When you open the list of available networks on your smartphone or laptop and select the desired name, the device begins a complex process of interaction with the router, which to the user appears as an instant connection. Authorization on a WiFi network — this is not just entering characters, but a multi-stage algorithm for checking access rights, encrypting traffic, and negotiating security parameters between the client and the access point.
Understanding how this process works is essential for anyone looking to reliably protect their home or office network from unauthorized intrusion. In this article, we'll examine in detail the mechanics of security protocols, the stages of the handshake, and the methods used by equipment to verify users.
⚠️ Attention: Security protocols are constantly evolving. If you're using outdated equipment manufactured more than 10 years ago, some modern encryption methods may be unavailable or may not work correctly.
Basic principles of identification in wireless networks
The foundation of any wireless connection is the need to distinguish a legitimate device from a foreign one. Unlike wired networks, where physical access to the cable is already a barrier, the radio channel is open to everyone within the antenna's range. This is why IEEE 802.11 The standards provide for strict authentication procedures.
The process begins with the client device scanning the airwaves and receiving beacon frames from the router. These frames contain information about supported security methods. If the network is open, access is granted immediately. If security is enabled, the next stage begins. associations and subsequent key exchange. Without successful completion of this stage, the transfer of user data is impossible.
It's important to distinguish between authentication (confirming your identity) and association (establishing a data connection). First, a device must prove to the router that it knows the secret key or has a valid certificate, and only then does the router allow it to send packets to the internet.
- 📡 Scanning: The device searches for available SSIDs and analyzes security parameters.
- 🔑 Authentication: Verification of credentials (password, certificate) on the client and server sides.
- 🔗 Association: Final establishment of a logical connection and assignment of an IP address.
Evolution of security protocols: from WEP to WPA3
The history of WiFi security has seen several eras, each offering its own authorization mechanisms. The very first standard was WEP (Wired Equivalent Privacy), which used static keys and the RC4 encryption algorithm. This method proved extremely vulnerable because the keys did not change during a session, allowing attackers to intercept traffic and deduce the password in minutes.
The standard has replaced it WPA (Wi-Fi Protected Access), and then its improved version WPA2. It is WPA2 with the algorithm AES (Advanced Encryption Standard) became the industry gold standard for many years. Unlike its predecessors, it uses dynamic encryption key rotation and a more robust message integrity verification mechanism.
The newest protocol is being implemented today WPA3, which addresses many of the vulnerabilities of previous versions, including protection against brute-force password attacks and ensuring privacy even on open networks through personalized data encryption.
What is the main weakness of WPA2?
The main vulnerability of WPA2 is KRACK (Key Reinstallation Attacks), which allow data to be intercepted when the encryption key is reinstalled, although for a home network with a strong password the risk remains low.
⚠️ Attention: Router settings interfaces may differ from manufacturer to manufacturer. Menu item names may vary, but the underlying protocols (WPA2/WPA3) remain the same.
The mechanics of the 4-way handshake
The most critical moment in the connection process is the so-called "four-way handshake." This is the process during which the client and access point confirm that they both know a shared secret key (password), but the password itself is never transmitted over the air in clear text.
Everything happens in four steps, exchanging special frames. First, the router sends a random number (ANonce) to the client. The client, knowing the password and network SSID, calculates a temporary key and sends its random number (SNonce) to the router along with a checksum. The router verifies the checksum and, if correct, sends an acknowledgement and sets the timers.
As a result of this dance, both parties independently generate identical session keys, which will be used to encrypt traffic in this specific session. If you enter an incorrect password, the process is interrupted at the checksum verification stage, and the connection is not established.
Step 1: AP -> Client (ANonce)Step 2: Client -> AP (SNonce + MIC)
Step 3: AP -> Client (GTK + MIC)
Step 4: Client -> AP (ACK)
- 🔄 PTK generation: Generate a pairwise temporary key based on a password and random numbers.
- 🛡️ MIC Check: Message integrity code verification confirms knowledge of the password.
- 🔐 Installing GTK: The group key is broadcast for broadcast traffic.
The difference between Personal (PSK) and Enterprise modes
Most home users are familiar with the diagram. WPA-Personal (or WPA2-PSK), which uses a single pre-shared key known to all network participants. This is convenient, but less secure: if one user loses a device or shares the password with someone else, everyone has to change the password.
In the corporate sector the regime is used WPA-Enterprise (802.1X). Here, authorization occurs individually for each user or device. This requires a separate authorization server (usually RADIUS). When connecting, the router acts only as an intermediary, sending the user's credentials to the server for verification.
This approach allows for the use of complex certificates, two-factor authentication, and the instant blocking of access for a specific employee without affecting the rest of the organization. This level of security is required by banks, government agencies, and large companies.
Captive Portal authorization in public places
In cafes, airports, and hotels, you often encounter an open network that, once connected, redirects your browser to a login page. This mechanism is called Captive PortalTechnically, a connection to the router has already been established, but all traffic is blocked by the filter until successful identification.
The router or wireless network controller analyzes HTTP requests from the client. If the device hasn't yet been authorized, any request is redirected to a special local address, where a login form is displayed. This form may require entering a code from an SMS, authorization via social media, or simply accepting the terms of the agreement.
It's important to understand that on such networks, data is often transmitted unencrypted between your device and the access point, even if the site uses HTTPS. An attacker on the same network could attempt a type of attack. Man-in-the-Middle.
td>Partial
| Parameter | Home network (PSK) | Enterprise (802.1X) | Public (Portal) |
|---|---|---|---|
| Access method | Single password | Login/Password or Certificate | Web form / SMS |
| Equipment | A regular router | Router + RADIUS server | Controller + Gateway |
| Isolation of clients | Full (VLAN) | Full | |
| Difficulty of implementation | Low | High | Average |
Vulnerabilities and modern protection methods
Despite the complexity of modern protocols, threats remain. One popular attack is the creation of an "Evil Twin." An attacker creates an access point with a name (SSID) identical to the legitimate network and a stronger signal. The user's device can automatically switch to it, thinking it's their home router.
At this point, an authorization attempt occurs, and if the user enters the password, it falls directly into the hands of the hacker. Protocol WPA3 implements SAE (Simultaneous Authentication of Equals) protection, which makes it impossible to intercept a handshake for subsequent offline password brute-force attacks.
Also worth mentioning is the vulnerability WPS (Wi-Fi Protected Setup). The quick connection feature, which requires a PIN or push-button, often has security holes that allow password recovery within a few hours. It is recommended to completely disable the WPS function in the router settings if you are not using it right now.
☑️ Check your network security
Practical recommendations for setting up access
To ensure maximum security for your network, it's important to configure authentication settings correctly. Start by selecting the encryption mode: use only WPA2-AES or WPA3Avoid mixed modes (TKIP/AES), as they reduce the overall speed and security of the network to the level of the weakest element.
The passphrase should be sufficiently long and complex. It is recommended to use at least 12-15 characters, including numbers and special characters. Avoid using simple dictionary words or dates of birth. It is also critical to regularly update your router firmware, as manufacturers patch vulnerabilities in the software responsible for processing handshake packets.
If you have guests, use the guest network feature. This will create an isolated network segment through which guests can access the internet but won't be able to scan your local network or access network-attached storage (NAS) devices or printers.
What should I do if my device can't connect to the network?
First, check that you entered the password correctly, taking into account the case of the letters. If the password is correct, try "forgetting the network" in the WiFi settings on your device and reconnecting. Sometimes, rebooting the router or temporarily disabling MAC filtering, if configured, helps.
Is it possible to hack WPA3?
Currently, the WPA3 protocol is considered extremely secure. Theoretical attacks are only possible with physical access to the device or using very weak passwords in Transition Mode, but brute-force cracking of the encryption is virtually impossible.
Why is MAC filtering needed?
This is a whitelisting method that allows access only to devices with specific physical addresses. However, this is weak protection, as MAC addresses are easily spoofed (cloned). Use this as a supplemental measure, not as a primary one.