WiFi is the most secure and the least secure network technology there is. Or is it that WiFi is the easiest to implement and the hardest to implement? Or perhaps that WiFi is the most user-friendly and the least user-friendly network technology?

In my opinion, all of the statements above are true. If implemented correctly, WiFi is the most secure network technology there is (well, let us compare it to common WWAN networks such as cellular, WiMAX, etc and 802.3 wired networks). A discussion on this topic could fill up a book, so we will just take it for granted ☺.

However, there is a price to pay for security. The most secure, 802.11 WPA2-Enterprise (802.1X port based security) offers the highest level of security. It requires managing and easy access to both infrastructure as well as end client devices to work, though. It requires appropriate network infrastructure. And it requires time and qualified personnel for implementation and maintenance.

On the other hand, there is an option of an open (in the full sense of the word) network with WiFi. An end user just clicks on the available open network and gets connected. Even “better”, most operating systems will kindly offer the option to remember the network, so when the end user connects again (turns the PC back on) he will be connected to the network automagicaly.

There is also an option of using WPA2-PSK (I will not cover WEP and WPA security protocol in this blog entry) with TKIP and AES encryption. While AES encryption is preferable and “more” secure, 128 bit TKIP (RC4 based) has not yet been broken. From the encryption standpoint WPA2-PSK can only be broken by dictionary attacks (short, simple passphrases). When using strong passphrase, WPA2-PSK is unbreakable to date. The problem with WPA2-PSK is that anybody that wants to connect to the network has to have the passphrase. This is okay for SOHO networks, but presents a big challenge to enterprise networks (has to be changed regularly, difficult to prevent passphrase leaking, etc.). Once potential attackers get hold of the passphrase, all they have to do is to capture the 4 way handshake and they can begin decrypting data in real time).

If we apply this to the verticals we can see that the WPA2-PSK is good for SOHO verticals, WPA2-enterprise for big government, enterprise networks and open and unprotected access is good for nothing (this authors humble opinion). Do not confuse captive portal in combination with open access a security feature because it is not. Note that with 802.1X another problem occurs. The ability to maintain connectivity when roaming gets compromised, especially maintaining real time applications such as VoIP. While with normal WPA2-PSK a client roams within 50ms the roaming with 802.1X is much longer.

So what about schools, hotels (the whole hospitality sector), smaller hot-spot operators, restaurants, bars, and even small to middle sized business? Implementing 802.1X to these verticals is both pricy and impractical. Providing WPA2-PSK is not enough. What about secure fast roaming?

Enter the WPA2-PPSK.

PPSK stands for Personal Pre-Shared Key or Private Pre-Shared Key. This technology is implemented by two vendors, Ruckus Wireless (as Dynamic-PSK™) and Aerohive Networks (Private Pre-Shared Key™).

So what it does is combine the security of 802.1X (not quite but close enough) and the simplicity and performance of WPA2-PSK. If WPA2-PSK had to be shared among everybody in the network and thus creating a single point of attack, the PPSK allows for a unique passphrase of every end client (device and/or user) in the network. Therefore, if the passphrase is compromised, attackers have to locate the end user/client (first difficulty) and capture correct 4-way handshake to be able to decrypt the data payload. But they do so only for this unique client.

PPSK, while based on the standard, is a proprietary (different) implementation of two companies, Aerohive Networks and Ruckus Wireless and have some similarities and differences. A little birdy told me that because the PPSK (in generic term) has been patented that there could be some legal battle between the two concerning PPSK. If it turns out to be true, this would be a shame.

Ruckus Wireless implements its Dynamic PSK in combination with their Zero IT technology. First time users connect to a wired port and authenticates via captive portal with their unique login credentials. The credentials are checked against ZoneDirector (controller) or AAA server. Once authenticated, the user downloads the temporary applet to their PC, Mac, iPhone, etc. Dynamic PSK creates a 63 byte encryption key (unique for each user) while Zero IT application configures the client device for the WLAN network. Once finished, the end client device is tied with this unique key and ZoneDirector (Dynamic PSK authenticates user machine and not the user. If user authentication is mandatory, there is a second step available, the Web Authentication). The beauty of ZeroIT method is that the end user is unaware of the passphrase and cannot compromise it by conventional methods.

If the end device is not supported by the ZeroIT (Linux, terminal devices, etc), the dynamic keys can be created in batches and stored to a spreadsheet for manual configuration. Dynamic keys have a configurable life time. When they expire, the whole process must be repeated.

In my experience, ZeroIT is more suitable for enterprise and education as initial configuration still has to be performed. With batch key creating, the key can be given to the end customer on receipt (bars, restaurants…) or on a coupon (hospitality sector).

Aerohive implementation of PPSK is similar. While they do not have the automatic provisioning available they do have few features unavailable with Ruckus Wireless: manual setting of expiration of individual PSK, automatic mailing of generated keys to single user or bulk users, role based PSK (dynamic VLAN, Firewall, Tunneling and QoS policies).

Which is better? I do not know. Each has its advantages but both are unique in WLAN world and are a great option for authentication when 802.1X and WPA2-PSK just don’t cut. Here is the comparison chart of WPA2-PPSK for convenience: