0. Wireless Security Protocols - Overview

Wireless security protocols are essential frameworks and technologies used to protect data transmitted over wireless networks. They provide mechanisms for ensuring confidentiality, integrity, and authentication of wireless communications. Over time, as technology and hacking techniques have evolved, so too have wireless security protocols, from early, flawed standards like WEP to advanced, robust solutions like WPA3. This overview introduces the key wireless security protocols and how they protect wireless networks.

0.1 Importance of Wireless Security Protocols

Wireless security protocols are crucial for securing Wi-Fi networks, ensuring that only authorized devices can access the network, and protecting data from being intercepted or tampered with. Without these protocols, networks are vulnerable to attacks, such as eavesdropping, data theft, and unauthorized access.

• Confidentiality: Ensures that transmitted data remains private and cannot be read by unauthorized parties.
• Integrity: Protects data from being altered during transmission.
• Authentication: Verifies that devices trying to connect to the network are authorized.

0.2 Key Wireless Security Protocols

Several wireless security protocols have been developed to protect wireless networks. These protocols differ in encryption methods, key management, and resistance to attacks. The most common wireless security protocols are:

• WEP (Wired Equivalent Privacy): An outdated and insecure protocol that has been replaced by more advanced protocols.
• WPA (Wi-Fi Protected Access): Introduced to address the flaws in WEP, offering better security through TKIP (Temporal Key Integrity Protocol).
• WPA2 (Wi-Fi Protected Access 2): A significant improvement over WPA, using AES encryption for stronger security.
• WPA3 (Wi-Fi Protected Access 3): The latest and most secure protocol, offering features like Simultaneous Authentication of Equals (SAE) and forward secrecy.
• 802.1X: A framework used for enterprise-level security, providing strong authentication mechanisms for wireless networks.
• OWE (Opportunistic Wireless Encryption): A protocol designed for encrypting open (public) Wi-Fi networks without passwords.

0.3 Evolution of Wireless Security Protocols

Wireless security protocols have evolved in response to increasing threats and vulnerabilities discovered in earlier protocols. Below is a brief timeline of key protocols:

• 1997 - WEP: Introduced as part of the original 802.11 standard but quickly found to have significant weaknesses.
• 2003 - WPA: Released as an interim solution with better encryption and key management features.
• 2004 - WPA2: Fully replaced WPA, introducing AES encryption for higher security.
• 2018 - WPA3: Brought significant improvements, addressing vulnerabilities in WPA2 and adding modern security features.

The transition from WEP to WPA and then WPA2/WPA3 reflects the need for stronger security in the face of evolving attacks on wireless networks.

0.4 Threats Addressed by Wireless Security Protocols

Wireless networks face a range of security threats, which these protocols are designed to mitigate:

• Eavesdropping: Attackers intercept and read unencrypted data.
• Man-in-the-Middle (MITM) Attacks: Attackers insert themselves between two devices to intercept or alter communication.
• Replay Attacks: Attackers capture and retransmit data packets to impersonate a legitimate device.
• Brute-Force Attacks: Attackers attempt to guess passwords or keys to gain access to the network.
• De-authentication Attacks: Attackers force devices to disconnect from the network by sending spoofed de-authentication frames.

Wireless security protocols address these threats through encryption, authentication, and key management techniques, ensuring that only authorized users can access the network and that transmitted data remains protected.

0.5 Best Practices for Using Wireless Security Protocols

To maximize the security of wireless networks, it's essential to follow best practices when configuring and using wireless security protocols:

• Use WPA3: Whenever possible, use WPA3 as it offers the highest level of security.
• Strong Passwords: Ensure that networks using WPA2-Personal or WPA3-Personal have strong, unique passwords to protect against brute-force attacks.
• Disable WEP and WPA: Older protocols like WEP and WPA should be avoided due to known vulnerabilities.
• Keep Firmware Updated: Regularly update router and device firmware to protect against newly discovered vulnerabilities.
• Use 802.1X for Enterprise Networks: For enterprise-level networks, use WPA3-Enterprise or WPA2-Enterprise with 802.1X to ensure that each device is individually authenticated.

1. Evolution of Wi-Fi Security

In addition to WPA, WPA2, and WPA3, there are other wireless security protocols that have played significant roles in the evolution of Wi-Fi security. These protocols vary in strength, encryption methods, and vulnerabilities. In this section, we'll discuss several protocols not covered in previous sections, including WEP, 802.1X, and OWE.

1.1 Wired Equivalent Privacy (WEP)

WEP (Wired Equivalent Privacy) was one of the earliest security protocols for wireless networks. It aimed to provide a similar level of security as wired networks, but it was quickly found to be insecure due to weaknesses in its encryption methods and key management.

• Initial Release: 1997, as part of the original IEEE 802.11 standard.
• Encryption Standard: Uses RC4 stream cipher with a 40-bit or 104-bit encryption key.
• IV (Initialization Vector): A 24-bit IV was used, but the short length made it vulnerable to replay attacks.

1.1.1 Vulnerabilities of WEP

WEP is widely regarded as insecure today due to several key vulnerabilities:

• Key Reuse: WEP uses static encryption keys, making it easy for attackers to capture and analyze enough packets to decipher the key.
• Short IV: The 24-bit IV used in WEP can repeat within a short period, allowing attackers to predict key streams and decrypt traffic.
• Weak Encryption: The RC4 cipher used in WEP is vulnerable to known attacks, particularly related to how keys are generated and reused.

Due to these weaknesses, WEP is considered obsolete and should not be used in modern networks.

1.2 802.1X Authentication

802.1X is an IEEE standard used for network access control, providing authentication for devices seeking to join a network. It is widely used in conjunction with WPA2 and WPA3-Enterprise for enterprise-grade wireless security. Unlike WEP and WPA-Personal, which rely on shared keys, 802.1X provides individual authentication for each device.

• Components: The three key components of 802.1X authentication are the supplicant (client device), authenticator (e.g., Wi-Fi access point), and authentication server (e.g., RADIUS server).
• Authentication Protocols: Commonly used with EAP (Extensible Authentication Protocol) methods such as EAP-TLS, EAP-TTLS, or PEAP (Protected EAP).

1.2.1 EAP-TLS (Extensible Authentication Protocol-Transport Layer Security)

EAP-TLS is one of the most secure authentication methods under 802.1X. It uses public key infrastructure (PKI) for mutual authentication between the client and the server.

• Mutual Authentication: Both client and server must present digital certificates for authentication, ensuring a highly secure connection.
• Encryption: Uses TLS encryption for data transmitted between the client and the server.
• Complex Implementation: Requires a certificate authority (CA) for issuing and managing certificates, making it more complex to implement than PSK-based systems.

1.2.2 EAP-TTLS (Tunneled Transport Layer Security)

EAP-TTLS is a more flexible version of EAP-TLS that allows the use of legacy authentication methods (such as username/password) within a secure TLS tunnel.

• Flexible Authentication: Supports a variety of authentication methods inside the TLS tunnel.
• Server Certificate Only: Unlike EAP-TLS, only the server requires a digital certificate, making deployment simpler for clients.

1.3 Opportunistic Wireless Encryption (OWE)

Opportunistic Wireless Encryption (OWE) is a relatively new security protocol designed for open networks where no password is required. OWE automatically encrypts data between the client and the access point, providing confidentiality and protecting users from eavesdropping on public Wi-Fi networks.

• No Password Required: OWE secures open networks without requiring a shared password or key.
• Automatic Encryption: Encrypts communication between the client and access point using Diffie-Hellman key exchange.
• Protection for Public Networks: Ensures that data transmitted over public networks (such as in cafes or airports) is protected, even though the network is "open."

1.3.1 How OWE Works

OWE relies on Diffie-Hellman key exchange to establish an encrypted connection between the client and the access point. Each client gets a unique encryption key, ensuring that traffic between clients is isolated and protected.

• Client-Specific Keys: Each device gets its own encryption key, preventing other devices on the same open network from intercepting traffic.
• Secure Encryption: Uses strong cryptographic algorithms to ensure data confidentiality.

OWE is particularly useful in public Wi-Fi scenarios where traditional WPA2 or WPA3 might not be feasible due to the requirement of passwords.

1.4 Wi-Fi Protected Setup (WPS)

Wi-Fi Protected Setup (WPS) was introduced to simplify the process of connecting devices to a secure wireless network, especially for home users. WPS allows users to connect devices by pressing a button on the router or entering a PIN, without needing to manually enter the wireless network password. However, it has known security vulnerabilities.

• Purpose: Simplify the process of connecting devices to a WPA2 or WPA3 network.
• PIN-Based Method: Devices can be connected by entering an 8-digit PIN generated by the router.
• Push-Button Method: Users can press a button on the router to allow devices to join the network without entering the password.

1.4.1 WPS Vulnerabilities

Despite its convenience, WPS has several security weaknesses that make it vulnerable to brute-force attacks:

• PIN-Based Vulnerability: The 8-digit PIN used in WPS is easily brute-forced because the first 4 digits and last 4 digits are verified separately, significantly reducing the number of possible combinations.
• Security Recommendation: WPS should be disabled on modern routers to prevent unauthorized access through brute-force attacks.

1.5 Robust Security Network (RSN)

RSN is a security protocol designed for IEEE 802.11 networks, providing the framework for establishing secure wireless communication using modern encryption standards like AES and dynamic key management protocols. It forms the basis for WPA2 and WPA3.

• RSN Information Element (RSN IE): Defines the security features available on the network, including encryption algorithms and authentication methods.
• Dynamic Key Management: RSN supports dynamic key exchange, such as the four-way handshake used in WPA2 and WPA3.
• Support for AES: RSN mandates the use of strong encryption, such as AES, for securing data transmissions.

1.5.1 Four-Way Handshake in RSN

The four-way handshake is a key exchange protocol used in RSN to establish encryption keys between the client and the access point. This ensures that each session has a unique encryption key, improving security and preventing eavesdropping or replay attacks.

• Session Keys: The handshake generates unique encryption keys for each session.
• Replay Protection: Includes a nonce to prevent replay attacks where attackers attempt to reuse previously transmitted data.

2. WPA

Wireless security protocols are essential to ensure the confidentiality, integrity, and availability of data transmitted over wireless networks. One of the key protocols in wireless security is WPA (Wi-Fi Protected Access).

2.1 Overview of WPA

WPA (Wi-Fi Protected Access) was introduced in 2003 as a security protocol to address the vulnerabilities found in WEP (Wired Equivalent Privacy). It was designed to offer enhanced protection through stronger encryption methods and better authentication mechanisms.

• Initial Release: 2003
• Purpose: Secure wireless communication by improving on WEP's flaws
• Encryption Standard: Uses TKIP (Temporal Key Integrity Protocol) initially

2.2 Key Components of WPA

2.2.1 Temporal Key Integrity Protocol (TKIP)

TKIP was introduced to replace WEP's weak encryption mechanisms. It dynamically generates new encryption keys for each data packet, preventing attacks that exploit static keys.

• Dynamic Key Generation: Each packet gets a unique encryption key.
• 48-bit IV (Initialization Vector): Longer IVs prevent replay attacks.
• Message Integrity Check (MIC): Detects tampering with data packets.

2.2.2 802.1X Authentication

WPA also introduced 802.1X authentication, which provides an additional layer of protection by requiring each device to authenticate before joining the network.

• Authentication Server: Communicates with a RADIUS (Remote Authentication Dial-In User Service) server for centralized authentication.
• Supplicant: The client (e.g., a laptop or smartphone) requesting access.
• Authenticator: Typically the wireless access point controlling the access.

2.3 WPA vs WPA2

While WPA was a significant improvement over WEP, it was designed as an interim solution until a more robust protocol, WPA2, could be developed. WPA2 replaced TKIP with AES-based CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol), offering stronger encryption and integrity checks.

• WPA: Uses TKIP for encryption, with 802.1X or Pre-shared key (PSK) authentication.
• WPA2: Introduces AES (Advanced Encryption Standard) and CCMP, providing better security and performance.
• Compatibility: WPA2 is backward compatible with WPA, but WPA should be avoided in favor of WPA2 for stronger security.

2.4 WPA Security Features

2.4.1 Encryption and Key Management

WPA uses dynamic key management to ensure that each session's data is encrypted with a unique key. This prevents attackers from gaining access to data by using the same key across multiple packets.

TKIP is the encryption protocol in WPA. It includes:

• Per-Packet Key Mixing: Ensures different encryption keys for each packet.
• Rekeying Mechanism: Regularly updates session keys to prevent key reuse.

2.4.2 Message Integrity Check (MIC)

The MIC feature in WPA verifies that the data has not been tampered with during transmission. This ensures data integrity by calculating a checksum and verifying it at the receiving end.

2.4.3 Protection Against Replay Attacks

WPA's 48-bit IV and dynamic key generation mechanisms prevent replay attacks, where an attacker intercepts and reuses old messages.

2.5 WPA Vulnerabilities and Attacks

While WPA greatly improved security, it is still vulnerable to certain types of attacks:

• TKIP Weaknesses: TKIP has known vulnerabilities, particularly against cryptographic attacks.
• Dictionary Attacks: If PSK (Pre-shared Key) is used, weak passwords can be exploited by attackers using dictionary attacks.

2.5.1 TKIP-Based Attacks

Because TKIP was designed as a temporary fix, it still has some weaknesses, such as susceptibility to key recovery attacks. These attacks exploit flaws in how TKIP handles rekeying and key mixing.

2.5.2 WPA Cracking Techniques

Common attacks against WPA involve brute-force or dictionary attacks on the PSK. If the password is weak, attackers can capture the handshake between the client and the access point, then attempt to decrypt it offline.

2.6 Transition to WPA2

Given the vulnerabilities in WPA, WPA2 is recommended for modern networks. It uses stronger encryption (AES) and provides better protection against many types of attacks, including those targeting WPA's TKIP mechanism. WPA2 is widely adopted and is now considered the minimum standard for secure wireless communications.

3. WPA2

WPA2 (Wi-Fi Protected Access 2) is the successor to WPA and was introduced in 2004. It is designed to provide stronger security for wireless networks by improving upon the vulnerabilities and weaknesses found in WPA. WPA2 uses more advanced encryption standards and offers robust protection for modern wireless communications.

3.1 Key Features of WPA2

WPA2 introduces several key enhancements over WPA, particularly in the areas of encryption and authentication.

• Encryption Standard: WPA2 mandates the use of AES (Advanced Encryption Standard) for encrypting data, replacing TKIP used in WPA.
• Integrity Protection: WPA2 employs CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol) for data integrity and confidentiality.
• Backward Compatibility: WPA2 can support devices running WPA to ensure compatibility.

3.2 Key Components of WPA2

3.2.1 AES Encryption

AES (Advanced Encryption Standard) is a symmetric encryption algorithm used in WPA2. It offers strong protection by using 128-bit, 192-bit, or 256-bit keys, making it resistant to brute-force attacks.

• Block Cipher: AES encrypts data in 128-bit blocks, providing fast and secure encryption.
• Key Length: Supports multiple key sizes (128-bit, 192-bit, 256-bit) for varying levels of security.
• Advanced Security: Considered secure for both consumer and enterprise-level use.

3.2.2 CCMP Protocol

CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol) is the encryption protocol used in WPA2. It is based on AES and provides both confidentiality (by encrypting data) and integrity (by verifying that data has not been altered).

• Confidentiality: Ensures that data remains private through AES encryption.
• Integrity: Prevents unauthorized tampering by verifying data using a Message Authentication Code (MAC).
• Nonce-Based: Each packet includes a nonce to prevent replay attacks.

3.3 WPA2 Authentication Methods

3.3.1 WPA2-Personal (Pre-Shared Key, PSK)

WPA2-Personal is designed for home and small office networks, where a pre-shared key (PSK) is used for authentication. The same key is shared by all devices on the network, simplifying the authentication process but introducing potential security risks if the key is weak or shared with untrusted users.

• Authentication Method: Pre-shared key (PSK).
• Encryption Key: The PSK is used to derive the encryption keys.
• Security Risk: Vulnerable to brute-force or dictionary attacks if the PSK is weak.

3.3.2 WPA2-Enterprise (802.1X Authentication)

WPA2-Enterprise is used in enterprise environments where stronger, more scalable authentication is required. It uses 802.1X authentication in combination with an external RADIUS server to authenticate each user individually.

• Authentication Method: 802.1X with EAP (Extensible Authentication Protocol).
• Authentication Server: A RADIUS server manages the authentication process.
• User-Specific Access: Each user has unique credentials, preventing unauthorized access if one user's credentials are compromised.

3.4 WPA2 Security Features

3.4.1 Advanced Encryption with AES

WPA2’s use of AES ensures that all data is encrypted with a secure, government-grade encryption standard. AES is significantly more secure than the TKIP protocol used in WPA.

3.4.2 Replay Protection

CCMP in WPA2 includes replay protection by using a nonce for each packet. The unique nonce prevents attackers from capturing and replaying packets to gain unauthorized access or disrupt the network.

3.4.3 Strong Data Integrity

By using a Message Authentication Code (MAC), WPA2 ensures that each packet’s integrity is checked, making it difficult for attackers to tamper with data without detection.

3.5 WPA2 Vulnerabilities and Attacks

Despite its improved security, WPA2 is not immune to attacks, particularly in poorly configured networks or with weak passwords.

• Dictionary Attacks on WPA2-Personal: If a weak PSK is used, attackers can capture the four-way handshake and use a dictionary or brute-force attack to crack the key.
• KRACK Attack (Key Reinstallation Attack): In 2017, a vulnerability was discovered in the WPA2 handshake process, allowing attackers to manipulate key installations and intercept traffic. Although patches were released, unpatched systems remain vulnerable.
• RADIUS Misconfiguration in WPA2-Enterprise: Improperly configured RADIUS servers can expose the network to attacks, allowing unauthorized users to gain access.

3.5.1 WPA2-PSK Attacks

Attackers often exploit weak passwords in WPA2-PSK (Personal) networks. By capturing the four-way handshake between the device and access point, an attacker can attempt to crack the key offline. Using strong, complex passwords significantly reduces the risk of this type of attack.

3.5.2 KRACK Attack

KRACK (Key Reinstallation Attack) takes advantage of a flaw in WPA2's four-way handshake process, allowing attackers to reinstall encryption keys. This can result in traffic decryption, packet injection, and data manipulation. While patches have been released, networks must be updated to prevent this attack.

3.6 WPA3: The Successor to WPA2

In response to the vulnerabilities found in WPA2, WPA3 was introduced in 2018 as the next-generation wireless security protocol. WPA3 addresses the weaknesses in WPA2, particularly in the areas of password security and protection against brute-force attacks.

• Simultaneous Authentication of Equals (SAE): A more secure key exchange mechanism that replaces the PSK method, reducing the risk of dictionary attacks.
• Forward Secrecy: WPA3 provides forward secrecy, ensuring that even if an encryption key is compromised, past sessions remain secure.
• Protected Management Frames (PMF): WPA3 mandates the use of PMF, protecting network management traffic from interception and tampering.

4. WPA3

WPA3 (Wi-Fi Protected Access 3) is the latest security protocol for wireless networks, introduced in 2018 by the Wi-Fi Alliance. It addresses the vulnerabilities of WPA2 and brings significant improvements to the security and privacy of wireless communications, particularly for modern devices and networks. WPA3 is designed to provide more robust protections, even when users use weak passwords or when attackers attempt to exploit known vulnerabilities in previous protocols.

4.1 Key Enhancements in WPA3

WPA3 introduces several new security features that significantly improve the safety and privacy of wireless communications:

• Simultaneous Authentication of Equals (SAE): A new key exchange protocol that replaces the Pre-Shared Key (PSK) method used in WPA2.
• Forward Secrecy: Prevents attackers from decrypting past communications, even if they obtain future session keys.
• Protected Management Frames (PMF): Mandatory in WPA3, providing enhanced protection against eavesdropping and spoofing of management traffic.
• Enhanced Protection for Public Networks: WPA3 provides individualized data encryption, even in open networks without passwords.

4.2 Key Features of WPA3

4.2.1 Simultaneous Authentication of Equals (SAE)

SAE is a secure password-based authentication protocol introduced in WPA3. It replaces the PSK mechanism of WPA2 and uses a more robust key exchange process, making it much harder for attackers to crack the encryption, even with weak passwords.

• Resists Brute-Force Attacks: SAE prevents dictionary attacks by limiting the number of guesses attackers can make when attempting to crack the password.
• Key Exchange Security: SAE uses a Diffie-Hellman-like key exchange to ensure that both parties generate a unique, shared key for each session.
• Personal Devices Security: WPA3-Personal networks leverage SAE to protect against offline password-cracking attempts.

4.2.2 Forward Secrecy

Forward Secrecy ensures that the compromise of a session key does not compromise the confidentiality of past communications. Even if an attacker obtains the session key used in a specific communication session, they cannot decrypt data from previous sessions.

• Protection Against Retrospective Decryption: Past communications remain safe, even if current keys are exposed.
• Ensures Long-Term Data Security: Each session key is unique, limiting the impact of key theft.

4.2.3 Protected Management Frames (PMF)

WPA3 mandates the use of Protected Management Frames (PMF), ensuring that important management communications, such as network disassociation or de-authentication requests, are encrypted and authenticated.

• Prevents Spoofing: Protects users from de-authentication and disassociation attacks, where attackers force clients off the network.
• Improves Network Stability: Ensures that management traffic is securely transmitted, reducing the risk of interference.

4.3 WPA3 Modes

4.3.1 WPA3-Personal

WPA3-Personal is designed for home and small office environments, providing more secure authentication methods and protection against password-based attacks.

• Password-Based Authentication: Uses SAE for secure key exchange, even with weak passwords.
• Enhanced Password Security: Prevents offline dictionary attacks, as the authentication handshake cannot be easily captured for brute-force attempts.

4.3.2 WPA3-Enterprise

WPA3-Enterprise is designed for use in enterprise environments where large-scale wireless security is required. It provides enhanced protection for sensitive data and offers additional security configurations.

• Authentication with 802.1X: Uses EAP (Extensible Authentication Protocol) and an external RADIUS server for user authentication.
• 192-bit Security Suite: WPA3-Enterprise supports an optional 192-bit security mode, offering stronger encryption and integrity checks for highly sensitive data, making it suitable for government and industrial applications.

4.4 WPA3 Security Features

4.4.1 Enhanced Open (Wi-Fi without Passwords)

WPA3 introduces "Enhanced Open," which provides encryption for open networks (networks without passwords). It uses Opportunistic Wireless Encryption (OWE) to automatically encrypt communications between the device and the access point, offering better privacy in public Wi-Fi environments like cafes and airports.

• Individualized Data Encryption: Encrypts traffic between the user device and the access point, even without a password.
• Seamless for Users: No need for users to enter a password, but still benefits from encrypted data transmission.

4.4.2 Improved Device Security

WPA3 improves security for devices with limited or no display interfaces, such as IoT (Internet of Things) devices. The protocol simplifies secure network onboarding for such devices.

• Device Provisioning Protocol (DPP): Simplifies and secures the process of adding devices to a WPA3 network, replacing the often insecure WPS (Wi-Fi Protected Setup).
• IoT Security: Offers more secure methods for connecting smart devices, such as cameras, thermostats, and smart locks, to Wi-Fi networks.

4.5 WPA3 Vulnerabilities and Attacks

While WPA3 offers significant improvements in security, some vulnerabilities have been discovered since its introduction.

• Dragonblood Attack: In 2019, researchers discovered vulnerabilities in WPA3's SAE (Simultaneous Authentication of Equals) key exchange mechanism, dubbed "Dragonblood." These vulnerabilities could allow attackers to carry out side-channel and brute-force attacks. Patches have since been released to mitigate these vulnerabilities.
• Implementation Weaknesses: As with any security protocol, the way WPA3 is implemented in different devices and software can introduce vulnerabilities. Regular firmware updates are necessary to maintain security.

4.5.1 Dragonblood Vulnerability

Dragonblood refers to a set of vulnerabilities discovered in WPA3's SAE handshake. These weaknesses allow attackers to perform downgrade attacks, where they force devices to use weaker WPA2 protocols, or side-channel attacks that could reveal the password used during the key exchange.

• Side-Channel Attack: Exploits flaws in SAE's password-based key exchange to gain information about the password.
• Downgrade Attack: Forces devices to fall back to WPA2, which may be more vulnerable to known attacks.
• Fixes and Patches: Firmware updates have been released to address Dragonblood vulnerabilities, and it is essential to keep devices updated.

4.6 WPA3 vs WPA2

WPA3 offers several improvements over WPA2, addressing many of the weaknesses found in the older protocol. However, both protocols remain widely used today.

• WPA3: Uses SAE for password authentication, provides forward secrecy, and mandates PMF, offering more security than WPA2.
• WPA2: Still widely used but relies on PSK and is more vulnerable to brute-force and KRACK attacks.
• Recommendation: WPA3 is recommended for new networks, but WPA2 is often still supported for backward compatibility.