The phone (tablet) does not connect to Wi-Fi, writes “Saved, WPA \ WPA2 protection. Security of public WiFi networks

WPA encryption implies the use of a secured Wi-Fi network. WPA stands for Wi-Fi Protected Access, that is, protected access.

Most system administrators know how to configure this protocol and know a lot about it.

But ordinary people can learn a lot about what WPA is, how to set it up and how to use it.

True, on the Internet you can find many articles on this matter, from which it is impossible to understand anything. Therefore, today we will speak in simple language about difficult things.

A bit of theory

So, WPA is a protocol (a technology, a program) that defines a set of certificates used during transmission.

In simpler terms, this technology allows you to use various methods to secure your Wi-Fi network.

This can be an electronic key, that is, a special certificate of the right to use this network (we will talk about this later).

In general, with the help of this program, only those who have the right to do so will be able to use the network, and that's all you need to know.

For reference: authentication is a protection measure that establishes the identity of a person and his right to access the network by matching the presented data with the expected data.

For example, a person authenticates when he applies his own fingerprint. If he just enters a username and password, this is only authorization.

But the fingerprint makes it possible to check that this person is really the one logging in, and not that someone took his data and logged in with it.

Fig. 1. Smartphone fingerprint scanner

The diagram also shows a WLC, a wireless LAN controller. On the right is the authentication server.

All of this is connected by a regular switch (a device that simply connects various network devices). The key is sent from the controller to the authentication server and is stored there.

The client, when trying to connect to the network, must transmit to the LAP (the lightweight access point) the key it knows. This key goes to the authentication server and is compared with the expected key.

If the keys match, the signal is freely delivered to the client.

Fig. 2. An example WPA scheme in Cisco Packet Tracer

Components of WPA

As we said above, WPA uses special keys that are generated every time signal transmission starts, that is, when Wi-Fi is turned on, and that also change from time to time.

WPA includes several technologies at once that help generate and transmit these same keys.

The figure below shows the general formula that includes all the components of the technology under consideration.

Fig. 3. Formula with WPA components

Now let's look at each of these components separately:

  • 802.1X is a standard used to generate that very unique key with which authentication subsequently takes place.
  • EAP is the Extensible Authentication Protocol. It is responsible for the format of the messages by which the keys are transmitted.
  • TKIP is a protocol that allowed the key size to be expanded to 128 bytes (earlier, in WEP, it was only 40 bytes).
  • MIC is a mechanism for checking messages (in particular, checking their integrity). If a message does not meet the criteria, it is sent back.

It is worth noting that there is now WPA2, which, in addition to all of the above, also uses CCMP and AES encryption.

We will not discuss what these are now; WPA2 is simply more reliable than WPA. That's all you really need to know.

Once again from the start

So there you have it: the network uses WPA technology.

To connect to Wi-Fi, each device must present a user certificate, or, more simply, a special key issued by the authentication server.

Only then will it be able to use the network. That's all!

Now you know what WPA is. Next, let's talk about what is good and what is bad about this technology.

Advantages and Disadvantages of WPA Encryption

The advantages of this technology include the following:

  1. Enhanced security of data transmission (compared to WEP, WPA's predecessor).
  2. Tighter control over Wi-Fi access.
  3. Compatible with a wide range of devices that are used to organize a wireless network.
  4. Centralized security management. The center in this case is the authentication server. This prevents attackers from gaining access to hidden data.
  5. Enterprises can use their own security policies.
  6. Easy to set up and use.

Of course, this technology also has disadvantages, and they often turn out to be very significant. In particular, we are talking about the following:

  1. TKIP can be cracked in at most 15 minutes. This was announced by a group of specialists at the PacSec conference in 2008.
  2. In 2009, specialists from the University of Hiroshima developed a method to hack any network using WPA in one minute.
  3. With the help of the vulnerability that specialists named Hole196, WPA2 can be used with your own key rather than the one required by the authentication server.
  4. In most cases, any WPA can be cracked by ordinary enumeration of all possible options (brute force), as well as by the so-called dictionary attack. In the second case, the options are tried not in arbitrary order but according to a dictionary.

Of course, in order to take advantage of all these vulnerabilities and problems, special knowledge in the field of building computer networks is required.

For most ordinary users, none of this is within reach. Therefore, you don't have to worry about someone gaining access to your Wi-Fi.

Fig. 4. Cracker and computer

With the proliferation of wireless networks, the WPA and WPA2 encryption protocols have become known to almost all owners of devices that connect to Wi-Fi. They are shown in the connection properties, and they attract minimal attention from most users who are not system administrators. It is usually enough to know that WPA2 is a product of the evolution of WPA, and therefore WPA2 is newer and more suitable for today's networks.

WPA is an encryption protocol designed to protect wireless networks of the IEEE 802.11 standard, developed by the Wi-Fi Alliance in 2003 as a replacement for the outdated and insecure WEP protocol.
WPA2 is an encryption protocol that is an improved development of WPA, introduced by the Wi-Fi Alliance in 2004.

Difference between WPA and WPA2

For most users, the difference between WPA and WPA2 is not relevant, since all the protection of a wireless network comes down to choosing a more or less complex access password. Today all devices operating in Wi-Fi networks are required to support WPA2, so choosing WPA can only be justified by non-standard situations. For example, operating systems older than Windows XP SP3 do not support WPA2 without patches, so machines and devices running such systems require the attention of a network administrator. Even some modern smartphones may not support the newer encryption protocol, mainly off-brand Asian gadgets. On the other hand, some versions of Windows older than XP do not support WPA2 at the GPO level and therefore require finer tuning of the network connections in this case.
The technical difference between WPA and WPA2 lies in the encryption technology, in particular in the protocols used. WPA uses the TKIP protocol, WPA2 uses the AES protocol. In practice, this means that the more modern WPA2 provides a higher degree of network security. For example, the TKIP protocol allows you to create an authentication key of up to 128 bits, AES up to 256 bits.

TheDifference.ru determined that the difference between WPA2 and WPA is as follows:

  • WPA2 is an enhanced WPA.
  • WPA2 uses the AES protocol, WPA uses the TKIP protocol.
  • WPA2 is supported by all modern wireless devices.
  • WPA2 may not be supported by legacy operating systems.
  • WPA2 is more secure than WPA.

This article is about security when using WiFi wireless networks.

Introduction - WiFi vulnerabilities

The main reason user data is vulnerable when transmitted over WiFi networks is that the exchange takes place over radio waves. This makes it possible to intercept messages at any point where the WiFi signal is physically available. Simply put, if the signal of an access point can be received at a distance of 50 meters, then interception of all traffic of this WiFi network is possible within a radius of 50 meters from the access point: in an adjacent room, on another floor of the building, on the street.

Imagine this picture. In an office, the local network is built over WiFi. The signal from this office's access point is picked up outside the building, for example in a parking lot. An attacker outside the building can gain access to the office network, unnoticed by the network's owners. WiFi networks can be accessed easily and discreetly, technically much more easily than wired networks.

Yes, means of protecting WiFi networks have been developed and implemented. This protection is based on encrypting all traffic between the access point and the end device connected to it. That is, an attacker can intercept the radio signal, but for him it will be just digital "garbage".

How does WiFi protection work?

The access point admits into its WiFi network only a device that sends the correct password (the one specified in the access point settings). In this case, the password is also sent in encrypted form, as a hash. A hash is the result of irreversible encryption: data that has been turned into a hash cannot be decrypted. If an attacker intercepts the password hash, he will not be able to obtain the password from it.

But how does the access point know whether the password is correct if it also receives only a hash that it cannot decrypt? Everything is simple: in the access point settings, the password is specified in plain form. The authorization program takes the plain password, creates a hash from it, and then compares this hash with the one received from the client. If the hashes match, the client has the correct password. The second property of hashes is used here: they are unique. The same hash cannot be obtained from two different sets of data (passwords). If two hashes match, then they were both created from the same data.

By the way, because of this property, hashes are used to check data integrity. If two hashes (created at different times) match, then the original data has not been changed in the interval between them.
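The check described above can be reproduced in code. The following is an added example, not part of the article: in WPA/WPA2-Personal both sides derive a 256-bit Pairwise Master Key (PMK) from the passphrase with PBKDF2-HMAC-SHA1, salted with the SSID and iterated 4096 times (IEEE 802.11i), and the access point compares the client's derivation with its own rather than ever seeing the passphrase on the air. The `AccessPoint` class and the `client_joins`, `snapshot` and `unchanged_since` helpers are illustrative names chosen here; the `"password"`/`"IEEE"` pair is the IEEE 802.11i test vector for the passphrase-to-PSK mapping.

```python
import hashlib
import hmac

# WPA/WPA2-Personal: both sides derive the 256-bit Pairwise Master Key (PMK)
# from the passphrase with PBKDF2-HMAC-SHA1, salted with the SSID and iterated
# 4096 times (IEEE 802.11i). The passphrase itself is never transmitted.
PBKDF2_ITERATIONS = 4096
PMK_LENGTH = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK the way a WPA2-Personal client or access point does."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LENGTH,
    )


class AccessPoint:
    """Illustrative model of the check in the text: the access point keeps the
    key derived from its configured passphrase and compares the client's
    derivation against it."""

    def __init__(self, ssid: str, passphrase: str) -> None:
        self.ssid = ssid
        self._pmk = derive_pmk(passphrase, ssid)

    def accepts(self, client_pmk: bytes) -> bool:
        # Constant-time comparison so timing does not reveal how many bytes matched.
        return hmac.compare_digest(self._pmk, client_pmk)


def client_joins(ap: AccessPoint, passphrase: str) -> bool:
    """The client derives the PMK from its own copy of the passphrase and the
    advertised SSID; only a matching derivation is accepted."""
    return ap.accepts(derive_pmk(passphrase, ap.ssid))


def snapshot(data: bytes) -> bytes:
    """Integrity use of a hash: record the digest of some data now."""
    return hashlib.sha256(data).digest()


def unchanged_since(data: bytes, earlier_digest: bytes) -> bool:
    """Recompute the digest later and compare it with the recorded one."""
    return hmac.compare_digest(snapshot(data), earlier_digest)


if __name__ == "__main__":
    # Constructed demonstration: "password"/"IEEE" is the IEEE 802.11i
    # Annex test vector for passphrase-to-PSK mapping.
    ap = AccessPoint("IEEE", "password")
    print("PMK:", derive_pmk("password", "IEEE").hex())
    print("correct passphrase accepted:", client_joins(ap, "password"))
    print("wrong passphrase accepted:  ", client_joins(ap, "passw0rd"))
    # Because the SSID is the salt, the same passphrase on another SSID
    # yields a different PMK, so precomputed tables only apply per SSID.
    print("same passphrase, other SSID differs:",
          derive_pmk("password", "IEEE") != derive_pmk("password", "IEEE-guest"))
    recorded = snapshot(b"config v1")
    print("config unchanged:", unchanged_since(b"config v1", recorded))
    print("config changed:  ", unchanged_since(b"config v2", recorded))
```

Two defensive points follow from the code: the SSID acts as the salt, so a network with a unique SSID cannot be attacked with tables precomputed for a common name, and the 4096 PBKDF2 iterations are what make each dictionary guess comparatively expensive.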

However, although the most modern method of securing a WiFi network (WPA2) is reliable, such a network can still be hacked. How?

There are two methods for accessing a WPA2 secured network:

  1. Password guessing (so-called dictionary brute-force attacks).
  2. Exploiting a vulnerability in the WPS function.

In the first case, the attacker intercepts the password hash from the access point. Then a hash comparison is performed against a database containing thousands or millions of words. A word is taken from the dictionary, a hash for this word is generated, and this hash is compared with the intercepted one. If a primitive password is used on the access point, then cracking the password of this access point is a matter of time. For example, an 8-digit password (8 characters is the minimum password length for WPA2) is one million combinations. On a modern computer, one million values can be enumerated in a few days or even hours.

In the second case, a vulnerability in the first versions of the WPS function is exploited. This feature allows you to connect to the access point a device on which you cannot enter a password, such as a printer. When this function is used, the device and the access point exchange a digital code, and if the device sends the correct code, the access point authorizes the client. There was a vulnerability in this function: the code was 8 digits long, but correctness was checked using only four of them! That is, to break WPS, you only need to enumerate the values that four digits can take. As a result, breaking into an access point via WPS can be done in literally a few hours, on any device, even the weakest.

Setting up WiFi security

The security of the WiFi network is determined by the settings of the access point. Several of these settings directly affect network security.

WiFi network access mode

The access point can operate in one of two modes - open or protected. In the case of open access, any device can connect to the access point. In the case of secure access, only the device that transmits the correct access password is connected.

There are three types (standards) for protecting WiFi networks:

  • WEP (Wired Equivalent Privacy) - the very first protection standard. Today it does not actually provide protection, since it is very easy to hack due to the weakness of its defense mechanisms.
  • WPA (Wi-Fi Protected Access) - chronologically the second protection standard. At the time of its creation and commissioning, it provided effective protection for WiFi networks. But in the late 2000s, ways were found to break WPA security through vulnerabilities in its security mechanisms.
  • WPA2 (Wi-Fi Protected Access 2) - the latest protection standard. Provides reliable protection if certain rules are followed. To date, there are only two known ways to break WPA2 protection: guessing the password from a dictionary, and a workaround through the WPS service.

Therefore, to ensure the security of the WiFi network, you must select the WPA2 security type. However, not all client devices support it. For example, Windows XP SP2 only supports WPA.

In addition to choosing the WPA2 standard, additional conditions are required:

  • Use the AES encryption method.

The password for accessing the WiFi network must be composed according to the following rules:

  1. Use letters and numbers in the password: an arbitrary set of letters and numbers, or a very rare word or phrase that is meaningful only to you.
  2. Do not use simple passwords like name + date of birth, or some word + a few numbers, for example lena1991 or dom12345.
  3. If it is necessary to use a digits-only password, its length must be at least 10 characters, because an eight-digit numeric password can be brute-forced in real time (from several hours to several days, depending on the power of the computer).

If you use complex passwords in accordance with these rules, your WiFi network cannot be hacked by guessing the password from a dictionary. For example, for a password like 5Fb9pE2a (arbitrary alphanumeric) there are at most 218340105584896 possible combinations. Today this is practically impossible to match: even if a computer compares 1,000,000 (a million) words per second, it will take almost 7 years to try all the values.
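The arithmetic behind the 5Fb9pE2a example can be turned into a small policy calculator. The following is an added example, not from the article: it infers the character alphabet a password draws from, counts the raw keyspace, converts it to worst-case search time at a given guess rate, and finds the minimum length a policy needs for a chosen safety margin. It goes beyond the article's single case by covering digits-only and mixed-case policies too; the helper names and the 33-symbol punctuation class are assumptions made here, and the figures are pure keyspace counts (they ignore the per-guess PBKDF2 cost, so real attacks are slower, and dictionary words are not counted at all).

```python
SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size_of(password: str) -> int:
    """Size of the smallest obvious alphabet covering the password's characters.
    Punctuation is counted as the 33 printable ASCII symbols (assumed set)."""
    size = 0
    if any(c.isdigit() for c in password):
        size += 10
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def keyspace_of(password: str) -> int:
    """Keyspace of the policy a given password appears to follow."""
    return keyspace(alphabet_size_of(password), len(password))


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def min_length_for(alphabet_size: int, guesses_per_second: float, years: float) -> int:
    """Smallest length whose full keyspace takes at least `years` to exhaust."""
    length = 1
    while years_to_exhaust(keyspace(alphabet_size, length), guesses_per_second) < years:
        length += 1
    return length


if __name__ == "__main__":
    rate = 1_000_000  # the guess rate assumed in the text: one million per second
    # Constructed samples: digits-only of two lengths, word+year, and the article's example.
    for sample in ("12345678", "1234567890", "lena1991", "5Fb9pE2a"):
        space = keyspace_of(sample)
        print(f"{sample:12} alphabet={alphabet_size_of(sample):2} "
              f"keyspace={space:>20,} years@1M/s={years_to_exhaust(space, rate):.2f}")
    print("digits-only length for >= 1 year at 1M/s:", min_length_for(10, rate, 1))
    print("alphanumeric length for >= 1 year at 1M/s:", min_length_for(62, rate, 1))
```

Running it reproduces the article's numbers for 5Fb9pE2a (62^8 = 218340105584896 candidates, about 6.9 years at a million guesses per second) and shows how much more slowly a digits-only policy grows, which is why the text demands extra length for numeric passwords.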

WPS (Wi-Fi Protected Setup)

If your access point has Wi-Fi Protected Setup (WPS), you need to disable it. If this feature is required, make sure its version supports the following:

  1. Using all 8 digits of the PIN instead of 4, as it was in the beginning.
  2. Enforcing a delay after several attempts by a client to send a wrong PIN.

An additional way to improve WPS security is to use an alphanumeric PIN.
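The settings recommended in this section (WPA2 only, AES, WPS off, an adequate passphrase) can be checked mechanically on the access point's configuration. The following is an added example, not from the article, and it assumes a hostapd-style `key=value` configuration file, since the article names no particular access-point software; the keys used (`wpa`, `wpa_key_mgmt`, `wpa_pairwise`, `rsn_pairwise`, `wpa_passphrase`, `wps_state`) are real hostapd.conf keys, the sample configuration is constructed, and the `audit`/`harden` helper names are chosen here. The passphrase rules applied are the three rules given in the text.

```python
# Constructed sample of a weakly configured access point (hostapd.conf style).
WEAK_CONFIG = """\
interface=wlan0
ssid=Office
# WPA (TKIP era) only, WPS PIN/push-button enabled, digits-only passphrase
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=12345678
wps_state=2
"""


def parse_config(text: str) -> dict:
    """Parse key=value lines, skipping blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def passphrase_findings(passphrase: str) -> list:
    """Apply the password rules from the text: digits-only needs >= 10 characters,
    otherwise at least 8 characters drawn from more than one character class."""
    findings = []
    if passphrase.isdigit():
        if len(passphrase) < 10:
            findings.append("digits-only passphrase shorter than 10 characters")
    else:
        if len(passphrase) < 8:
            findings.append("passphrase shorter than 8 characters")
        classes = sum(1 for test in (str.isdigit, str.islower, str.isupper)
                      if any(test(c) for c in passphrase))
        if classes < 2:
            findings.append("passphrase uses a single character class")
    return findings


def audit(cfg: dict) -> list:
    """Return (key, problem) pairs for every setting that violates the rules."""
    problems = []
    # wpa=1 is WPA only, wpa=3 is mixed WPA/WPA2; only wpa=2 is WPA2-only.
    if cfg.get("wpa") != "2":
        problems.append(("wpa", "WPA2 not selected exclusively; set wpa=2"))
    # rsn_pairwise selects the WPA2 cipher and falls back to wpa_pairwise when absent.
    pairwise = cfg.get("rsn_pairwise", cfg.get("wpa_pairwise", ""))
    if pairwise == "" or "TKIP" in pairwise.split():
        problems.append(("rsn_pairwise", "use AES (CCMP) only: rsn_pairwise=CCMP"))
    # wps_state=0 disables WPS; 1 and 2 leave it available.
    if cfg.get("wps_state", "0") != "0":
        problems.append(("wps_state", "WPS enabled; set wps_state=0"))
    for msg in passphrase_findings(cfg.get("wpa_passphrase", "")):
        problems.append(("wpa_passphrase", msg))
    return problems


def harden(cfg: dict) -> dict:
    """Apply the mechanical fixes; the passphrase itself must be chosen by a human."""
    fixed = dict(cfg)
    fixed["wpa"] = "2"
    fixed.pop("wpa_pairwise", None)
    fixed["rsn_pairwise"] = "CCMP"
    fixed["wps_state"] = "0"
    return fixed


if __name__ == "__main__":
    cfg = parse_config(WEAK_CONFIG)
    for key, problem in audit(cfg):
        print(f"{key}: {problem}")
    print("after harden():", audit(harden(cfg)))
```

After `harden()` only the passphrase finding remains, which is deliberate: a tool can flip the protocol, cipher and WPS switches, but a weak passphrase has to be replaced by the operator.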

Security of public WiFi networks

Today it is fashionable to use the Internet via WiFi networks in public places: cafes, restaurants, shopping centers, etc. It is important to understand that using such networks can lead to theft of your personal data. If you access the Internet through such a network and then log in to any site, your data (login and password) can be intercepted by another person connected to the same WiFi network. Indeed, from any device that has been authorized and is connected to an access point, network traffic of all the other devices on this network can be intercepted. The peculiarity of public WiFi networks is that anyone can connect to them, including an attacker, and not only to an open network but also to a protected one.

What can you do to protect your data when connected to the Internet via a public WiFi network? There is only one option: use the HTTPS protocol. This protocol establishes an encrypted connection between the client (browser) and the site. However, not all sites support HTTPS. Addresses on a site that supports HTTPS start with the prefix https://. If the addresses on the site have the http:// prefix, this means that the site does not support HTTPS or it is not being used.

Some sites do not use HTTPS by default, but they do support it, and you can use it if you explicitly (manually) specify the https:// prefix.

For other use cases, such as Internet chats, Skype, etc., free or paid VPN servers can be used to protect this data. That is, first connect to the VPN server, and only then use the chat or an open site.

WiFi password protection

In the second and third parts of this article, I wrote that when the WPA2 security standard is used, one of the ways to hack a WiFi network is to guess the password using a dictionary. But for an intruder there is another way to get the password for your WiFi network. If you keep your password on a sticker glued to the monitor, a stranger can simply see it. Your password can also be stolen from a computer connected to your WiFi network; an outsider can do this if your computers are not protected from unauthorized access, for example using malware. In addition, the password can be stolen from a device that is taken outside the office (home, apartment): a smartphone or tablet.

Thus, if you need reliable protection for your WiFi network, you need to take steps to store your password securely and protect it from unauthorized access.


Recently, there have been many "revealing" publications about the hacking of yet another protocol or technology that compromises the security of wireless networks. Is this really so, what is worth fearing, and how can access to your network be made as secure as possible? Do WEP, WPA, 802.1x, EAP, PKI mean little to you? This short overview will help bring together all the encryption and radio access authorization technologies in use. I will try to show that a properly configured wireless network is an insurmountable barrier for an attacker (up to a certain limit, of course).

The basics

Any interaction between an access point (network) and a wireless client is based on:
  • Authentication - how the client and the access point introduce themselves to each other and confirm that they have the right to communicate with each other;
  • Encryption - which scrambling algorithm is used for the transmitted data, how the encryption key is generated, and when it is changed.

Wireless network parameters, primarily its name (SSID), are regularly announced by the access point in broadcast beacon packets. In addition to the expected security settings, QoS wishes, 802.11n parameters, supported speeds, information about other neighbors, etc. are transmitted. Authentication defines how the client presents itself to the access point. The possible options are:

  • Open - the so-called open network, in which all connected devices are authorized at once
  • Shared - the authenticity of the connecting device must be verified with a key / password
  • EAP - the authenticity of the connecting device must be verified using the EAP protocol by an external server

The openness of the network does not mean that anyone can work with it with impunity. To transmit data in such a network, the client must match the encryption algorithm in use and, accordingly, correctly establish an encrypted connection. The encryption algorithms are as follows:
  • None - no encryption, data is transmitted in clear text
  • WEP - a cipher based on the RC4 algorithm with static or dynamic keys of different lengths (64 or 128 bits)
  • CKIP - a proprietary replacement for WEP from Cisco, an early version of TKIP
  • TKIP - an improved WEP replacement with additional checks and protection
  • AES / CCMP - the most advanced algorithm, based on AES256 with additional checks and protection

The combination Open Authentication / No Encryption is widely used in guest access systems, such as providing Internet access in a cafe or hotel. To connect, you only need to know the name of the wireless network. Often such a connection is combined with an additional check on a Captive Portal, redirecting the user's HTTP request to an additional page where confirmation can be requested (login and password, consent to the rules, etc.).

WEP encryption is compromised and must not be used (even with dynamic keys).

The commonly used terms WPA and WPA2 in fact determine the encryption algorithm (TKIP or AES). Since client adapters have supported WPA2 (AES) for quite some time, there is no point in using TKIP encryption.

The difference between WPA2 Personal and WPA2 Enterprise is where the encryption keys used by the AES algorithm come from. For private (home, small) deployments, a static key (password, codeword, PSK (Pre-Shared Key)) of at least 8 characters is used; it is specified in the access point settings and is the same for all clients of this wireless network. Compromise of such a key (a neighbor let it slip, an employee was fired, a laptop was stolen) requires an immediate password change for all remaining users, which is realistic only when there are few of them. For corporate deployments, as the name suggests, a dynamic key is used that is individual to each client working at the moment. This key can be periodically renewed during operation without breaking the connection, and an additional component is responsible for generating it: an authorization server, almost always a RADIUS server.

All possible security parameters are summarized in this table:

Property | Static WEP | Dynamic WEP | WPA | WPA2 (Enterprise)
--- | --- | --- | --- | ---
Identification | User, computer, WLAN card | User, computer | User, computer | User, computer
Authorization | Shared key | EAP | EAP or shared key | EAP or shared key
Integrity | 32-bit Integrity Check Value (ICV) | 32-bit ICV | 64-bit Message Integrity Code (MIC) | CTR / CBC-MAC (Counter mode Cipher Block Chaining Auth Code, CCM), part of AES
Encryption | Static key | Session key | Per-packet key via TKIP | CCMP (AES)
Key distribution | One-shot, manually | Segment Pair-wise Master Key (PMK) | Derived from PMK | Derived from PMK
Initialization vector | Text, 24 bit | Text, 24 bit | Extended vector, 65 bit | 48-bit packet number (PN)
Algorithm | RC4 | RC4 | RC4 | AES
Key length, bit | 64/128 | 64/128 | 128 | up to 256
Required infrastructure | None | RADIUS | RADIUS | RADIUS

While WPA2 Personal (WPA2 PSK) is clear, an enterprise solution requires additional consideration.

WPA2 Enterprise

Here we are dealing with an additional set of protocols. On the client side, a special software component, the supplicant (usually part of the OS), interacts with the authorizing side, the AAA server. This example shows the operation of a unified radio network built on lightweight access points and a controller. When autonomous access points ("with brains") are used, the entire role of intermediary between the clients and the server can be taken on by the access point itself. In this case, the client supplicant's data is transmitted over the radio encapsulated in the 802.1X protocol (EAPOL), and on the controller side it is wrapped in RADIUS packets.

Using the EAP authorization mechanism in your network means that after successful (almost certainly open) authentication of the client by the access point (together with the controller, if any), the latter asks the client to authorize (confirm its authority) with the infrastructure RADIUS server:

Using WPA2 Enterprise requires a RADIUS server on your network. At the moment, the following products are the most capable:

  • Microsoft Network Policy Server (NPS), formerly IAS - configured via MMC, free, but you need to buy Windows
  • Cisco Secure Access Control Server (ACS) 4.2, 5.3 - configured via a web interface, very feature-rich, allows you to build distributed and fault-tolerant systems, expensive
  • FreeRADIUS - free, configured through text configs, not convenient to manage and monitor

Throughout this exchange, the controller closely monitors the information flow and waits for either a successful authorization or a refusal. If successful, the RADIUS server can send additional parameters to the access point (for example, which VLAN to place the subscriber in, which IP address to assign, which QoS profile, etc.). At the end of the exchange, the RADIUS server allows the client and the access point to generate and exchange encryption keys (individual, valid only for this session):

EAP

The EAP protocol itself is a container: the actual authorization mechanism is left to the inner protocols. At the moment, the following have gained significant adoption:
  • EAP-FAST (Flexible Authentication via Secure Tunneling) - developed by Cisco; allows authorization by login and password transmitted inside a TLS tunnel between the supplicant and the RADIUS server
  • EAP-TLS (Transport Layer Security) - uses a public key infrastructure (PKI) to authenticate the client and server (supplicant and RADIUS server) through certificates issued by a trusted certification authority (CA). Requires the signing and installation of client certificates for each wireless device, and is therefore only suitable for a managed corporate environment. Windows Certificate Server has a means of letting a client generate a certificate for itself if the client is a domain member. Blocking a client is easily done by revoking its certificate (or through accounts).
  • EAP-TTLS (Tunneled Transport Layer Security) - similar to EAP-TLS, but no client certificate is required when creating the tunnel. Inside such a tunnel, similar to an SSL browser connection, additional authorization is performed (using a password or something else).
  • PEAP-MSCHAPv2 (Protected EAP) - similar to EAP-TTLS in that it first establishes an encrypted TLS tunnel between client and server, requiring a server certificate. Authorization then takes place inside this tunnel using the well-known MSCHAPv2 protocol.
  • PEAP-GTC (Generic Token Card) - similar to the previous one, but requires one-time password cards (and the corresponding infrastructure)

All of these methods (except EAP-FAST) require a server certificate (on the RADIUS server) issued by a certification authority (CA). The CA certificate itself must be present in the trusted store on the client device (easily done with Group Policy in Windows). Additionally, EAP-TLS requires an individual client certificate. Client authentication is performed both by digital signature and (optionally) by comparing the certificate presented by the client to the RADIUS server with the one the server retrieves from the PKI infrastructure (Active Directory).

Support for any of the EAP methods must be provided by a client-side supplicant. The standard supplicant built into Windows XP / Vista / 7, iOS and Android provides at least EAP-TLS and EAP-MSCHAPv2, which explains the popularity of these methods. Intel ships the ProSet utility with its Windows client adapters to extend the available list; the Cisco AnyConnect client does the same.

How reliable is it

After all, what does it take for an attacker to compromise your network?

For Open Authentication, No Encryption: nothing. Connect to the network, and that's it. Since the radio environment is open and the signal travels in all directions, it is not easy to contain it. With suitable client adapters that allow listening to the air, the network traffic is seen as if the attacker were connected to the wire, to a hub, or to the SPAN port of a switch.
WEP-based encryption requires only IV brute-forcing and one of many freely available scanning utilities.
For encryption based on TKIP or AES, direct decryption is possible in theory, but in practice no such break has been encountered.
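The "Initialization vector" row of the table above is the reason the WEP line holds: with only 24 bits of IV, the same key and IV (and therefore the same RC4 keystream) recur after a few thousand frames, while CCMP's 48-bit sequential packet number cannot repeat within a session. The following is an added example, not from the article, that quantifies this from the defender's side using the birthday bound; the function names are chosen here, the 1000 packets/s rate is an assumed illustrative load, and nothing in it touches real traffic.

```python
import math


def collision_probability(iv_bits: int, packets: int) -> float:
    """Probability that at least two of `packets` independently random IVs
    coincide (birthday bound, standard exp(-n(n-1)/2N) approximation)."""
    space = 2 ** iv_bits
    if packets > space:
        return 1.0
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


def packets_until(iv_bits: int, probability: float) -> int:
    """Smallest packet count at which a random-IV repeat reaches `probability`."""
    space = 2 ** iv_bits
    # Closed-form inverse of the bound, then adjust to the exact threshold.
    n = math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - probability))))
    while n > 1 and collision_probability(iv_bits, n - 1) >= probability:
        n -= 1
    while collision_probability(iv_bits, n) < probability:
        n += 1
    return n


def hours_to_exhaust(iv_bits: int, packets_per_second: float) -> float:
    """A sequential counter (such as CCMP's 48-bit packet number) never repeats
    before its space is exhausted; this is how long exhaustion takes."""
    return 2 ** iv_bits / packets_per_second / 3600.0


if __name__ == "__main__":
    # Assumed illustrative load: 1000 packets per second.
    for name, bits in (("WEP IV", 24), ("CCMP packet number", 48)):
        print(f"{name:20} {bits} bits: 50% repeat chance after "
              f"{packets_until(bits, 0.5):,} random IVs; a counter lasts "
              f"{hours_to_exhaust(bits, 1000):,.1f} h at 1000 packets/s")
```

For WEP the numbers come out at roughly 4,800 frames for an even chance of a repeated IV and under five hours to run through the whole IV space at a modest rate, which is why the text lists WEP as broken regardless of key length; for a 48-bit counter the same exhaustion takes thousands of years at that rate.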

Of course, you can try to guess the PSK key, or the password for one of the EAP methods. No common attacks against these methods are known. You can try social engineering techniques, or
