WPA Evolution · Rolling Thunder Security

WiFi encryption is the rare topic in security where the entire history of attacks is still visible in the wild — old APs in attics still broadcast WEP, mid-2000s consumer routers default to WPA, modern enterprise rolls out WPA3, and any campus has all four somewhere on its network. You need to recognize each generation by its handshake, its known attacks, and the conditions under which it's still acceptable to deploy.

The four generations

1997

WEP

RC4 stream cipher, 24-bit IV. Catastrophically broken by Fluhrer-Mantin-Shamir (2001). Anyone with airodump-ng cracks a WEP key in minutes.

Forbidden

2003

WPA

TKIP, designed as a firmware drop-in for WEP hardware. Beck-Tews (2008) recovered keys for short packets. Deprecated by Wi-Fi Alliance 2014.

Forbidden

2004

WPA2

AES-CCMP. Required the 802.11i amendment. Still the most deployed flavor in 2024. KRACK (2017) & PMKID (2018) attacks exist but require specific conditions.

Legacy-OK

2018

WPA3

SAE (Dragonfly handshake), forward secrecy, no offline dictionary attacks against the PSK. Mandatory on 6 GHz. Dragonblood (2019) hit early implementations; patches landed quickly.

Modern

WEP · how it broke

WEP was the original WiFi privacy standard. It paired a static 40 or 104-bit key with a 24-bit Initialization Vector (IV) and ran RC4 over the result. Three things made it broken at design time, not just in retrospect:

IV space too small. 24 bits = 16.7 million IVs. On a busy AP, those recycle in a few hours. Whenever the same IV repeats with the same key, the XOR of two ciphertexts equals the XOR of two plaintexts — recoverable.
RC4 weak keys. Fluhrer, Mantin, and Shamir showed that for certain "weak" IVs, the first byte of RC4 output reveals information about the key. Capture enough weak-IV packets and you can recover the key byte-by-byte.
No replay protection. Attackers can replay captured ARP requests to generate fresh IVs at line rate, dramatically accelerating the capture.

Status today: WEP is forbidden in every enterprise security policy on the planet. If you see it on a network audit, the AP is either misconfigured or a decade out of date. Tools like aircrack-ng can crack it in under a minute on a modern laptop with a captured handshake.

WPA · the band-aid

When WEP fell, the Wi-Fi Alliance needed something fast. WPA was designed to run on existing WEP-era radios with a firmware update — that constraint shaped the entire design and is why it didn't survive long.

It used TKIP (Temporal Key Integrity Protocol): still RC4 under the hood, but with per-packet key mixing, a 48-bit IV, and a Message Integrity Check (Michael MIC) on top. Better than WEP, but kept enough of the same DNA to inherit problems.

Beck-Tews attack (2008): short ARP packets can be modified and replayed in a way that lets an attacker inject arbitrary frames within ~12 minutes.
The MIC algorithm (Michael) is intentionally weak because it had to run on cheap hardware. Two MIC failures within 60 seconds trigger a key renegotiation, which itself can be abused for DoS.
Wi-Fi Alliance deprecated WPA-TKIP in 2014. Treat it the same as WEP in policy: forbidden.

WPA2 · the workhorse

WPA2 (2004) was the first WiFi standard designed around AES instead of RC4 — specifically AES in CCMP (Counter mode with CBC-MAC) for confidentiality and integrity in one. It required the IEEE 802.11i amendment, which means it needed new radio chips that supported AES in hardware. Once those shipped, WPA2 became the default and stayed that way for fifteen years.

The 4-way handshake

Every WPA2 (and WPA3-Transition) session begins with the four-message EAPOL key exchange. This is where the per-session encryption keys are derived from the shared secret (PSK in personal mode, MSK from 802.1X in enterprise). Memorize this flow — every WPA2 attack targets this handshake.

# Inputs: # PSK = derived from the passphrase + SSID (PBKDF2-SHA1, 4096 iterations) # AA = AP MAC address # SA = client (supplicant) MAC address AP —Msg 1 (ANonce)—→ Client # Client now has: PSK, AA, SA, ANonce. Generates SNonce locally. # Derives PTK = PRF(PSK, "Pairwise key expansion", min/max(AA,SA), min/max(ANonce,SNonce)) Client —Msg 2 (SNonce + MIC)—→ AP # AP can now derive the same PTK (it has all the inputs). # Verifies MIC. If MIC is good, the client proved it knows the PSK. AP —Msg 3 (GTK + MIC)—→ Client # Tells client to install PTK + Group Temporal Key (GTK). Client —Msg 4 (ACK)—→ AP # Both sides install the PTK. Encrypted data flows from here on.

Two things to notice about this handshake. First, the PSK never actually crosses the air — only the nonces and MICs derived from it. Second, an attacker who captures all four messages has everything except the PSK itself, which is exactly the input to PBKDF2 they need to guess. That's why offline cracking of WPA2-PSK exists: capture the handshake once, then run a wordlist (or hashcat) against it for as long as you like.

The named attacks on WPA2

Offline dictionary attack. The original and still the most practical. Capture the 4-way handshake (anyone can — it's not encrypted), then run hashcat against it. An 8-character all-lowercase PSK falls in hours. Password123 falls in milliseconds.
PMKID attack (2018): Steube discovered that some APs include the PMKID (a hash derived from PMK + AP MAC + client MAC) in the first message of the handshake even when no client is connecting. That single capture is enough to start cracking. No deauth required.
KRACK (2017): Vanhoef & Piessens forced reinstallation of an already-used key by replaying message 3 of the handshake. Lets an attacker decrypt traffic, but requires a man-in-the-middle position. Patched in 2017-2018; modern clients are safe.
Hole 196: An authenticated insider can use the group key (GTK) to spoof traffic from other clients. Not a remote attack — you have to be on the network already.

WPA2 status today: Still acceptable for personal networks with a strong PSK (20+ characters of random) and PMF enabled. Enterprise (802.1X) WPA2 is still extremely common in 2024 and is considered safe with current patches.

WPA3 · the fix that finally helps

WPA3 (2018) replaces the 4-way handshake's pre-shared-key step with SAE (Simultaneous Authentication of Equals), also called the Dragonfly handshake. SAE is a password-authenticated key exchange (PAKE) that gives you two properties WPA2 cannot:

No offline dictionary attacks. Each guess of the password requires the attacker to interact with the AP. Capturing thousands of handshakes does not help — every guess is online and rate-limited.
Forward secrecy. Even if the password is compromised later, previously captured sessions can't be decrypted. Each session uses ephemeral keys negotiated by SAE.

SAE in plain terms

Both parties know the password. They each generate an ephemeral keypair, derive a shared secret using their keypair plus the password-derived element, exchange commit and confirm messages, and end up with a Pairwise Master Key (PMK). From there the rest of the WiFi handshake (deriving PTKs, installing keys) looks like WPA2 — but the PMK is now session-specific, not derived from the password directly.

Dragonblood (2019): Vanhoef & Ronen found timing side channels and downgrade attacks in early SAE implementations. Patched quickly — Cisco, Aruba, Mikrotik, hostapd all released fixes in 2019-2020. Modern deployments are not vulnerable. The lesson: protocols can be sound while implementations are not.

Personal vs Enterprise

Both WPA2 and WPA3 come in "Personal" (PSK) and "Enterprise" (802.1X) flavors. The difference is where the master secret comes from.

Mode	Source of master secret	Per-user keys?	Right size for
Personal (PSK)	Everyone shares one passphrase. The AP and clients use it as input to PBKDF2.	No — everyone with the PSK derives the same PMK.	Home, small office, IoT segments without identity infrastructure.
Enterprise (802.1X)	Each user authenticates against a RADIUS server using an EAP method (EAP-TLS, PEAP-MSCHAPv2, EAP-TTLS). The server generates a unique MSK per session.	Yes — each user has their own keys.	Universities, corporate networks, anywhere with identity infrastructure.

The major EAP methods

EAP-TLS — mutual cert authentication. Strongest, most operationally expensive (every client needs a cert). The gold standard for enterprise WiFi.
PEAP-MSCHAPv2 — the most common in the wild. Wraps MSCHAPv2 in a TLS tunnel. The MSCHAPv2 hashes are crackable if an attacker can MitM the TLS tunnel — which they can if clients don't validate the RADIUS cert. (This is the evil twin against enterprise WiFi attack.)
EAP-TTLS — similar to PEAP but more flexible inner methods. Same vulnerability to bad cert validation.
EAP-PWD, EAP-PSK — password-based without certs. Rare.

The cert-validation rule: Whenever enterprise WiFi uses a password-based EAP method (PEAP, EAP-TTLS), clients must be configured to validate the RADIUS server certificate against a specific CA and CN. Otherwise an attacker spins up an evil-twin AP with a self-signed cert, clients accept it, and the attacker captures MSCHAPv2 hashes from every authentication attempt.

WPS · the universal off-switch

WiFi Protected Setup was a usability feature: type an 8-digit PIN (printed on the router) and your device joins the network without typing the WPA passphrase. The PIN is split into two halves that are verified independently — meaning the search space is not 10⁸ (100 million) but 10⁴ + 10³ (11,000). A 2011 attack (Stefan Viehböck) recovered the PIN in under 10 hours. Pixie Dust (2014) does it in seconds on many APs because their PIN generation uses bad randomness.

Policy: Turn WPS off on every AP. Always. It's a feature whose only purpose is to bypass the WPA passphrase, and it does so on a cracking budget of pennies.

Opportunistic Wireless Encryption (OWE)

Open WiFi (coffee shops, airports, "guest" networks) has historically been completely unencrypted — anyone with a radio captures all traffic in cleartext. OWE / Enhanced Open (Wi-Fi Alliance 2018) fixes this without requiring a password: clients and AP do an unauthenticated Diffie-Hellman exchange at connection time, then encrypt the session.

Doesn't protect against active MitM (no authentication, by design), but it makes passive eavesdropping on open networks stop working. Slowly being adopted — iOS, Android, Windows all support it; most public APs don't yet enable it. The 6 GHz band makes Enhanced Open mandatory for open networks, so deployment will pick up.

Takeaway

Walk away with this hierarchy: WEP and WPA are forbidden. WPA2-PSK is acceptable with a strong (20+ char random) passphrase, but the handshake is offline-crackable and the PSK is the only thing standing between an attacker and your traffic. WPA3-SAE is the right default for new deployments — no offline dictionary attacks, forward secrecy, mandatory on 6 GHz.

For enterprise: EAP-TLS with proper cert validation is the gold standard. PEAP/MSCHAPv2 is still common but only safe if clients validate the RADIUS cert — otherwise the evil-twin attack on the next page hands the attacker every employee's hash.

Sources

Fluhrer, S., Mantin, I., & Shamir, A. (2001). Weaknesses in the key scheduling algorithm of RC4. Selected Areas in Cryptography. https://www.crypto.com/papers/others/rc4_ksaproc.pdf
Vanhoef, M., & Piessens, F. (2017). Key reinstallation attacks: Forcing nonce reuse in WPA2. ACM CCS. https://papers.mathyvanhoef.com/ccs2017.pdf
Vanhoef, M., & Ronen, E. (2020). Dragonblood: Analyzing the Dragonfly handshake of WPA3. IEEE S&P. https://wpa3.mathyvanhoef.com/
Steube, J. (2018). New attack on WPA/WPA2 using PMKID. Hashcat forum. https://hashcat.net/forum/thread-7717.html
Wi-Fi Alliance. (2024). WPA3 specification version 3.2. https://www.wi-fi.org/discover-wi-fi/security
IEEE Standards Association. (2004). IEEE Std 802.11i-2004: Medium access control (MAC) security enhancements. IEEE.