WPA: Abbreviation for Wifi Protect Access, and consists of an access control mechanism to a wireless network, designed with the idea of eliminating the weaknesses of WEP. It is also known as TSN (Transition Security Network).
Functionality
According to abbreviationfinder, WPA uses TKIP TKIP (Temporal Key Integrity Protocol) for dynamic key management, notably improving data encryption, including the initialization vector. In general WPA is TKIP with 8021X. Otherwise WPA works in a similar way to WEP but using dynamic keys, it uses the RC4 algorithm to generate a stream of bits that are used to encrypt with XOR and its initialization vector (IV) is 48 bits. Dynamic key modification can make it impossible to use the same system as with WEP to open a wireless network with WPA security. In addition, WPA can support different access control systems including user-password validation, digital certificate or other system or simply use a shared password to identify yourself.
WPA-PSK
It is the simplest access control system after WEP, for practical purposes it has the same configuration difficulty as WEP, a shared common key, however, dynamic key management significantly increases its level of security. PSK corresponds to the initials of PreShared Key and comes to mean previously shared key, that is, for the client it bases its security on a shared password. WPA-PSK uses a passkey between 8 and 63 characters long, which is the shared key. As with WEP, this key must be entered in each of the stations and access points of the wireless network. Any station that identifies itself with this password has access to the network. The characteristics of WPA-PSK define it as the system, currently, most suitable for small office or home networks, the configuration is very simple, the security is acceptable and it does not require any additional components.
WPA-PSK weaknesses
The main weakness of WPA-PSK is the shared key between stations. When a system bases its security on a password, it is always susceptible to a brute outside attack, that is, checking passwords, although given the length of the password and if it is correctly chosen, it should not pose major problems. We must think that there is a moment of weakness when the station establishes the authentication dialogue. This dialog is encrypted with the shared keys, and if so, then access is guaranteed and the use of dynamic keys begins. The weakness is that the content of the authentication packet is known and its encrypted value is known. Now what remains is, using a brute force or dictionary attack process, to try to determine the password.
Enterprise WPA
In corporate networks, other more versatile and easy-to-maintain access control mechanisms are essential, such as the users of a system identified with a name / password or the possession of a digital certificate. Obviously, the hardware of an access point does not have the capacity to store and process all this information, so it is necessary to resort to other elements of the wired network to verify some credentials. It seems complicated that a client can validate against a component of the wired network if they still do not have access to the network, it seems like the chicken and egg problem. This is where IEEE 802.1X, described below, comes into play to allow validation traffic between a client and a local machine. Once a client has been validated, WPA starts TKIP to use dynamic keys. WPA clients have to be configured to use a specific validation system that is completely independent of the access point. WPA validation systems can be, among others, EAP-TLS, PEAP, EAP-TTLS.