The Alliance defined these in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP).
WEP (Wired Equivalent Privacy) was an early encryption protocol for wireless networks, designed to secure WLAN connections.
[3] The Wi-Fi Alliance intended WPA as an intermediate measure to take the place of WEP pending the availability of the full IEEE 802.11i standard.
WPA could be implemented through firmware upgrades on wireless network interface cards designed for WEP that began shipping as far back as 1999.
[4] WPA also includes a Message Integrity Check, which is designed to prevent an attacker from altering and resending data packets.
Researchers have since discovered a flaw in WPA that relied on older weaknesses in WEP and the limitations of the message integrity code hash function, named Michael, to retrieve the keystream from short packets to use for re-injection and spoofing.
[21] The Wi-Fi Alliance also says that WPA3 will mitigate security issues posed by weak passwords and simplify the process of setting up devices with no display interface.
As of July 2020, WPA3 is the latest iteration of the WPA standard, bringing enhanced security features and addressing vulnerabilities found in WPA2.
WPA3 improves authentication methods and employs stronger encryption protocols, making it the recommended choice for securing Wi-Fi networks.
[22] Also referred to as WPA-PSK (pre-shared key) mode, this is designed for home, small office and basic uses and does not require an authentication server.
This enterprise mode uses an 802.1X server for authentication, offering higher security control by replacing the vulnerable WEP with the more advanced TKIP encryption.
[28] Originally, only EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) was certified by the Wi-Fi alliance.
This certification is an attempt for popular EAP types to interoperate; their failure to do so as of 2013[update] is one of the major issues preventing rollout of 802.1X on heterogeneous networks.
[34] Brute forcing of simple passwords can be attempted using the Aircrack Suite starting from the four-way authentication handshake exchanged during association or periodic re-authentication.
WPA and WPA2 do not provide forward secrecy, meaning that once an adverse person discovers the pre-shared key, they can potentially decrypt all packets encrypted using that PSK transmitted in the future and even past, which could be passively and silently collected by the attacker.
[21] In 2013, Mathy Vanhoef and Frank Piessens[40] significantly improved upon the WPA-TKIP attacks of Erik Tews and Martin Beck.
They mentioned this can be used to hijack a TCP connection, allowing an attacker to inject malicious JavaScript when the victim visits a website.
The authors say using a short rekeying interval can prevent some attacks but not all, and strongly recommend switching from TKIP to AES-based CCMP.
[40] A more serious security flaw was revealed in December 2011 by Stefan Viehböck that affects wireless routers with the Wi-Fi Protected Setup (WPS) feature, regardless of which encryption method they use.
Many consumer Wi-Fi device manufacturers had taken steps to eliminate the potential of weak passphrase choices by promoting alternative methods of automatically generating and distributing strong keys when users add a new wireless adapter or appliance to a network.
Moxie advised: "Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else.
"[49] Tunneled EAP methods using TTLS or PEAP which encrypt the MSCHAPv2 exchange are widely deployed to protect against exploitation of this vulnerability.
However, prevalent WPA2 client implementations during the early 2000s were prone to misconfiguration by end users, or in some cases (e.g. Android), lacked any user-accessible way to properly configure validation of AAA server certificate CNs.
[50] Under stricter compliance tests for WPA2 announced alongside WPA3, certified client software will be required to conform to certain behaviors surrounding AAA certificate validation.
Researchers showed that, if vendors implement the proposed RNG, an attacker is able to predict the group key (GTK) that is supposed to be randomly generated by the access point (AP).
Similarly, they demonstrated the keys generated by Broadcom access daemons running on VxWorks 5 and later can be recovered in four minutes or less, which affects, for example, certain versions of Linksys WRT54G and certain Apple AirPort Extreme models.
[54][55] The KRACK attack is believed to affect all variants of WPA and WPA2; however, the security implications vary between implementations, depending upon how individual developers interpreted a poorly specified part of the standard.
These included side-channel attacks potentially revealing sensitive user information and implementation weaknesses in EAP-pwd and SAE.