WPA
Wi-Fi Protected Access
The 2003 emergency replacement for broken WEP — using TKIP (Temporal Key Integrity Protocol) to fix WEP's IV reuse and forgery flaws while running on existing hardware. WPA was always a stopgap; it is now deprecated. Use WPA2-AES or WPA3 instead.
When WEP was publicly broken in 2001, the Wi-Fi Alliance needed a rapid fix that could be deployed via firmware updates to existing hardware — the full WPA2 redesign (IEEE 802.11i) was still years away. WPA with TKIP was the result: it kept RC4 as the cipher but added three critical improvements over WEP. Per-packet key mixing derived a unique encryption key for each packet, preventing IV reuse. The Michael MIC (Message Integrity Code) detected packet forgery. A sequence counter blocked replay attacks. These improvements made WPA vastly better than WEP — but TKIP's reliance on RC4 remained a long-term liability.
WPA vs WEP vs WPA2
| Property | WEP | WPA (TKIP) | WPA2 (CCMP) |
|---|---|---|---|
| Cipher | RC4 | RC4 + TKIP | AES-128 |
| Key management | Static key | Per-packet key mixing | CCMP key hierarchy |
| Integrity check | CRC-32 (forgeable) | Michael MIC | CBC-MAC |
| IV size | 24-bit | 48-bit | 48-bit (PN) |
| Status | Broken | Deprecated (2012) | Secure (recommended minimum) |
| Hardware requirement | Original 802.11 | WEP hardware (firmware) | New AES hardware needed |
WPA-Personal vs WPA-Enterprise
WPA-Personal (PSK) uses a single pre-shared passphrase for all devices. Simple, but sharing one key across all users means a single compromise requires changing the key for everyone. WPA-Enterprise (802.1X) authenticates each user individually via a RADIUS server — username/password or client certificate. Each session gets unique encryption keys derived from the authentication exchange. Enterprise mode is the standard for corporate and university Wi-Fi: individual credential revocation, per-user traffic isolation, and no shared secret to leak. The distinction between Personal and Enterprise modes applies to WPA, WPA2, and WPA3.
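Which generation, cipher and mode an access point still advertises can be read from the security elements in its beacon. The following is an added example, not code from the original page: it parses the RSN element and the older WPA vendor element and flags any that still offer TKIP. The function names and the sample bytes are constructed for illustration, and it assumes each element carries its group, pairwise and AKM fields.

```python
import struct

# Suite selector = 3-byte OUI + 1-byte type. The WPA vendor element uses OUI
# 00:50:F2 and the RSN element 00:0F:AC; the type numbers below are shared.
OUIS = {bytes.fromhex("0050f2"), bytes.fromhex("000fac")}
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "Enterprise (802.1X)", 2: "Personal (PSK)"}
# Constructed sample: SSID "test", then an RSN and a WPA element (mixed mode).
SAMPLE_MIXED = bytes.fromhex(
    "000474657374"
    "30180100000fac020200000fac04000fac020100000fac020000"
    "dd160050f20101000050f20201000050f20201000050f202")


def _name(sel, names):
    return names.get(sel[3], "other") if sel[:3] in OUIS else "other"


def _suites(body, off, names):
    """Read a little-endian 2-byte count, then that many 4-byte selectors."""
    (count,) = struct.unpack_from("<H", body, off)  # struct.error if truncated
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated suite list")
    return [_name(body[i:i + 4], names) for i in range(off + 2, end, 4)], end


def audit_elements(ies):
    """Return one finding per WPA/RSN element in a beacon's tagged elements."""
    findings, pos = [], 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + length]
        pos += 2 + length
        if eid == 48:                                    # RSN element (WPA2 and later)
            proto = "RSN"
        elif eid == 221 and body[:4] == bytes.fromhex("0050f201"):
            proto, body = "WPA", body[4:]                # vendor element, type 1
        else:
            continue
        if len(body) < 6:                                # version(2) + group(4)
            raise ValueError("truncated security element")
        group = _name(body[2:6], CIPHERS)
        pairwise, off = _suites(body, 6, CIPHERS)
        akm, _ = _suites(body, off, AKMS)
        tkip = group == "TKIP" or "TKIP" in pairwise
        findings.append({"proto": proto, "group": group, "pairwise": pairwise,
                         "akm": akm, "deprecated": proto == "WPA" or tkip})
    return findings
```

For `SAMPLE_MIXED`, both findings come back with `deprecated` set: the RSN element lists CCMP but keeps TKIP as a pairwise and group cipher, which is the mixed-mode configuration to look for when retiring WPA.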
Frequently Asked Questions
Why was WPA introduced if it still used RC4?
WPA was an emergency fix for existing WEP hardware via firmware update — WPA2 (AES) wasn't ready yet. TKIP improved on WEP by adding per-packet key mixing, the Michael MIC, and a sequence counter, while reusing RC4 hardware. It was a pragmatic stopgap, never intended as a permanent solution.
Is WPA still secure enough to use?
No. TKIP was broken by the Beck-Tews attack (2008) and the Ohigashi-Morii attack (2009). The Wi-Fi Alliance deprecated TKIP in 2012; IEEE deprecated WPA in 2014. If your router only offers WPA, it's too old — replace it. Use WPA2-AES at minimum, and WPA3 where supported.
What is WPA-Enterprise vs WPA-Personal?
Personal (PSK): one shared passphrase for all devices — simple, used at home. Enterprise (802.1X): individual credentials per user via a RADIUS server, unique session keys, per-user revocation. Enterprise is standard for corporate and university Wi-Fi. The distinction applies equally to WPA2 and WPA3.