Wi-Fi Protected Access (Compact 2013)


Wi-Fi Protected Access (WPA) is a wireless security standard that is based on a subset of the IEEE 802.11i standard. WPA, when used with the Temporal Key Integrity Protocol (TKIP) and the Michael Message Integrity Check (MIC) algorithm, increases the security of wireless networks over the previous standard, the Wired Equivalent Privacy (WEP) algorithm.


During development of the Institute of Electrical and Electronics Engineers (IEEE) 802.11i wireless networking standard, wireless vendors agreed on an interoperable interim standard known as Wi-Fi Protected Access (WPA). WPA has been superseded by Wi-Fi Protected Access 2.

Security in WPA

The Wi-Fi Alliance, a nonprofit association, created WPA security to offer greater security than the Wired Equivalent Privacy (WEP) algorithm provides. Unlike WEP's hexadecimal key, WPA uses a standard password system. Although WPA offers protection from most intrusions, the Wi-Fi Alliance now recommends that users switch to Wi-Fi Protected Access 2, the latest standards-based wireless security solution derived from the IEEE 802.11i standard. Since 2006, hardware manufacturers that use the Wi-Fi trademark must support Wi-Fi Protected Access 2 (WPA2).

WPA Implementation

The following table shows the security technologies that are included in the WPA wireless security standard.

Security technology


WPA Authentication

WPA requires the use of 802.1x authentication.

For wireless networks without a Remote Authentication Dial-In User Service (RADIUS) infrastructure, WPA supports the use of a pre-shared key. For wireless networks with a RADIUS infrastructure, Extensible Authentication Protocol (EAP) and RADIUS are supported.

WPA Key Management

WPA requires the re-keying of both unicast and global encryption keys. For the unicast encryption key, the TKIP changes the key for every frame, and the change is synchronized between the wireless client and the wireless access point (AP). For the global encryption key, WPA enables the wireless AP to advertise the changed key to the connected wireless clients.

Temporal Key Integrity Protocol (TKIP)

WPA requires encryption by using TKIP. TKIP replaces WEP with an encryption algorithm that is stronger than the WEP algorithm but uses the calculation technologies present on existing wireless devices to perform encryption operations. TKIP also provides the following services:

  • Verification of the security settings after the encryption keys are determined
  • Synchronized changing of the unicast encryption key for each frame
  • Determination of a unique starting unicast encryption key for each pre-shared key authentication


WPA supports the Michael security algorithm. This algorithm calculates an 8-byte Message Integrity Code (MIC) by using the calculation technologies available on existing wireless devices. The MIC is placed between the data portion of the IEEE 802.11 frame and the 4-byte integrity check value (ICV). The MIC field is encrypted together with the frame data and the ICV.

Michael also provides replay protection by including a new frame counter in the IEEE 802.11 frame that is used to prevent replay attacks.

AES Support

WPA defines the use of Advanced Encryption Standard (AES) as an additional replacement for WEP encryption. Because AES support may not be added to existing wireless devices through a firmware update, support for AES is optional and is dependent on vendor driver support.

See Also


Wi-Fi Protected Access Authentication
Wi-Fi Protected Access 2

Other Resources