CWNA, Authentication & Encryption Types
Different Authentication types
- Open
- PSK
- 802.1X
Open Authentication – There is no authentication (free for all). A device connects to the wireless network without any challenge. Open Authentication might also redirect to a captive portal, as at an airport or other public wireless venue. It is a two-way packet exchange (request and response). It is not a secure way to set up wireless.
PSK / WPA/WPA2 – Pre-shared Key – Authentication using a password set on the network. Used in small/medium and mostly home deployments. Also deployed on secondary wireless networks in organizations.
There are no additional requirements for authentication. PSK can be subjected to dictionary attacks, so it is suggested to change the PSK regularly. Recently there was the WPA2 KRACK attack (https://www.krackattacks.com/). You can set up a phrase or a lengthy password. Consists of WPA/WPA2 Personal.
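To show why the PSK advice above holds (change it regularly, prefer a long phrase), here is an added example that is not part of the original notes: it derives the WPA/WPA2-Personal pairwise master key the way 802.11i specifies (PBKDF2-HMAC-SHA1 over the passphrase, with the SSID as the salt, 4096 iterations, 256-bit output) and runs a simple passphrase policy check against it. The `COMMON_WORDS` list and the 60-bit entropy threshold are constructed for this example and are not part of any standard.

```python
import hashlib
import math
import string


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    The SSID is the only salt, so the key is a fixed function of (passphrase, SSID):
    every station on the network shares it, and anyone who has recorded one 4-way
    handshake can test candidate passphrases offline. That is the dictionary-attack
    exposure the notes describe, and the reason to rotate the PSK and keep it long.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("802.11 passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


# Constructed stand-in for the word lists used in dictionary guessing; a real policy
# check would consult a large list or a breached-password service.
COMMON_WORDS = {"password", "wireless", "internet", "letmein", "12345678", "admin123"}


def estimate_entropy_bits(passphrase: str) -> float:
    """Crude entropy estimate: length times log2 of the character-class pool size."""
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(c in string.punctuation or c == " " for c in passphrase):
        pool += len(string.punctuation) + 1
    return len(passphrase) * math.log2(pool) if pool else 0.0


def check_psk_policy(passphrase: str, min_bits: float = 60.0) -> list:
    """Return the list of policy violations; an empty list means the passphrase is acceptable."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII is allowed in a WPA passphrase")
    if passphrase.lower() in COMMON_WORDS:
        problems.append("passphrase appears in a common word list")
    if estimate_entropy_bits(passphrase) < min_bits:
        problems.append(f"estimated entropy below {min_bits:.0f} bits; use a longer phrase")
    return problems


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    for candidate in ("password", "12345678", "glacier-violin-37-tandem"):
        print(candidate, "->", check_psk_policy(candidate) or "OK")
```

Running the block prints the published 802.11i test-vector PMK for "password"/"IEEE", shows that the same passphrase on a different SSID yields a different PMK, and flags the two weak candidates while accepting the constructed phrase.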
802.1X / WPA2 Enterprise – Strongest of all the authentication types. A framework which defines authentication; there is a Supplicant (the client which wants to connect), an Authenticator (AP/Controller) and an Authentication Server (RADIUS, ISE etc.). It is advantageous to have more than one RADIUS server, as a backup if the primary server is not available for any reason. Different EAP (Extensible Authentication Protocol) types are used in this setup. The EAP method used (credentials/certificate/SIM card etc.) defines how the user authenticates to the wireless network.
Upcoming Authentication Types in the near future
SAE – Simultaneous Authentication of Equals – SAE is resistant to passive attack, active attack and dictionary attack. It provides a secure alternative to using certificates, or for when a centralized authority is not available.
DPP – Device Provisioning Protocol – authenticates a device without a password, using a QR code, some kind of tag etc. Applies to a lot of IoT devices which do not have a screen for entering credentials.
WPA3 – The new WPA3 security standard is expected to land in devices later in 2019. From the Wi-Fi Alliance announcement: "Four new capabilities for personal and enterprise Wi-Fi networks will emerge in 2018 as part of Wi-Fi CERTIFIED WPA3™. Two of the features will deliver robust protections even when users choose passwords that fall short of typical complexity recommendations, and will simplify the process of configuring security for devices that have limited or no display interface. Another feature will strengthen user privacy in open networks through individualized data encryption. Finally, a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, will further protect Wi-Fi networks with higher security requirements such as government, defense, and industrial." (https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-security-enhancements)
Encryption Types
Only the payload of data frames is encrypted in general cases. In some advanced cases, management frames can also be protected. The encryption types here are targeted at data frames.
None – No Encryption – used with Open Authentication; relies on the application for encryption, which is not reliable. Suggested to use a personal VPN service to mitigate attacks. OWE (Opportunistic Wireless Encryption) – may offer some encryption for open authentication in the near future (https://tools.ietf.org/html/draft-wkumari-owe-00).
TKIP (Temporal Key Integrity Protocol) – Introduced in 2002 as a patch for WEP (Wireless Encryption Protocol). It uses RC4 as its cipher, the same as WEP. You should refrain from using TKIP and upgrade your devices. Data rates are also limited to 54 Mbps.
CCMP/AES (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) – Strongest of all; not compromised so far. Suggested for your network. WPA/WPA2 – WPA uses TKIP; WPA2 uses CCMP/AES, and TKIP as well.
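The authentication and cipher choices described above are advertised by every AP in the RSN information element (element ID 48) of its beacons, so they can be checked from a capture or a scan without joining the network. The parser below is an added example written for these notes, not code from the page or from the CWNP material; the three beacon elements are constructed by hand for a WPA2-Personal network, a WPA3-Personal (SAE) network, and a legacy WPA2 network that still offers TKIP. Suite selector numbers follow the IEEE 802.11 tables for OUI 00-0F-AC, and the `assess` finding codes are this example's own shorthand for the advice given in these notes.

```python
import struct

RSN_ELEMENT_ID = 48
IEEE_OUI = b"\x00\x0f\xac"

# Cipher and AKM suite selectors for OUI 00-0F-AC (IEEE 802.11 tables).
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_SUITES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
              5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE",
              12: "802.1X-SuiteB-192", 18: "OWE"}

MFPR = 0x0040  # RSN capabilities bit 6: management frame protection required
MFPC = 0x0080  # RSN capabilities bit 7: management frame protection capable


def _suite_name(body: bytes, off: int, table: dict) -> str:
    oui, selector = body[off:off + 3], body[off + 3]
    if oui != IEEE_OUI:
        return f"vendor-{oui.hex()}-{selector}"
    return table.get(selector, f"unknown-{selector}")


def _suite_list(body: bytes, off: int, table: dict):
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    if off + 4 * count > len(body):
        raise ValueError("suite list runs past end of element")
    names = [_suite_name(body, off + 4 * i, table) for i in range(count)]
    return names, off + 4 * count


def parse_rsn_ie(ie: bytes) -> dict:
    """Decode an RSN element (ID, length, body) as carried in a beacon or probe response."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or len(body) < 2:
        raise ValueError("truncated RSN element")
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    off = 2
    # Every field after the version is optional; the standard's defaults apply when absent.
    group, pairwise, akms, caps = "CCMP-128", ["CCMP-128"], ["802.1X"], 0
    if off + 4 <= len(body):
        group = _suite_name(body, off, CIPHER_SUITES)
        off += 4
    if off + 2 <= len(body):
        pairwise, off = _suite_list(body, off, CIPHER_SUITES)
    if off + 2 <= len(body):
        akms, off = _suite_list(body, off, AKM_SUITES)
    if off + 2 <= len(body):
        (caps,) = struct.unpack_from("<H", body, off)
    return {"group_cipher": group, "pairwise_ciphers": pairwise, "akm_suites": akms,
            "mfp_capable": bool(caps & MFPC), "mfp_required": bool(caps & MFPR)}


def assess(rsn: dict) -> list:
    """Apply the guidance from these notes; returns finding codes, empty when nothing to flag."""
    findings = []
    ciphers = set(rsn["pairwise_ciphers"]) | {rsn["group_cipher"]}
    if any(c.startswith("WEP") for c in ciphers):
        findings.append("wep")      # broken RC4 scheme, never acceptable
    if "TKIP" in ciphers:
        findings.append("tkip")     # RC4-based WEP patch; deprecated, caps rates at 54 Mbps
    if any(a.startswith("PSK") or a == "FT-PSK" for a in rsn["akm_suites"]):
        findings.append("psk")      # shared password, exposed to dictionary guessing: rotate it
    if not rsn["mfp_capable"]:
        findings.append("no-mfp")   # management frames unprotected
    return findings


# Constructed beacon RSN elements (hand-built for this example, not captured from a real network).
WPA2_PSK_CCMP = bytes.fromhex("30140100000fac040100000fac040100000fac028000")            # PSK, CCMP, MFP capable
WPA3_SAE_CCMP = bytes.fromhex("30140100000fac040100000fac040100000fac08c000")            # SAE, CCMP, MFP required
WPA2_PSK_MIXED = bytes.fromhex("30180100000fac020200000fac04000fac020100000fac020000")   # TKIP group, CCMP+TKIP pairwise

if __name__ == "__main__":
    for name, ie in (("WPA2-Personal", WPA2_PSK_CCMP), ("WPA3-Personal", WPA3_SAE_CCMP),
                     ("WPA2 mixed", WPA2_PSK_MIXED)):
        rsn = parse_rsn_ie(ie)
        print(name, rsn, "findings:", assess(rsn) or "none")
```

The WPA2-Personal element is flagged only for PSK, the WPA3 element (SAE with management frame protection required) produces no findings, and the mixed-mode element is flagged for TKIP, PSK and missing management frame protection, which is the order of clean-up a wireless administrator would follow from these notes.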
Thanks to SemFio network for the diagram below.