WPA2-PSK is Not Enough

In this day and age, employees are accessing their corporate resources wherever they can get a strong wireless signal, whether that’s a public hotspot, the office, or a friend’s apartment. Methods of authentication based on a pre-shared key (PSK) are most often found in these types of environments because they are simple to implement and only involve remembering a single password.

Wouldn’t it be nice if we had something that could make accessing WiFi anywhere even easier? With the rise of features like WiFi Sense, available in the Windows environment, you can connect to shared wireless networks without having to go through the trouble of setting up a connection or memorizing a password. You can also share your personal networks with friends and family. Seems like a win-win situation, right? Well, talk to your organization’s IT manager and they may have a different opinion.

WiFi Sense is just the latest in a series of features that should make your organization stop and take a hard look if you are still using PSK wireless security in an enterprise network. Distributing a single password for network access means placing a lot of faith in every single user to keep that password confidential. Even a single breach of the highly guarded passphrase, whether accidental or on purpose, can lead to a potentially harrowing security breach. If a malicious intruder obtains the PSK and captures the key handshake when a device joins the network, that individual can decrypt ALL of that particular device’s traffic. Resolving this problem involves changing the password not only for the employee impacted by the breach, but for ALL users on the network, placing a heavy burden on any organization’s IT department. This can be a nightmare for any network administrator, as reconfiguration of all connected devices must take place quickly in order to avoid any disruption in wireless access.

A lack of visibility into who is accessing your corporate network is another reason why you should no longer rely on PSK wireless security. Not knowing how many users or what types of devices are in your environment makes your network almost impossible to manage, and attempting to provide oversight of authorized users can be a disaster. There are only a few scenarios where PSK is a sound choice, such as a home office with a limited number of trusted users, or as a fallback for consumer devices that are not compatible with a stronger method of authentication such as 802.1X.

Setting the stage on why PSK is used is important when introducing the latest and greatest standard in use today, (::drumroll::) which is 802.1X authentication with WPA2-Enterprise encryption. Instead of using a standard password that all of your users know and are responsible for keeping secret, 802.1X allows for authentication through certificates or unique individual login credentials (think Active Directory or LDAP). Although it can be argued that implementing 802.1X is difficult due to the requirement of a RADIUS server and more stringent configuration requirements, most organizations already have the back-end infrastructure in place (a Microsoft domain, for example) that makes setting up 802.1X a breeze.
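As an added illustration that is not part of the original post or any vendor's documentation, here are the two modes side by side in hostapd.conf syntax (the Linux hostapd access-point daemon), written as two separate files; the interface name, SSID, RADIUS server address and both secrets are placeholders.

```ini
# ===== File 1: hostapd-psk.conf  (WPA2-PSK: one passphrase shared by every device) =====
interface=wlan0
# placeholder SSID
ssid=corp-wifi
hw_mode=g
channel=6
# WPA2 only (RSN), no WPA1 fallback; AES-CCMP pairwise cipher, never TKIP
wpa=2
rsn_pairwise=CCMP
wpa_key_mgmt=WPA-PSK
# The single secret every user knows. Leaking it once means rotating it for everyone.
wpa_passphrase=CHANGE-ME-shared-secret

# ===== File 2: hostapd-enterprise.conf  (WPA2-Enterprise: per-user credentials via RADIUS) =====
interface=wlan0
ssid=corp-wifi
hw_mode=g
channel=6
wpa=2
rsn_pairwise=CCMP
# Enable 802.1X port-based access control and EAP-derived keys instead of a passphrase
ieee8021x=1
wpa_key_mgmt=WPA-EAP
# Forward EAP to an external RADIUS server (e.g. NPS or FreeRADIUS backed by AD/LDAP)
# rather than terminating it on the AP
eap_server=0
# Placeholder RADIUS address (TEST-NET-1) and standard authentication port
auth_server_addr=192.0.2.10
auth_server_port=1812
# Shared only between this AP and the RADIUS server, never handed to end users
auth_server_shared_secret=CHANGE-ME-radius-secret
# Placeholder NAS identifier reported to RADIUS, useful for per-AP logging
nas_identifier=ap1.example.com
```

In the second file no client-facing secret exists to rotate: removing a departed user is a change on the RADIUS or directory side only, and every other device keeps its own session keys and stays connected.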

You may be thinking, can’t an intruder still use a brute-force or dictionary attack to crack a password and decrypt traffic? Because each device is authenticated individually before it connects, a personal tunnel is created between that device and the network, so there is no single shared password to crack. All you need is an access point and the authentication protocol of your choice and we take care of the rest. Bottom line: 802.1X authentication with WPA2-Enterprise encryption is the ONLY way to keep your wireless network safe.