Does Rotating Preshared Keys Improve Security?

Key Points
  • Rotating pre-shared keys (PSKs) can lower some risks, but it still relies on passwords, leaving networks vulnerable to certain attacks and potential mismanagement.
  • EAP-TLS - or certificate-based authentication for Wi-Fi - provides increased security by removing shared passwords and limiting access to confirmed identities.
  • SecureW2’s managed PKI service makes it simple for organizations to issue and manage certificates for passwordless Wi-Fi authentication.

Wi-Fi Protected Access 2 with Pre-Shared Key (WPA2-PSK), a wireless security standard from 2004, is still used by many organizations today. Although it is safer than its predecessors, WPA2-PSK relies on pre-shared keys (PSKs), which use a shared password or secret to authenticate users to your wireless network. Shared authentication credentials like PSKs put your organization at higher risk than other forms of security, such as multi-factor authentication or digital certificates.

Still, you may be wondering: does rotating, or periodically changing, your PSKs offset any of these security concerns? After all, it is best practice to rotate PSKs to prevent cryptanalysis-based attacks; could rotating PSKs be enough to meet your security needs?

Read on to learn why PSKs are dangerous, whether rotating PSKs will solve security issues, and whether WPA2-PSK is the best choice to keep your organization’s digital assets safe.

Why is PSK dangerous for your network?

First, let’s review the shortcomings of PSKs when it comes to security.

A network secured with PSK is vulnerable to many types of attacks, including: 

  1. Man-in-the-Middle (MITM) attacks
  2. Brute force attacks
  3. Layer 2 attacks
  4. Phishing attacks
  5. Password loss/theft

What’s more, PSKs leave you open to other types of attacks, including:

Offline password attacks

Catching a pre-shared key “in flight” is easy, which exposes your organization to offline password attacks. Once the captured hash is in an attacker's hands, they can test as many password guesses as they like offline, with nothing to lock the account.

Two methods can capture a PSK in flight. In the first, the attacker captures the 4-way handshake when a client first authenticates. At this stage they can see the challenge and response, which includes the encrypted key. The attacker can either wait for a new client to authenticate or send deauthentication packets, which force connected clients to drop off and reauthenticate to the network.

The second method takes advantage of an optional management field in 802.1X. The attacker sends a request to the access point and receives the PMKID in its reply. The PMKID is computed from the PSK and the MAC address of the access point, which lets the attacker take the hash offline and recover your password.
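The forced reauthentication described above, in which deauthentication frames are sent so that clients re-run the 4-way handshake, is visible from the defender's side: a wireless IDS sees a burst of deauthentication frames carrying one transmitter address, far above the handful an access point sends during normal housekeeping. The Go program below is an added example, not code from the original post or from SecureW2. It parses a constructed monitor-mode log (the line format, timestamps and MAC addresses are invented for the example) and raises an alert when one transmitter's deauthentication count inside a sliding time window reaches a threshold.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Frame is one parsed line of the constructed monitoring log.
type Frame struct {
	At  time.Time
	Typ string // "deauth", "auth", "data", ...
	Src string // transmitter address as it appears on the air
	Dst string
}

// Alert describes a transmitter whose deauthentication frames within some
// window of the configured length reached the threshold.
type Alert struct {
	Src        string
	Count      int       // most deauth frames seen in any single window
	Start, End time.Time // bounds of that busiest window
}

// SampleLog is constructed data for this example, not a capture from a real
// network: an AP (aa:bb:cc:dd:ee:01) does routine housekeeping at 09:00, then
// twelve broadcast deauthentication frames carrying the AP's address appear
// within three seconds at 10:00, after which clients reauthenticate.
const SampleLog = `
2024-05-01T09:00:00Z deauth src=aa:bb:cc:dd:ee:01 dst=10:20:30:40:50:61
2024-05-01T09:00:05Z auth src=10:20:30:40:50:61 dst=aa:bb:cc:dd:ee:01
2024-05-01T09:30:00Z data src=10:20:30:40:50:62 dst=aa:bb:cc:dd:ee:01
2024-05-01T10:00:00Z deauth src=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff
2024-05-01T10:00:00Z deauth src=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff
2024-05-01T10:00:00Z deauth src=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff
2024-05-01T10:00:00Z deauth src=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff
2024-05-01T10:00:01Z deauth src=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff
2024-05-01T10:00:01Z deauth src=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff
2024-05-01T10:00:01Z deauth src=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff
2024-05-01T10:00:01Z deauth src=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff
2024-05-01T10:00:02Z deauth src=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff
2024-05-01T10:00:02Z deauth src=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff
2024-05-01T10:00:02Z deauth src=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff
2024-05-01T10:00:02Z deauth src=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff
2024-05-01T10:00:04Z auth src=10:20:30:40:50:61 dst=aa:bb:cc:dd:ee:01
2024-05-01T10:00:04Z auth src=10:20:30:40:50:62 dst=aa:bb:cc:dd:ee:01
2024-05-01T10:00:05Z auth src=10:20:30:40:50:63 dst=aa:bb:cc:dd:ee:01
malformed line that the parser must skip
`

// ParseFrameLog parses lines of the form
//   <RFC3339 time> <frame type> src=<mac> dst=<mac>
// and skips anything that does not fit rather than aborting the batch.
func ParseFrameLog(log string) []Frame {
	var frames []Frame
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 || !strings.HasPrefix(f[2], "src=") || !strings.HasPrefix(f[3], "dst=") {
			continue
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		frames = append(frames, Frame{
			At:  at,
			Typ: f[1],
			Src: strings.TrimPrefix(f[2], "src="),
			Dst: strings.TrimPrefix(f[3], "dst="),
		})
	}
	return frames
}

// DetectDeauthFlood groups deauth frames by transmitter and slides a window
// over each group's timestamps (two-pointer sweep over the sorted times).
// A transmitter whose busiest window holds at least threshold frames is reported.
func DetectDeauthFlood(frames []Frame, window time.Duration, threshold int) []Alert {
	bySrc := map[string][]time.Time{}
	for _, fr := range frames {
		if fr.Typ == "deauth" {
			bySrc[fr.Src] = append(bySrc[fr.Src], fr.At)
		}
	}
	srcs := make([]string, 0, len(bySrc)) // stable order keeps output deterministic
	for s := range bySrc {
		srcs = append(srcs, s)
	}
	sort.Strings(srcs)
	var alerts []Alert
	for _, src := range srcs {
		ts := bySrc[src]
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		best, j := Alert{Src: src}, 0
		for i := range ts {
			for j < len(ts) && ts[j].Sub(ts[i]) <= window {
				j++
			}
			if n := j - i; n > best.Count {
				best.Count, best.Start, best.End = n, ts[i], ts[j-1]
			}
		}
		if best.Count >= threshold {
			alerts = append(alerts, best)
		}
	}
	return alerts
}

func main() {
	frames := ParseFrameLog(SampleLog)
	for _, a := range DetectDeauthFlood(frames, 10*time.Second, 10) {
		fmt.Printf("ALERT deauth flood from %s: %d frames between %s and %s\n",
			a.Src, a.Count, a.Start.Format(time.RFC3339), a.End.Format(time.RFC3339))
	}
}
```

Tune the window and threshold to the rate at which your access points legitimately deauthenticate idle clients; the sample data trips a threshold of 10 frames in 10 seconds. Detection only tells you the handshake was provoked. The mitigation the 802.11 standard provides is Protected Management Frames (802.11w), which authenticates deauthentication frames so that clients discard spoofed ones.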

Improper key management 

Sometimes the security threat from a PSK is due to improper key management by your own employees or vendors. Many users on your network have access to the pre-shared key; a disgruntled employee or vendor could access the network from their car with malicious intent. Rotating your PSKs as soon as an employee leaves the organization is essential, but it still will not cover 100% of the security breaches caused by improper key management.

An employee can also connect their personal devices to the network through the PSK, which leaves the network even more vulnerable. The PSK becomes easier to guess, and the employee's device could even introduce malware to your network.

Does rotating pre-shared keys secure the network?

PSK rotation is a process where the old encryption key is replaced by a new encryption key. If a PSK is compromised, regular rotation reduces the amount of time that the data is vulnerable; once the key rotates, the old key no longer grants access to the network. By rotating keys regularly, an organization may stay compliant with some industry standards and cryptography best practices.

What’s more, while keys are meant to be rotated periodically, organizations often fail to perform key rotations in a timely manner because they are time-consuming and cumbersome. Other organizations only rotate the Key Encryption Key (KEK) or “master key” and consider the rotation done, when they should rotate the Data Encryption Key (DEK) to boost security.

In all of these cases, while organizations may think that they are protecting their network, they leave their network vulnerable by relying on PSKs (even if they’re rotating PSKs).

Digital Certificates as a Replacement for PSKs

Shifting to certificate-based security is a foolproof method of securing your network. Certificates are a better alternative to PSKs because:

  1. They offer reduced authentication time and remove password fatigue, improving the user experience.
  2. The asymmetric cryptography of a digital certificate is exponentially more secure than the symmetric cryptography of a password or a PSK.
  3. The risk of hacking and data theft that may occur due to PSK mismanagement is eliminated.
  4. Certificates are tied to identities, so you know who and what devices are using the network.
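Item 4 above is the property that matters operationally. In EAP-TLS the RADIUS server admits a device only after checking that the certificate it presents chains to the organization's CA, is inside its validity period and was issued for client authentication; the identity it then attributes the session to lives in the certificate, not in a secret that everyone shares. The Go program below is an added example using only the standard library, not SecureW2's code or any product's implementation. It builds an in-memory CA (the CA names, the device identifier and the rogue CA are invented for the example), issues certificates, and runs the checks a RADIUS server would: the valid device certificate yields its identity, while an expired certificate, a server-only certificate and a forgery from another CA are all refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA is an in-memory issuing authority constructed for this example. A real
// deployment keeps this key in an HSM or a managed PKI, never in process memory.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed root allowed to sign device certificates.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueDeviceCert signs a certificate whose subject alternative name carries the
// device identity. A negative lifetime yields an already-expired certificate
// (used below to exercise the expiry check); eku is the purpose it is issued for.
func (ca *CA) IssueDeviceCert(deviceID string, lifetime time.Duration, eku x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: deviceID},
		DNSNames:     []string{deviceID},
		NotBefore:    time.Now().Add(-48 * time.Hour),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// AuthenticateDevice applies the checks a RADIUS server performs on the
// certificate a supplicant presents in EAP-TLS: chain to the trusted CA,
// validity period covering now, and issuance for client authentication.
// It returns the identity the network can attribute the session to.
// Revocation checking is left out of this example.
func AuthenticateDevice(trusted, presented *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return "", err
	}
	if len(presented.DNSNames) == 0 {
		return "", errors.New("certificate carries no device identity")
	}
	return presented.DNSNames[0], nil
}

func must(c *x509.Certificate, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	return c
}

func main() {
	ca := &CA{}
	ca, err := NewCA("Corp Device CA")
	if err != nil {
		panic(err)
	}
	rogue, err := NewCA("Rogue CA") // a CA the RADIUS server does not trust
	if err != nil {
		panic(err)
	}
	dev := "laptop-0042.corp.example"
	cases := map[string]*x509.Certificate{
		"valid device": must(ca.IssueDeviceCert(dev, 24*time.Hour, x509.ExtKeyUsageClientAuth)),
		"expired":      must(ca.IssueDeviceCert(dev, -2*time.Hour, x509.ExtKeyUsageClientAuth)),
		"server cert":  must(ca.IssueDeviceCert("radius.corp.example", 24*time.Hour, x509.ExtKeyUsageServerAuth)),
		"other CA":     must(rogue.IssueDeviceCert(dev, 24*time.Hour, x509.ExtKeyUsageClientAuth)),
	}
	for label, cert := range cases {
		id, err := AuthenticateDevice(ca.Cert, cert)
		fmt.Printf("%-12s identity=%q err=%v\n", label, id, err)
	}
}
```

The point the run makes is that none of the refusals depends on a secret the device knows: the forgery from the rogue CA carries the right device name and still fails, because trust is anchored in the issuing CA rather than in anything the client can copy. Offboarding a device then means revoking its certificate, which touches nothing any other device uses, whereas rotating a PSK disturbs every client on the SSID.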

Plus, if you want to qualify as a cloud service provider under FedRAMP, there is a requirement that you protect confidential data with a robust form of security. CISA and the NSA have also mandated the use of multi-factor authentication or digital certificates to protect data stored on-prem or in the cloud.

Shift to certificate-based authentication for a more secure network

We’ve reviewed why you should move away from WPA2-PSK, but you may still be reluctant to migrate to WPA-Enterprise certificate-based authentication because, well, migrating anything digital can be a pain. But we’re happy to tell you that making the move is a breeze! You can safely upgrade to a more secure network infrastructure through SecureW2’s turnkey solutions without any huge upgrades.

Once you migrate to digital certificates, you can deploy them to any MDM via our API gateways. Plus, SecureW2’s onboarding solution for MDMs offers certificate management solutions for almost every popular MDM on the market.

Ready to see how easily you can secure your network? Switch to digital certificates with SecureW2 now and get customized pricing for your organization!

Learn about this author

Anusha Harish

Anusha is a copywriter with a passion for telling stories through her writing. With a law degree and keen research skills, she writes articles to help customers make informed decisions. A movie buff and a bookworm, she can be found tucked away with a book and a cup of coffee mostly.