
RezaH

@nrockv01.md.comcast.

WPA TKIP or AES?

I've read a couple articles about WPA, and they don't seem to mention which is the better. My router gives the option for TKIP or AES. Which is more secure/doesn't slow down the transfer rate as much?



DoC_DaR

join:2004-05-22
Middleburg, FL

Linksys WRT54GS v2.0 stats show that AES has 0 overhead where TKIP and WEP both take a toll. This would be because WEP and TKIP are software driven and AES is hardware driven. Also AES is said to be more secure but TKIP is also very secure.



flw
Security Is Like An Onion, It Has Layers
Premium
join:2004-01-04

said by DoC_DaR:

Linksys WRT54GS v2.0 stats show that AES has 0 overhead where TKIP and WEP both take a toll. This would be because WEP and TKIP are software driven and AES is hardware driven. Also AES is said to be more secure but TKIP is also very secure.
Even in unencrypted packets there is overhead. AES (is not a wifi standard). I assume you mean either WPA2 or WPA-PSK, and WEP/TKIP both have overhead. WPA2 requires a lot more processing power due to this, which is why most AP units cannot be software upgraded, as they cannot handle the overhead and encryption/decryption.

MOST OVERHEAD: So for overhead, WPA-Radius or WPA-PSK has the most overhead, which is why it requires a more powerful AP processor/chipsets and memory.

LEAST OVERHEAD: WEP has the least overhead, even with TKIP as an upgraded key management protocol.

Due to current speeds of hardware, overhead is much less noticeable to the user than in the past. This is unless you're doing large file transfers regularly or video streaming.

Even then, depending on your type of connection to the Internet, the weakest link (slowest link) of all the above may make all this a moot point, since your speed on the net is slowed down below your internal network speed. Then it would make no difference at all.

Now which is more secure, that is simple.

1. WPA w/Radius Server
2. WPA w/pre-shared key
3. WEP w/any add-on security features turned on.

Note:

1. All must be configured properly or the list can change.
2. WEP uses RC4, a very fast stream cipher from RSA, and TKIP.
3. WPA2 or 802.11i uses several methods from AES-CCMP and TKIP. See below for more.

From: »www.openxtra.co.uk/

WPA2

The length of the IV has been increased from 24bits to 48bits. Rollover of the counter is eliminated. Reuse of keys is less likely.

In addition IVs are now used as a sequence counter, the TSC (TKIP Sequence Counter), protecting against replaying of data, a major vulnerability in WEP.

Weak IV values are susceptible to attack; WPA avoids using known weak IV values. A different secret key is used for each packet, and the way the key is scrambled with the secret key is more complex.

Master Keys are never used directly in WPA, unlike WEP. A hierarchy of keys is used, all derived from the Master. Cryptographically this is a much more secure practice.

Secure key management is built-in to WPA, so key management isn't an issue with WPA like WEP.

Message integrity checking is ineffective in WEP. WPA uses a Message Integrity Check (MIC) called Michael! Due to the hardware constraints the check has to be relatively simple. In theory there is a one in a million chance of guessing the correct MIC. In practice any changed frames would first need to pass the TSC and have the correct packet encryption key even to reach the point where Michael comes into operation. As further security Michael can detect attacks and performs countermeasures to block new attacks.
--
"Keep your friends close and your enemies even closer" »www.byronil.org


DoC_DaR

join:2004-05-22
Middleburg, FL

Let me clarify. I am aware of the fact that overhead exists in all PC communication. See the OSI model for true clarification. What I was referring to was a speed test on a wrt54g router where aes (wpa2-psk) had 0 additional overhead when compared to no security in the same router. 15% overhead when using wep and 17% overhead when using tkip (wpa-psk). This is due to wpa2 being hardware driven. The most secure, as you stated, requires more hardware and configuration than most will set up at home.



DoC_DaR

join:2004-05-22
Middleburg, FL

Got wep wrong. Wep penalty is 10%, wpa-psk tkip 17%, wpa-psk aes is virtually 0. See »www.tomsnetworking.com/Reviews-1···GS-8.php The original question only asked wpa-psk aes or tkip. This is my answer to that question.



janderso1
Jim
Premium,MVM
join:2000-04-15
Saint Petersburg, FL
reply to RezaH

AES is more secure. I don’t know what the relative overhead is.
--
Jim Anderson


Tom Mc

join:2004-06-17
reply to RezaH

AES appears the most secure.

I don't know about local file sharing (which I choose not to do), but for Internet downloading with my Road Runner cap of 5mbs, there has been no loss of speed using AES on my P4M 2.0ghz laptop.



flw
Security Is Like An Onion, It Has Layers
Premium
join:2004-01-04
reply to RezaH

Seems many are hung up on AES vs WPA, which is not comparable. Why? Because the cipher type and strength is only one of several aspects that lead to overhead and strength of any complete protocol for wifi.

You need to compare WEP VS WPA VS WPA2/802.11i. This includes various different cipher types, key handling methods, different authentication methods, and some with completely different hardware requirements as well as possible add on hardware (like a Radius Server either part of the AP or separate server).

The comparison above is like comparing a bone from one of your toes with your entire body. Not apple to apple but apple to a leaf.

AES is not more secure than WEP. AES is a stronger cipher than RC4, plain and simple. That's an apples to apples comparison.


Tom Mc

join:2004-06-17
reply to RezaH

In my WRT54G router (and I suspect many (or most) others), the options are WEP or WPA, with WPA having two sub-options of TKIP and AES. So, I think this is why people generally ask the reasonable question of which is better: TKIP or AES; it is widely understood that WPA is better than WEP. In reference to such questions, the answer is AES.


pepperxn

join:2001-02-21
reply to RezaH

AES is more secure. AES is done using hardware, while TKIP is done using software, so there's less overhead using AES. How secure is AES? The NSA uses AES for top secret files. They have to use at least AES-128 for secret information, and at least AES-192 (to 256) for top secret information. It's that secure.

WPA TKIP was taken from a snapshot of the incomplete 802.11i standard. In the final 802.11i standard (also called WPA2) AES is used.



DaDogs
Semper Vigilantis
Premium
join:2004-02-28
Deltaville, VA

said by pepperxn:

AES is more secure. AES is done using hardware, while TKIP is done using software, so there's less overhead using AES. How secure is AES? The NSA uses AES for top secret files. They have to use at least AES-128 for secret information, and at least AES-192 (to 256) for top secret information. It's that secure.

WPA TKIP was taken from a snapshot of the incomplete 802.11i standard. In the final 802.11i standard (also called WPA2) AES is used.
The issue that many people have with AES is the fact that NSA designed the cipher. I am not one of those people.

It is also worth pointing out that NSA uses other "proprietary" ciphers when it feels that is required.
--
How can I improve my WiFi signal?

Tom Mc

join:2004-06-17

said by DaDogs:

The issue that many people have with AES is the fact that NSA designed the cipher. I am not one of those people.

It is also worth pointing out that NSA uses other "proprietary" ciphers when it feels that is required.
The NSA did not design AES. See »tinyurl.com/a8buv


DaDogs
Semper Vigilantis
Premium
join:2004-02-28
Deltaville, VA

said by Tom Mc:

said by DaDogs:

The issue that many people have with AES is the fact that NSA designed the cipher. I am not one of those people.

It is also worth pointing out that NSA uses other "proprietary" ciphers when it feels that is required.
The NSA did not design AES. See »tinyurl.com/a8buv
What do you know? I should have studied up on that one. I guess it is not authorized for classified information either as was claimed elsewhere in this thread.
--
How can I improve my WiFi signal?


Nerdtalker
Working Hard, Or Hardly Working?
Premium,MVM
join:2003-02-18
Tucson, AZ

said by DaDogs:

I guess it is not authorized for classified information either as was claimed elsewhere in this thread.
I'm not sure about how recently updated that page is. It says 2001 at the bottom.

said by »www.cnss.gov/Assets/pdf/cnssp_15_fs.pdf :

(6) The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use.
I'm pretty sure the NSA approved it sometime in 2003.
--
"Some people never see the light till it shines thru bullet holes." -Bruce Cockburn

I'm testing Gmail's spam filters: Broadbandreports1@gmail.com
Spam: 8800+ messages currently using 268 MB (11%) of my 2442 MB

B
Premium,MVM
join:2000-10-28

It was a whole publicly held contest among cryptographers -- I think the eventual product was to be called AES regardless of the actual cipher that won.

Schneier gave some interesting running commentary during the contest, even though his own entry eventually lost. Just Google it or hit »www.schneier.com . The current AES is actually "Rijndael".

-- B
--
In a realm outside causality and function


DabberDan

join:2004-11-15
Canada

1 edit

The built in WIFI adapter in my laptop has this choice from a list: WPA2 Personal / AES-CCMP.

This would indicate that I'm able to do 802.11i right?
»www.techweb.com/encyclopedia/def···AES-CCMP

Is it safe to assume that consumer products at the moment are able to do 802.11i?

At the moment, I have my ISP's modem that has an integrated WIFI router. It has WPA /AES as an option, but I cannot make it work. Plus, the ISP only supports WEP. My plan is to buy a consumer WIFI router that enables 802.11i... this make sense?



jeisenberg
New Year's Eve

join:2001-07-06
Windsor, ON
Reviews:
·Cogeco Voip

said by DabberDan:

The built in WIFI adapter in my laptop has this choice from a list: WPA2 Personal / AES-CCMP.

This would indicate that I'm able to do 802.11i right?
»www.techweb.com/encyclopedia/def···AES-CCMP

Is it safe to assume that consumer products at the moment are able to do 802.11i?

At the moment, I have my ISP's modem that has an integrated WIFI router. It has WPA /AES as an option, but I cannot make it work. Plus, the ISP only supports WEP. My plan is to buy a consumer WIFI router that enables 802.11i... this make sense?
The whole encryption issue is independent of the ISP and the modem - so there's no such thing as saying "the ISP only supports WEP". Encryption is something that is implemented between the Access Point (be it an AP or a wireless router) and the wireless node. The encryption is designed to make the radio signal difficult to intercept and decode. By the time the signal gets to the modem/ISP equipment, it is already in the form of packets. The packets may be "in the clear" or encrypted with SSL or other security protocols - but this is independent of the WEP/WPA/WPA2/AES jargon that is associated with WIFI.

In general, when determining what protocols and security levels are supported at your end, that is based on the version of the hardware and firmware of your router, AP, and wireless node. That information is usually available from the vendor's site, or from knowledgeable users in forums such as these.

B
Premium,MVM
join:2000-10-28


I interpreted him or her to be saying that his or her ISP would only provide tech support, on that modem/router/AP supplied by the ISP, for users of the WEP protocol, and no other security features of that ISP-owned device.

Which, if true, is insane, on the ISP's part.

-- B
--
In a realm outside causality and function



jeisenberg
New Year's Eve

join:2001-07-06
Windsor, ON
Reviews:
·Cogeco Voip

said by B:

I interpreted him or her to be saying that his or her ISP would only provide tech support, on that modem/router/AP supplied by the ISP, for users of the WEP protocol, and no other security features of that ISP-owned device.

Which, if true, is insane, on the ISP's part.

-- B
I wasn't aware that ISPs provided any equipment beyond the point of the modem. But I agree that ISPs generally do not provide support for wireless setups unless you get a tech that does it out of the goodness of his/her heart.

B
Premium,MVM
join:2000-10-28


I know a lot of the DSL modems now have wired router/switches, so it's not too surprising if there are wireless models too. They call them "residential gateways".

All I know in this case is that the poster wrote "I have my ISP's modem that has an integrated WIFI router."

-- B
--
In a realm outside causality and function



jeisenberg
New Year's Eve

join:2001-07-06
Windsor, ON
Reviews:
·Cogeco Voip

said by B:

I know a lot of the DSL modems now have wired router/switches, so it's not too surprising if there are wireless models too. They call them "residential gateways".

All I know in this case is that the poster wrote "I have my ISP's modem that has an integrated WIFI router."

-- B
Upon re-reading, you appear correct - that the ISP has provided a gateway which integrates the modem and router functions. In this case, my initial advice (to check for hardware version and firmware upgrades from the vendor site) still is relevant. I would be surprised (unless the router is an 802.11b vintage) if it only supported WEP.

And if the ISP is indeed offering gateway devices, then I would imagine the ISP would be required to support all valid security settings.

Perhaps DabberDan could identify his ISP and gateway model/firmware???

DabberDan

join:2004-11-15
Canada

1 edit

said by jeisenberg:

said by B:

I know a lot of the DSL modems now have wired router/switches, so it's not too surprising if there are wireless models too. They call them "residential gateways".

All I know in this case is that the poster wrote "I have my ISP's modem that has an integrated WIFI router."

-- B
Upon re-reading, you appear correct - that the ISP has provided a gateway which integrates the modem and router functions. In this case, my initial advice (to check for hardware version and firmware upgrades from the vendor site) still is relevant. I would be surprised (unless the router is an 802.11b vintage) if it only supported WEP.

And if the ISP is indeed offering gateway devices, then I would imagine the ISP would be required to support all valid security settings.

Perhaps DabberDan could identify his ISP and gateway model/firmware???
Wow, just got in at work this morning and saw a lot of replies. Here goes...

My ISP is Sympatico (Bell). The device is a modem with an integrated Wifi router (4 ports). I was using 802.11g to connect to it. Tiny box that sits on my desk at the moment.

It's a custom thing. When I log into the administration console, it's not like the other routers that I have played with. The interface has Bell logos and rather than having defined sections, it has hyperlinked questions that bring you to the specific section. (ie. How do I see if my network is working? How do I change my network settings?) It's definitely geared for beginners.

At the moment, I have no idea what the firmware or model it is. I know the firmware info is available. However, I'm not sure about the model.

The device supports both WEP and WPA. But when I called tech support, they said that they only supported WEP (even though the device also does WPA).

So, I decided to still use WPA and AES. However, I can't connect to the router if it's set up in that fashion. I have to put it at the other option (TKI?). My plan is to get rid of it and buy a Linksys for example.

My other question was that my Intel® PRO/Wireless 2915ABG driver has WPA2 Personal / AES-CCMP available. Can I assume that if the router does AES that this will work? So far, I have the impression I should ditch my Intel software and use the one provided by Windows?


jeisenberg
New Year's Eve

join:2001-07-06
Windsor, ON
Reviews:
·Cogeco Voip

4 edits

said by DabberDan:

My other question was that my Intel® PRO/Wireless 2915ABG driver has WPA2 Personal / AES-CCMP available. Can I assume that if the router does AES that this will work? So far, I have the impression I should ditch my Intel software and use the one provided by Windows?
Since WPA2 (802.11i) is backward compatible with WPA (802.11g), the wireless card should talk to the router provided both are configured for WPA/Personal or WPA2/Personal (I'm assuming you don't have access to a server, so "Personal" is the correct choice for setup) using a common passphrase.

I'll also hazard a guess that the wireless card may have the option to set up as a WPA/Personal protected node. If such a choice is available, compatibility to the gateway device would be easier to maintain.

Edited to add link to relevant guides

Some research indicates that the Siemens Speedstream 6300 is most likely the modem/router you are using. Documentation for configuration of the modem using the web interface can be downloaded using a link found on this other thread in broadband reports:

»Efficient Networks Forum FAQ

In addition to the Siemens guide above, Intel has an update published 8/23/2005 for your Intel® PRO/Wireless 2915ABG adapter, providing you are using Windows 2000 or newer operating system. Here's the link for that new software...

»downloadfinder.intel.com/scripts···tID=1784

DabberDan

join:2004-11-15
Canada

said by jeisenberg:

said by DabberDan:

My other question was that my Intel® PRO/Wireless 2915ABG driver has WPA2 Personal / AES-CCMP available. Can I assume that if the router does AES that this will work? So far, I have the impression I should ditch my Intel software and use the one provided by Windows?
Since WPA2 (802.11i) is backward compatible with WPA (802.11g), the wireless card should talk to the router provided both are configured for WPA/Personal or WPA2/Personal (I'm assuming you don't have access to a server, so "Personal" is the correct choice for setup) using a common passphrase.

I'll also hazard a guess that the wireless card may have the option to set up as a WPA/Personal protected node. If such a choice is available, compatibility to the gateway device would be easier to maintain.

Edited to add link to relevant guides

Some research indicates that the Siemens Speedstream 6300 is most likely the modem/router you are using. Documentation for configuration of the modem using the web interface can be downloaded using a link found on this other thread in broadband reports:

»Efficient Networks Forum FAQ

In addition to the Siemens guide above, Intel has an update published 8/23/2005 for your Intel® PRO/Wireless 2915ABG adapter, providing you are using Windows 2000 or newer operating system. Here's the link for that new software...

»downloadfinder.intel.com/scripts···tID=1784
Efficient, I should have known... Knowing this, I'm assuming that I'd still be better off with a Linksys (or any other manufacturer) wireless router right? The only reason I'm saying this is because I cannot run WPA2/Personal/AES on my laptop at the moment.

I looked at the user manuals that you provided. Even in the manual, they mention AES as an option, but nothing in regards to its configuration.

As for the Intel drivers, I updated them a few weeks ago. I have the latest version. What do folks in here do in regards to their wireless driver, use the Windows one or the chipset manufacturer's driver?

When creating a new connection to a WAP, I have the choice of WPA/Personal and WPA2/Personal with TKI? and AES-CCMP. I wasn't able to find the protected node option anywhere (driver and software).

Thank you for your help!


jeisenberg
New Year's Eve

join:2001-07-06
Windsor, ON
Reviews:
·Cogeco Voip

said by DabberDan:

When creating a new connection to a WAP, I have the choice of WPA/Personal and WPA2/Personal with TKI? and AES-CCMP. I wasn't able to find the protected node option anywhere (driver and software).

Thank you for your help!
When I said "protected node", I was referring to a wireless node, protected by encryption. It was not meant to describe one of the encryption options.

If you have the choice of WPA or WPA2, choose WPA. That is the method that is supported by both pieces of your equipment.

B
Premium,MVM
join:2000-10-28

2 edits
reply to jeisenberg

said by jeisenberg:

Since WPA2 (802.11i) is backward compatible with WPA (802.11g), the wireless card should talk to the router
Nitpick: that contrast is unfortunate... 802.11i and 802.11g, as I'm sure you know, are not comparable. The former is known as "WPA2" and is intended to replace WEP and improve on enterprise utility for WPA. The latter is merely a 54 Mbps wireless protocol that may itself be set to use 802.11i for encryption and authentication.

»www.wi-fiplanet.com/news/article.php/3373441

-- B

P.S. You probably just meant "compatible with WPA (as one might find in an older 802.11g router or access point)"
--
In a realm outside causality and function


jeisenberg
New Year's Eve

join:2001-07-06
Windsor, ON
Reviews:
·Cogeco Voip

said by B:

said by jeisenberg:

Since WPA2 (802.11i) is backward compatible with WPA (802.11g), the wireless card should talk to the router
Nitpick: that contrast is unfortunate... 802.11i and 802.11g, as I'm sure you know, are not comparable. The former is known as "WPA2" and is intended to replace WEP and improve on enterprise utility for WPA. The latter is merely a 54 Mbps wireless protocol that may itself be set to use 802.11i for encryption and authentication.

»www.wi-fiplanet.com/news/article.php/3373441

-- B

P.S. You probably just meant "compatible with WPA (as one might find in an older 802.11g router or access point)"
You are correct - I was referring to compatibility with the prior WPA standard. Reference to the 802.11 g/i was in reference to the equipment the user had - and which encryption methods were available to them.

jaygajay

join:2005-09-27

2 edits
reply to RezaH

So somebody just get to the point already. WPA or WPA2 or WPA2-Auto. Then secondly TKIP or AES and last but not least with PSK or EAP. There are 12 combinations here. Which one of them is the worst and which one is the best.

1) WPA TKIP PSK
2) WPA TKIP EAP
3) WPA AES PSK
4) WPA AES EAP

5) WPA2 TKIP PSK
6) WPA2 TKIP EAP
7) WPA2 AES PSK
8) WPA2 AES EAP

9) WPA2-Auto TKIP PSK
10) WPA2-Auto TKIP EAP
11) WPA2-Auto AES PSK
12) WPA2-Auto AES EAP

And what if you don't have a RADIUS server?


DavidJWood
Premium
join:2001-10-12
UK

1 recommendation

If you have a RADIUS server, configure the RADIUS server appropriately and use EAP. If you don't have a RADIUS server suitable for WPA, you have to use PSK, so use PSK.

If all devices support WPA2, use WPA2 (which implies AES). If some devices support WPA2 and some WPA, use WPA2-Auto (if I understand correctly that that is the mixed mode). If no devices support WPA2, use WPA.

If all devices support AES, use AES, otherwise use TKIP.

In other words, EAP is preferred over PSK, WPA2 over WPA2-Auto over WPA, and AES over TKIP. However, there may be characteristics of some wireless equipment that prohibit the use of preferred settings.

I have an appropriately configured RADIUS server, so I use EAP. My AP and one wireless device only support WPA TKIP, so that's what I'm using.

It must be emphasised that there's not, at this time, believed to be any exploit for WPA-PSK using TKIP if the PSK has sufficient entropy (more than 20 characters, not made up of dictionary words). The only known attack is a dictionary attack, which applies to all PSK forms of WPA and WPA2.

The threshold to enable EAP is high - acquiring and configuring a RADIUS server is not for beginners. Some wireless AP equipment contains a built in RADIUS server, but this is rare.

MAC filtering, disabling SSID broadcasts, disabling or restricting a DHCP server and the use of small subnets are all flawed as far as contributing to wireless security goes. In each case, they may bring significant inconvenience, management overhead and/or the risk of malfunction. Properly configured WPA is sufficient to ensure security.

The strongest wireless security at this time is probably WPA2 AES using an EAP method involving a physical token containing security features such as a smartcard. However, smartcard based authentication outside large corporate systems is extremely rare; the use of digital certificates that do not involve smartcards or similar is more common. Both my VPN and wireless network RADIUS setups use certificates (I'm using EAP-TLS for the wireless network).

David
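
As an added illustration of David's point about PSK entropy (example code, not from anyone in this thread): WPA and WPA2-Personal derive the 256-bit Pairwise Master Key from the passphrase and the SSID with PBKDF2-HMAC-SHA1 over 4096 rounds, so a guessing attack has to repeat that work for every candidate passphrase, and the only thing that defeats it is a passphrase no wordlist will contain. The checker below flags passphrases that fall short of the "more than 20 characters, no dictionary words" guidance; the tiny word list, the 80-bit threshold and the sample passphrases are assumptions constructed for the demo.

```python
import hashlib
import math
import re

# Constructed, deliberately tiny word list for the demo. A real check would
# load a full dictionary/wordlist (assumption made for this example).
COMMON_WORDS = {"password", "letmein", "welcome", "wireless", "linksys", "admin"}

# Assumed target: a character-class entropy estimate below this is reported.
MIN_ENTROPY_BITS = 80


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).

    The SSID acts as the salt, so the same passphrase yields a different PMK on
    every network, and each candidate guess costs 4096 HMAC-SHA1 operations.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def estimate_entropy_bits(passphrase: str) -> float:
    """Rough upper bound: length * log2(size of the character pool actually used)."""
    pool = 0
    if re.search(r"[a-z]", passphrase):
        pool += 26
    if re.search(r"[A-Z]", passphrase):
        pool += 26
    if re.search(r"[0-9]", passphrase):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", passphrase):
        pool += 33  # printable ASCII punctuation and space
    return len(passphrase) * math.log2(pool) if pool else 0.0


def check_psk(passphrase: str) -> list[str]:
    """Return the ways a passphrase misses the thread's guidance; empty list means it passes."""
    findings = []
    if len(passphrase) <= 20:
        findings.append("shorter than 21 characters")
    lowered = passphrase.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            findings.append(f"contains dictionary word '{word}'")
    if estimate_entropy_bits(passphrase) < MIN_ENTROPY_BITS:
        findings.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return findings


if __name__ == "__main__":
    # "password"/"IEEE" is the PMK test vector from the 802.11i annex.
    print(derive_pmk("password", "IEEE").hex())
    for candidate in ("password", "Tq7#vLm2!xR9pWz4&bN6kD3e"):
        print(candidate, "->", check_psk(candidate) or "ok")
```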


DabberDan

join:2004-11-15
Canada

2 edits

Okay, I was checking things out on the home front and here's what I have:

- 802.11g router that has WPA-PSK with AES encryption.
- Wifi adapter using manufacturer drivers that shows AES-CCMP as an option

I don't have a choice to use WPA-TKIP because if I use WPA-CCMP I cannot connect to the router. I will try the built in Windows driver to see if I get different results.

*Edit*
I tried the Windows client and it worked. WPA-AES that is. I read/heard that Windows client is better than the manufacturer's client??