  PRF = HMAC-SHA1
  Password = user passphrase (8-63 characters)
  Salt = SSID (network name)
  Iterations = 4096
  KeyLength = 256 bits

The SSID as salt means the same password on different networks produces different PMKs. This prevents pre-computed rainbow tables from working across networks (though tables exist for common SSIDs like 'linksys' or 'default').

Session Keys (via 4-Way Handshake):

PTK (Pairwise Transient Key) — 384 bits for CCMP:

PTK = PRF-384(PMK, "Pairwise key expansion",
              min(AA,SPA) || max(AA,SPA) ||
              min(ANonce,SNonce) || max(ANonce,SNonce))

Where:

AA = Authenticator Address (AP MAC)
SPA = Supplicant Address (client MAC)
ANonce = AP's random nonce
SNonce = Client's random nonce

PTK Decomposition for CCMP:

PTK (384 bits) = KCK (128 bits) || KEK (128 bits) || TK (128 bits)

KCK: Key Confirmation Key
     - Used for MIC in 4-way handshake messages
     - Proves possession of PMK during key negotiation

KEK: Key Encryption Key  
     - Encrypts GTK when transmitted in handshake message 3
     - Protects group key distribution

TK: Temporal Key
     - The actual key for CCMP encryption/decryption
     - Used for all unicast data traffic

Group Keys:

GTK (Group Temporal Key) — 128 bits:

Used for broadcast/multicast traffic encryption
All clients in the BSS share the same GTK
Distributed by AP via encrypted transport in 4-way handshake
Periodically rotated via Group Key Handshake

GMK (Group Master Key) — 256 bits:

Random value generated by AP
Used to derive GTK: GTK = PRF-128(GMK, "Group key expansion", AA || GNonce)
Rotation of GMK forces GTK refresh

Key Lifetime Considerations:

Key	Typical Lifetime	Rotation Trigger
PMK	Until password change	Password change, certificate expiry
PTK	Until reassociation	Client roaming, explicit reauth
GTK	Hours (configurable)	Timer, client departure, AP policy

Short GTK lifetimes limit the impact of insider attacks (any client knowing GTK can decrypt broadcast traffic).

TKIP vs CCMP Key Sizes

TKIP uses 512-bit PTK (includes separate MIC keys). CCMP uses 384-bit PTK (CBC-MAC uses the same TK as encryption). This is why mixed mode access points negotiate cipher suites—the PTK size differs based on the selected protocol.

Robust Security Network (RSN) Architecture

802.11i defines the Robust Security Network (RSN) framework that encompasses the complete security architecture:

RSN Information Element (RSN IE):

Access points advertise their security capabilities in beacon frames via the RSN IE. This includes:

RSN IE Structure:
├── Element ID (0x30 = RSN)
├── Length
├── Version (1 for 802.11i)
├── Group Cipher Suite (broadcast encryption)
├── Pairwise Cipher Suite Count
├── Pairwise Cipher Suites (unicast encryption options)
├── AKM Suite Count
├── AKM Suites (authentication methods)
├── RSN Capabilities (optional features)
├── PMKID Count (for fast BSS transition)
└── PMKIDs (cached PMK identifiers)

Cipher Suite Selectors:

00-0F-AC:01 — WEP-40 (deprecated)
00-0F-AC:02 — TKIP
00-0F-AC:04 — CCMP (AES in CCM mode)
00-0F-AC:05 — WEP-104 (deprecated)
00-0F-AC:08 — GCMP-128 (WPA3)
00-0F-AC:09 — GCMP-256 (WPA3)

Authentication and Key Management (AKM) Selectors:

00-0F-AC:01 — 802.1X (EAP with RADIUS)
00-0F-AC:02 — PSK (Pre-Shared Key)
00-0F-AC:03 — FT over 802.1X (Fast BSS Transition)
00-0F-AC:04 — FT over PSK
00-0F-AC:05 — 802.1X with SHA-256
00-0F-AC:06 — PSK with SHA-256
00-0F-AC:08 — SAE (WPA3-Personal)
00-0F-AC:12 — OWE (Opportunistic Wireless Encryption)

RSN Association Process:

Discovery: Client scans, receives beacons with RSN IE
Selection: Client chooses AP based on signal and security capabilities
Authentication: Open system authentication (legacy frame)
Association: Client sends Association Request with RSN IE indicating selected cipher/AKM
Key Negotiation: 4-way handshake derives and installs keys
Secure Communication: All data frames encrypted with negotiated cipher

Mixed Mode Operation:

Access points can advertise multiple cipher suites for backward compatibility:

Group cipher: TKIP (lowest common denominator for broadcast)
Pairwise ciphers: CCMP, TKIP (clients choose based on capability)

Note: Using TKIP as group cipher when CCMP is available for pairwise slightly reduces broadcast security.

Mixed Mode Security Implications

When an AP allows both TKIP and CCMP clients, it must transmit broadcast with the weakest cipher (TKIP). A single TKIP client therefore degrades security for all clients. Modern best practice: CCMP-only configuration.

The KRACK Attack and Its Lessons

In October 2017, researcher Mathy Vanhoef disclosed KRACK (Key Reinstallation Attacks)—a class of vulnerabilities affecting the implementation of 802.11i's 4-way handshake. KRACK was significant not because it broke WPA2's cryptography, but because it exposed dangerous edge cases in protocol state machines.

The Vulnerability:

During the 4-way handshake:

Message 3 delivers the GTK and triggers client key installation
Client sends Message 4 as acknowledgment
If AP doesn't receive Message 4, it retransmits Message 3
Client receives Message 3 again and... what happens?

The 802.11i specification didn't clearly define the behavior. Many implementations:

Reinstalled the PTK when receiving a retransmitted Message 3
Reset the packet number (nonce) to zero
This is catastrophic for CCMP (and especially TKIP)

Why Nonce Reuse Breaks CCMP:

CCMP's counter mode security relies on unique (Key, Nonce) pairs. If the same TK is used with the same PN:

C₁ = P₁ ⊕ AES(TK, Nonce)
C₂ = P₂ ⊕ AES(TK, Nonce)

C₁ ⊕ C₂ = P₁ ⊕ P₂  (keystream cancels)

The attacker learns the XOR of plaintexts. With partial knowledge of P₁ (e.g., HTTP headers are predictable), P₂ can be recovered.

KRACK Attack Procedure:

Attacker positions as man-in-the-middle between client and AP
Block client's Message 4 from reaching AP
AP retransmits Message 3 (thinking Message 4 was lost)
Forward retransmitted Message 3 to client
Client reinstalls keys and resets PN to 0
Client encrypts new traffic with same keystream as previous traffic
Attacker observes C_old ⊕ C_new = P_old ⊕ P_new

KRACK Impact by Implementation
Platform	Severity	Reason
Linux/Android (wpa_supplicant 2.4+)	Critical	Reinstalled all-zero encryption key
Windows	Moderate	Rejected retransmitted Message 3 (by accident)
iOS/macOS	Moderate	Limited key reinstallation scenarios
Access Points (4-way)	Low	Most APs don't accept retransmitted Message 4
Access Points (GTK)	Variable	Group key handshake similarly affected

KRACK Lessons

KRACK demonstrated that protocol specifications must define behavior for all state transitions, including error cases and retransmissions. The fix was simple (ignore retransmitted handshake messages after key installation), but required patching millions of devices. WPA3's SAE handshake explicitly addresses these state machine issues.

WPA2 Deployment Best Practices

Despite WPA3's availability, WPA2 remains widely deployed and secure when properly configured. The following practices maximize WPA2 security:

PSK Configuration:

Strong Passphrase Requirements

•20+ characters minimum — Entropy matters more than complexity rules
•Random passphrase — Use a password manager to generate true random strings
•Unique per network — Never reuse passphrases across different SSIDs
•Avoid common SSIDs — Rainbow tables exist for 'linksys', 'netgear', 'default', etc.
•Change SSID — Even slightly modified SSID defeats pre-computed tables

Passphrase Entropy Calculation:

Random lowercase + digits (36 chars): log₂(36) = 5.17 bits per character
  12 characters: ~62 bits (weak)
  20 characters: ~103 bits (strong)
  30 characters: ~155 bits (excellent)

Random printable ASCII (95 chars): log₂(95) = 6.57 bits per character
  12 characters: ~79 bits (moderate)
  20 characters: ~131 bits (very strong)

Attack Time Estimates (1 billion guesses/second):

62 bits: 4.6 million seconds ≈ 53 days
80 bits: 38 million years
100 bits: 40 trillion years

Aim for 80+ bits of entropy for long-term security.

Network Configuration:

Hardening Recommendations

•CCMP-only mode — Disable TKIP entirely if all clients support CCMP
•Disable WPS — Wi-Fi Protected Setup has multiple vulnerabilities
•Use WPA2-Enterprise — For corporate environments, RADIUS provides per-user keys
•Enable PMF — Protected Management Frames (802.11w) prevents deauth attacks
•Regular firmware updates — Applied patches prevent known vulnerabilities
•Short GTK rotation — Reduce exposure window for group key compromise
•Isolate clients — Enable AP isolation to prevent client-to-client attacks

Common Misconfigurations

Disabling PMF leaves networks vulnerable to deauthentication attacks that force handshake recapture. WPS PIN mode can be brute-forced in hours. TKIP compatibility mode degrades security for all clients. Management interface exposed to wireless allows router compromise.

Summary: WPA2's Enduring Security

WPA2 represents the mature, production-grade wireless security standard that has protected networks for nearly two decades. Its design demonstrates how proper cryptographic construction creates lasting security.

WPA2 Security Strengths

•AES foundation — NIST-standardized cipher with no practical attacks after 20+ years
•CCMP authenticated encryption — Combines confidentiality and integrity cryptographically
•48-bit packet numbers — Prevents practical nonce reuse within key lifetime
•Robust key hierarchy — Master, session, and per-packet key separation
•AAD protection — Headers authenticated without encryption overhead
•RSN framework — Comprehensive security capabilities negotiation

WPA2 Known Limitations

•PSK dictionary vulnerability — Offline attack against weak passwords remains feasible
•No forward secrecy — Compromised PMK decrypts all past captured traffic
•KRACK-style implementation issues — Protocol edge cases required patching
•Deauth vulnerability — Management frames unprotected without 802.11w
•Passive handshake capture — Any observer can capture the handshake for offline attack

WPA2's Place in History:

WPA2 succeeded because it used well-understood cryptographic primitives (AES, CBC-MAC) in a straightforward construction (CCM). Unlike WEP, which tried to be clever and failed, WPA2 followed established cryptographic engineering principles.

The few issues discovered (KRACK, Hole196) were implementation and edge-case problems, not fundamental cryptographic breaks. This validates the design philosophy of using standardized, well-analyzed components.

What's Next:

The next page covers WPA3, the latest generation of WiFi security. WPA3 addresses WPA2's remaining weaknesses: dictionary attacks via SAE, forward secrecy via ephemeral key exchange, and stronger protection for open networks via OWE.

Page Complete

You now understand WPA2's architecture: AES-CCMP for authenticated encryption, the complete key hierarchy from PMK to per-packet keys, RSN framework for capability negotiation, and the KRACK vulnerability that exposed implementation edge cases. WPA2 remains secure for most deployments with proper passphrase strength and configuration.