Wednesday, March 15, 2017

Wi-Fi Security: Should You Use WPA2-AES, WPA2-TKIP, or Both?

On our Comcast Xfinity router, WPA2-PSK (TKIP), WPA2-PSK (AES), and WPA2-PSK (TKIP/AES) are all different options. Choose the wrong option and you’ll have a slower, less-secure network.
The last option — both TKIP and AES — was the default on our router. That’s actually a bad choice, but just understanding the options requires some knowledge of Wi-Fi encryption standards.

AES vs. TKIP

encryption that can be used by a Wi-Fi network. TKIP stands for “Temporal Key Integrity Protocol.” It was a stopgap encryption protocol introduced with WPA to replace the very-insecure WEP encryption at the time. TKIP is actually quite similar to WEP encryption. TKIP is no longer considered secure, and is now deprecated. In other words, you shouldn’t be using it.
AES stands for “Advanced Encryption Standard.” This was a more secure encryption protocol introduced with WPA2, which replaced the interim WPA standard. AES isn’t some creaky standard developed specifically for Wi-Fi networks; it’s a serious worldwide encryption standard that’s even been adopted by the US government. For example, when you encrypt a hard drive with TrueCrypt, it can use AES encryption for that. AES is generally considered quite secure, and the main weaknesses would be brute-force attacks (prevented by using a strong passphrase) and security weaknesses in other aspects of WPA2.
The “PSK” in both names stands for “pre-shared key” — the pre-shared key is generally your encryption passphrase. This distinguishes it from WPA-Enterprise, which uses a RADIUS server to hand out unique keys on larger corporate or government Wi-Fi networks.

WPA Uses TKIP and WPA2 Uses AES, But…

In summary, TKIP is an older encryption standard used by the old WPA standard. AES is a newer Wi-Fi encryption solution used by the new-and-secure WPA2 standard. In theory, that’s the end of it. But, depending on your router, just choosing WPA2 may not be good enough.
While WPA2 is supposed to use AES for optimal security, it also has the option to use TKIP for backward compatibility with legacy devices. In such a state, devices that support WPA2 will connect with WPA2 and devices that support WPA will connect with WPA. So “WPA2” doesn’t always mean WPA2-AES. However, on devices without a visible “TKIP” or “AES” option, WPA2 is generally synonymous with WPA2-AES.

Wi-Fi Security Modes Explained



Confused yet? We’re not surprised. But all you really need to do is hunt down the one, most secure option in the list. For example, here are the options our Comcast Xfinity router provides:
  • Open (risky): Open Wi-Fi networks have no passphrase. You shouldn’t set up an open Wi-Fi network — seriously, you could have your door busted down by police.
  • WEP 64 (risky): The old WEP encryption standard is vulnerable and shouldn’t be used. Its name, which stands for “Wired Equivalent Privacy,” now seems like a joke.
  • WEP 128 (risky): WEP with a larger encryption key size isn’t really any better.
  • WPA-PSK (TKIP): This is basically the standard WPA, or WPA1, encryption. It’s been superseded and isn’t secure.
  • WPA-PSK (AES): This chooses the older WPA wireless protocol with the more modern AES encryption. Devices that support AES will almost always support WPA2, while devices that require WPA1 will almost never support AES encryption. This option makes very little sense.
  • WPA2-PSK (TKIP): This uses the modern WPA2 standard with older TKIP encryption. This isn’t secure, and is only a good idea if you have older devices that can’t connect to a WPA2-PSK (AES) network.
  • WPA2-PSK (AES): This is the most secure option. It uses WPA2, the latest Wi-Fi encryption standard, and the latest AES encryption protocol. You should be using this option. On devices with less confusing interfaces, the option marked “WPA2” or “WPA2-PSK” will probably just use AES, as that’s a common-sense choice.
  • WPAWPA2-PSK (TKIP/AES) (recommended): Our Comcast Xfinity router recommends this free-for-all option. This enables both WPA and WPA2 with both TKIP and AES. This provides maximum compatibility with any ancient devices you might have, but also ensures an attacker can breach your network by cracking the lowest-common-denominator encryption scheme. This TKIP+AES option may also be called WPA2-PSK “mixed” mode.

Devices Manufactured Since 2006 Must Support AES

WPA2 certification became available in 2004, ten years ago. In 2006, WPA2 certification became mandatory. Any device manufactured after 2006 with a “Wi-Fi” logo must support WPA2 enctyption. That’s now eight years ago!
Your Wi-Fi enabled devices are probably newer than 8-10 years old, so you should be fine just choosing WPA2-PSK (AES). Select that option and then you can see if anything doesn’t work. If a device does stop working, you can always change it back — although you may just want to buy a new device manufactured at any time in the last eight years.

WPA and TKIP Will Slow Your Wi-Fi Down


WPA and TKIP compatability options can also slow your Wi-Fi network down. Many modern Wi-Fi routers that support 802.11n and newer, faster standards will slow down to 54mbps if you enable WPA or TKIP in their options. They do this to ensure they’re compatible with these older devices.
In comaprison, even 802.11n supports up to 300mbps — but, generally, only if you’re using WPA2 with AES. Theoretically, 802.11ac offers theoretical maximum speeds of 3.46 Gbps under optimum (read: perfect) conditions.
In other words, WPA and TKIP will slow a modern Wi-Fi network down. It’s not all about security!
wifi logo

On most routers we’ve seen, the options are generally WEP, WPA (TKIP), and WPA2 (AES) — with perhaps a WPA (TKIP) + WPA2 (AES) compatibility mode thrown in for good measure.
If you do have an odd sort of router that offers WPA2 in either TKIP or AES flavors, choose AES. Almost all your devices will certainly work with it, and it’s faster and more secure. It’s an easy choice, as long as you can remember AES is the good one.

No comments:

Post a Comment