What is the encryption mechanism that is used with the WPA2 security standard?

Wi-Fi Protected Access 2 is a network security technology commonly used on Wi-Fi wireless networks. It's an upgrade from the original WPA technology, which was designed as a replacement for the older and less secure WEP. WPA2 is used on all certified Wi-Fi hardware since 2006 and is based on the IEEE 802.11i technology standard for data encryption.

When WPA2 is enabled with its strongest encryption option, anyone else within range of the network might be able to see the traffic, but it is scrambled with the most up-to-date encryption standards.

Certification for WPA3 began in 2018. WPA3 marked the first major Wi-Fi security improvement since WPA2 in 2004. The new standard includes a 192-bit equivalent security layer and replaces the pre-shared key (PSK) exchange with an SAE (Simultaneous Authentication of Equals) exchange.

WPA2 vs. WPA and WEP

It can be confusing to see the acronyms WPA2, WPA, and WEP because these seem so similar that it shouldn't matter which you choose to protect your network, but there are differences.

The least secure is WEP (Wired Equivalent Privacy), which was meant to provide security equivalent to that of a wired connection, as its name suggests. WEP broadcasts messages using radio waves and is easy to crack, because the same encryption key is used for every data packet. Once an eavesdropper has captured enough traffic, automated software can recover the key in a few minutes. It's best to avoid WEP.

WPA improves on WEP by using the TKIP encryption scheme, which scrambles the per-packet encryption key and verifies that the data hasn't been altered during transfer. The major difference between WPA2 and WPA is that WPA2 improves the security of a network by requiring a stronger encryption method called AES.

WPA2 security keys come in different types. A WPA2 Pre-Shared Key (PSK) uses a key that is 64 hexadecimal digits long. This method is commonly used on home networks. Many home routers use the labels WPA2 PSK and WPA2 Personal interchangeably; they refer to the same underlying technology.

AES vs. TKIP for Wireless Encryption

When you set up a home network with WPA2, you usually choose between two encryption methods: Advanced Encryption Standard (AES) and Temporal Key Integrity Protocol (TKIP).

Many home routers let administrators choose from among these possible combinations:

  • WPA with TKIP (WPA-TKIP): This is the default choice for old routers that don't support WPA2.
  • WPA with AES (WPA-AES): AES was first introduced before the WPA2 standard was completed, although few clients supported this mode.
  • WPA2 with AES (WPA2-AES): This is the default choice for newer routers and the recommended option for networks where all clients support AES.
  • WPA2 with AES and TKIP (WPA2-AES/TKIP): Routers need to enable both modes if any clients do not support AES. All WPA2-capable clients support AES, but most WPA clients do not.

WPA2 Limitations

Most routers support both WPA2 and a separate feature called Wi-Fi Protected Setup. While WPS is designed to simplify the process of setting up home network security, flaws in how it was implemented limit its usefulness.

With WPA2 enabled and WPS disabled, an attacker needs to determine the WPA2 PSK that the clients use, which is a time-consuming process. With both features enabled, an attacker only needs to recover the WPS PIN, which then reveals the WPA2 key, a much simpler process. Security advocates recommend keeping WPS disabled for this reason.

WPA and WPA2 sometimes interfere with each other if both are enabled on a router at the same time, and can cause client connection failures.

Using WPA2 decreases the performance of network connections due to the extra processing load of encryption and decryption. The performance impact of WPA2 is usually negligible, especially when compared with the increased security risk of using WPA or WEP, or no encryption at all.
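As an added example, not code from the original article: a small audit of a hostapd access-point configuration against the mode combinations and the WPS advice above. The two configurations are constructed samples; the hostapd option names (wpa, wpa_pairwise, rsn_pairwise, wps_state) are real, and the parse and audit functions are my own.

```python
# Constructed sample: the "WPA2 with AES and TKIP" mixed mode, WPS left on.
WEAK_CONF = """\
ssid=HomeNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=REPLACE-WITH-LONG-RANDOM-PASSPHRASE
wps_state=2
"""
# Constructed sample: the recommended "WPA2 with AES" choice, WPS disabled.
HARDENED_CONF = """\
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE-WITH-LONG-RANDOM-PASSPHRASE
wps_state=0
"""

def parse_hostapd(text: str) -> dict:
    """hostapd.conf is one key=value per line; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit(conf: dict) -> list:
    """List the weaknesses the article warns about; empty means the config follows its advice."""
    findings = []
    wpa = int(conf.get("wpa", "0"))  # bitmask: 1 = WPA (TKIP era), 2 = WPA2/RSN
    if wpa == 0:
        findings.append("no WPA/WPA2 configured")
    if wpa & 1:
        findings.append("WPA enabled: WPA clients mostly lack AES, and mixing with WPA2 causes client failures")
    # rsn_pairwise governs WPA2; hostapd falls back to wpa_pairwise when it is unset.
    rsn = conf.get("rsn_pairwise", conf.get("wpa_pairwise", ""))
    if "TKIP" in rsn.split():
        findings.append("TKIP allowed under WPA2: AES (CCMP) alone is the recommended cipher")
    if conf.get("wps_state", "0") != "0":
        findings.append("WPS enabled: recovering the PIN reveals the WPA2 key")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_hostapd(text)) or ["follows the recommendations"])
```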

WPA3 Password Protection

Start with how WPA3 will protect you at home. Specifically, it will mitigate the damage that might stem from your lazy passwords.

A fundamental weakness of WPA2, the current wireless security protocol that dates back to 2004, is that it lets hackers deploy a so-called offline dictionary attack to guess your password. An attacker can take as many shots as they want at guessing your credentials without being on the same network, cycling through an entire dictionary, and beyond, in relatively short order.
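As an added example, not code from the original article: the derivation below is the IEEE 802.11i passphrase-to-key mapping that connects the 64-hex-digit key form mentioned earlier with the offline guessing described here. The function names are my own; the "password"/"IEEE" pair is the standard's published test vector, and the cost and key-space helpers show why passphrase entropy, not the 256-bit key, is what an offline attacker has to search.

```python
import hashlib
import math

# IEEE 802.11i Annex H test vector for the passphrase-to-PSK mapping (published, not constructed).
TEST_VECTOR = ("password", "IEEE",
               "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Map a WPA2-Personal passphrase to the 256-bit Pairwise Master Key (PMK).

    802.11i defines this as PBKDF2-HMAC-SHA1, salted with the SSID, 4096 rounds;
    the output is what a router displays as the 64-hex-digit key.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)

def pmk_from_hex(psk_hex: str) -> bytes:
    """The 64-hex-digit form is the PMK itself: no passphrase exists to guess."""
    if len(psk_hex) != 64:
        raise ValueError("a raw WPA2 PSK is exactly 64 hexadecimal digits")
    return bytes.fromhex(psk_hex)

def hmac_calls_per_guess() -> int:
    """PBKDF2 work per candidate passphrase: a 32-byte output needs two 20-byte
    SHA-1 blocks, each 4096 HMAC calls. This fixed cost is the only thing slowing
    an offline guess, which is why passphrase entropy matters so much."""
    return math.ceil(32 / 20) * 4096

def guess_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of work for an exhaustive offline search: the passphrase space, not 256."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    pw, ssid, expected = TEST_VECTOR
    print("test vector matches:", wpa2_pmk(pw, ssid).hex() == expected)
    print(f"8 lowercase letters: {guess_space_bits(26, 8):.1f} bits of search;"
          f" random 64-hex key: {guess_space_bits(16, 64):.0f} bits")
```

Because the SSID is the salt, renaming a network changes every client's stored key, which is worth remembering when a renamed network suddenly rejects devices that still hold the old PMK.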

WPA3 will protect against dictionary attacks by implementing a new key exchange protocol. WPA2 used an imperfect four-way handshake between clients and access points to enable encrypted connections; it's what was behind the notorious KRACK vulnerability that impacted basically every connected device. WPA3 will ditch that in favor of the more secure, and widely vetted, Simultaneous Authentication of Equals (SAE) handshake.

The other benefit comes in the event that your password gets compromised nonetheless. With this new handshake, WPA3 supports forward secrecy, meaning that any traffic that came across your transom before an outsider gained access will remain encrypted. With WPA2, they can decrypt old traffic as well.

Safer Connections

When WPA2 came along in 2004, the Internet of Things had not yet become anything close to the all-consuming security horror that is its present-day hallmark. No wonder, then, that WPA2 offered no streamlined way to safely onboard these devices to an existing Wi-Fi network. And in fact, the predominant method by which that process happens today, Wi-Fi Protected Setup, has had known vulnerabilities since 2011. WPA3 provides a fix.

Wi-Fi Easy Connect, as the Wi-Fi Alliance calls it, makes it easier to get wireless devices that have no (or limited) screen or input mechanism onto your network. When enabled, you simply use your smartphone to scan a QR code on your router, then scan a QR code on your printer or speaker or other IoT device, and you're set: they're securely connected. With the QR code method, you're using public key-based encryption to onboard devices that currently largely lack a simple, secure way to do so.

That trend also plays out with Wi-Fi Enhanced Open, which the Wi-Fi Alliance detailed a few weeks earlier. You've probably heard that you should avoid doing any sensitive browsing or data entry on public Wi-Fi networks. That's because with WPA2, anyone on the same public network as you can observe your activity and target you with intrusions like man-in-the-middle attacks or traffic sniffing. On WPA3? Not so much.

When you log onto a coffee shop’s WPA3 Wi-Fi with a WPA3 device, your connection will automatically be encrypted without the need for additional credentials. It does so using an established standard called Opportunistic Wireless Encryption.

As with the password protections, WPA3's expanded encryption for public networks also keeps Wi-Fi users safe from a vulnerability they may not realize exists in the first place. In fact, if anything it might make Wi-Fi users feel too secure.

What encryption mechanism does WPA2 use?

One of the key features of WPA2 is its data encryption method: AES (Advanced Encryption Standard). Initially adopted by the US government to protect classified data, AES is one of the strongest encryption technologies available.

Does WPA2 use AES?

AES was introduced into wireless network security with the WPA2 standard. The other part of the equation that you'll often see is PSK. PSK stands for "Pre-Shared Key" and simply means that a password is being used as the "key" to activate the secure network.