Wireless Notes
Learn WPA WPA2 with TKIP AES-CCMP encryption, 4-way handshake, Personal PSK vs Enterprise 802.1X RADIUS, KRACK vulnerability, and security best practices for engineering students.
Understanding WPA and WPA2 security protocols, TKIP's temporary fixes for WEP, AES-CCMP's robust encryption, the four-way handshake, enterprise 802.1X authentication, and why WPA2 dominated WiFi security for 14 years.
WPA — The Emergency Fix
TKIP (Temporal Key Integrity Protocol)
WPA was designed under a severe constraint: it had to work on existing WEP hardware that could only run RC4 cipher in hardware. TKIP wraps RC4 with additional security mechanisms that fix WEP's specific vulnerabilities:
| WEP Problem | TKIP Solution |
|---|---|
| 24-bit IV (repeats quickly) | 48-bit IV (sequence counter — won't repeat in device lifetime) |
| Weak IV → key recovery | Per-packet key mixing function (eliminates weak key vulnerability) |
| CRC-32 integrity (forgeable) | Michael MIC (64-bit Message Integrity Check) |
| No replay protection | Sequence counter rejects out-of-order packets |
| Static key (never changes) | Re-keying after configurable packet count |
TKIP Per-Packet Key Mixing
Instead of simply concatenating IV + Key (as WEP did), TKIP uses a two-phase key mixing function:
Phase 1: Mixes temporal key + transmitter MAC address + IV upper 32 bits → intermediate key Phase 2: Mixes intermediate key + IV lower 16 bits → per-packet WEP seed
This ensures every packet uses a unique key that has no mathematical relationship to keys of other packets — eliminating the FMS/KoreK attacks that destroyed WEP.
Michael MIC
TKIP's integrity check (Michael) is a 64-bit message authentication code. Unlike WEP's CRC-32 (which could be forged), Michael is cryptographically keyed — an attacker cannot compute a valid MIC without knowing the MIC key.
However, Michael is deliberately weak by modern standards (designed for hardware that couldn't run AES). As a countermeasure, TKIP includes a "MIC failure countermeasure": if two MIC failures are detected within 60 seconds, the network shuts down for 60 seconds (assuming an attack is in progress). This prevents brute-force MIC forgery attempts.
WPA2 — The Complete Solution
AES-CCMP
WPA2 replaced RC4+TKIP entirely with AES-CCMP (Counter Mode with CBC-MAC Protocol):
| Feature | TKIP (WPA) | AES-CCMP (WPA2) |
|---|---|---|
| Cipher | RC4 (stream) | AES-128 (block) |
| Key length | 128 bits | 128 bits |
| IV/Nonce | 48-bit IV | 48-bit Packet Number |
| Integrity | Michael (64-bit, weak) | CBC-MAC (128-bit, strong) |
| Encryption mode | Stream (RC4 keystream XOR) | Counter mode (AES-CTR) |
| Hardware | Legacy WEP chips | New AES hardware required |
| Security level | Adequate (workaround) | Strong (AES is unbroken) |
| Performance | Moderate | Faster (hardware AES acceleration) |
How AES-CCMP Works
- Construct nonce: From packet number (48-bit), priority, and transmitter address
- CBC-MAC computation: Generate 128-bit authentication tag over header + payload using AES
- Counter mode encryption: Encrypt payload using AES in counter mode (CTR) with the same nonce
- Append MIC: 64 bits of the CBC-MAC tag appended as integrity check
The nonce MUST never repeat with the same key — the 48-bit packet number guarantees this for the lifetime of any temporal key (2⁴⁸ = 281 trillion packets before wraparound).
The Four-Way Handshake
Purpose
After authentication (PSK or 802.1X), the four-way handshake establishes fresh session keys:
- Confirms both parties share the same PMK (Pairwise Master Key)
- Derives a fresh PTK (Pairwise Transient Key) using random nonces
- Installs encryption keys without transmitting them
- Establishes the group key for broadcast/multicast
The Four Messages
| │── Msg 1: ANonce (AP's random nonce) ── | │ |
| │←── Msg 2 | SNonce + MIC ───────────────│ |
| │── Msg 3: GTK (encrypted) + MIC ────── | │ |
| │←── Msg 4 | ACK + MIC ─────────────────│ |
PTK Derivation
PTK = PRF-384(PMK, "Pairwise key expansion", Min(MAC_AP, MAC_Client) || Max(MAC_AP, MAC_Client) || Min(ANonce, SNonce) || Max(ANonce, SNonce))
The PTK is split into:
- KCK (Key Confirmation Key, 128 bits) — authenticates handshake messages
- KEK (Key Encryption Key, 128 bits) — encrypts the GTK in message 3
- TK (Temporal Key, 128 bits) — encrypts/authenticates data frames
WPA2-Personal vs WPA2-Enterprise
WPA2-Personal (PSK)
- All users share one password
- Password → PMK via PBKDF2(password, SSID, 4096 iterations, SHA-1)
- Simple to deploy (just set password on router)
- Vulnerable to offline dictionary attacks on captured handshake
- Cannot identify individual users (all share same PMK)
WPA2-Enterprise (802.1X)
- Each user has unique credentials (username/password, certificate, or SIM)
- Authentication via RADIUS server using EAP methods
- PMK derived during EAP authentication (unique per user per session)
- Cannot perform offline dictionary attacks (no shared secret to target)
- Individual user identification and access control
- Supports certificate-based mutual authentication (EAP-TLS)
| Feature | WPA2-Personal | WPA2-Enterprise |
|---|---|---|
| Credentials | One shared password | Per-user (password, cert, SIM) |
| PMK source | PBKDF2(password, SSID) | EAP authentication (unique) |
| Offline attack | Vulnerable | Not applicable |
| User identification | No (all identical) | Yes (individual accounts) |
| Scalability | Poor (> 20 users impractical) | Excellent (thousands of users) |
| Infrastructure | Router only | RADIUS server + CA (certs) |
| User revocation | Change password for everyone | Disable individual account |
| Best for | Home, small office | Enterprise, campus, organization |
Known Vulnerabilities
Offline Dictionary Attack (PSK only)
A captured four-way handshake allows unlimited offline password testing. Mitigation: use 12+ character passwords with mixed characters, or use WPA2-Enterprise.
KRACK Attack (2017)
Key Reinstallation Attack exploits handshake message retransmission:
- Forces reuse of already-installed encryption key (nonce reset)
- Allows decryption of frames and possible packet injection
- Protocol-level flaw affecting ALL WPA2 implementations
- Patched via software updates (ensuring nonce is never reinstalled)
Hole196 (Enterprise)
An authenticated user can exploit the shared Group Temporal Key (GTK) to decrypt other users' broadcast traffic. Limited practical impact but demonstrates that WPA2 does not provide per-user traffic isolation within the same network.
GCMP (Galois/Counter Mode Protocol)
WPA2 with 802.11ac introduced optional GCMP as an alternative to CCMP:
- Uses AES in Galois/Counter Mode (more parallelizable than CBC-MAC)
- Supports 128-bit and 256-bit key lengths
- Better performance on modern hardware with AES-GCM acceleration
- Mandatory in WPA3-Enterprise 192-bit mode
Key Takeaways
- WPA was an emergency fix that kept RC4 but added TKIP wrapper (48-bit IV, per-packet key mixing, Michael MIC) to patch WEP's critical vulnerabilities
- WPA2 replaced RC4 entirely with AES-CCMP, providing 128-bit authenticated encryption that remains unbroken after 20 years
- The four-way handshake derives fresh session keys (PTK) from the PMK using random nonces — without ever transmitting the key material
- WPA2-Personal (PSK) is vulnerable to offline dictionary attacks on captured handshakes — password complexity is the primary defense
- WPA2-Enterprise (802.1X) eliminates shared-secret vulnerabilities by providing unique per-user PMK through RADIUS authentication
- KRACK (2017) demonstrated a protocol-level vulnerability in key installation, patched in all major OS implementations by late 2017
- WPA2 served as the dominant WiFi security standard from 2004 to 2018 and remains in widespread use; WPA3 addresses its remaining weaknesses (offline attacks, forward secrecy, open network protection)
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for WPA and WPA2 TKIP AES-CCMP Enterprise Security.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Wireless Communications topic.
Search Terms
wireless-communications, wireless communications, wireless, communications, security, wpa, and, wpa2
Related Wireless Communications Topics