12.22.05

Which wireless encryption to choose

Posted in Article at 11:30 am by Techie

In this article, I don’t want to go in depth; I just want to answer the basic question: Which wireless encryption should I use? Even as more and more people are setting up wireless connectivity for their networks, few realize the additional security risk they are adding. This is further compounded by the different choices that are available — can the average user, given the documentation that comes with their wireless router, understand the difference between the different protocols as well as the consequences of their choices? Probably not.

The first step to setting up wireless is admitting that there is a problem with letting people onto your network. Chances are, if you copy files between computers, send email, instant message, or browse the web, you generally want to presume that such information is private. While to the average user this might seem to be the case when on a network, even a modestly tech-savvy individual knows this is not true.

Wireless networking compounds this issue by making it possible for anyone with a wireless card to access your network. The way to keep random people off your network is with security, and this is where encryption comes in. Unfortunately, wireless networking rolled out on the consumer end first, which made it a test bed for the security measures it implemented. This resulted in flawed implementations at the start.

Take WEP for instance. If this is your only option, then use it. If, for instance, your network contains 802.11b cards, you refuse to upgrade, and you’re dead set on getting everything wirelessly networked, you might as well enable it. Just don’t harbor any illusions that your network is secure. It’s not. As most implementations of WEP can be cracked in just minutes, this only adds a layer of nuisance — hopefully your neighbor down the road has an unsecured network that people will use instead. WEP: It’s better than nothing, but just barely.

Enter WPA. Finally, wireless hardware companies realized that security just might be important for sharing your home network wirelessly with the neighborhood. WPA was designed to address WEP’s vulnerabilities, and thus, WPA-TKIP was born. Unfortunately, WPA was built upon the WEP infrastructure, so while WPA-TKIP is much more secure than WEP, for a variety of reasons it is not entirely secure either and suffers from some other potential vulnerabilities. Most wireless hardware released today supports WPA-TKIP. If you have to choose between only WEP and WPA-TKIP, it’s a no-brainer: pick WPA-TKIP.

However, there is currently a third option: WPA2. WPA2-AES is currently the strongest and most secure encryption you can readily get on the consumer level. Realizing the flaws of the previous two protocols, network engineers went back to the drawing board, developing a secure protocol from the ground up. If this is an option, then definitely use it. Another option I sometimes see is WPA2-AES+TKIP — this is for backwards compatibility, mixing support for both WPA-TKIP and WPA2-AES. If you have to support legacy WPA-TKIP hardware, then this is an option; just be aware that you’ll be allowing all the vulnerabilities of WPA-TKIP onto your network. You’ve been warned.

Oh, you might see “PSK” thrown around a lot when discussing wireless encryption. That just stands for Pre-Shared Key. Chances are you’re using it, regardless of which encryption you pick. (How else would you authorize computers onto your wireless network?) If you’re consumer-level, you should probably also ignore RADIUS — that’s an authentication server run by some corporations, and most likely, you’re not running it.

So there you go, the quick rundown. If you can use WPA2-AES, use it, and rest easy (for now). WPA2-AES+TKIP is okay, but definitely not as good as WPA2-AES. WPA-TKIP will do if those aren’t available, but does have some vulnerabilities. Only as a last resort should you use WEP, as it provides only marginal security. Hopefully, no vulnerabilities will be found in WPA2-AES for some time.

12 Comments »

  1. James Shand said,

    July 21, 2006 at 2:34 pm

    Thank you, thank you, thank you!!!!! I purchased my first wireless router, and the encryption instructions were, (to me), encrypted!!!. Your article was direct, answered my questions perfectly and gave me the information I need to set up my wireless network. Keep up the good work. Jim Shand

  2. Blinded By Tech » Verizon’s Dangerous Internet Setup said,

    July 28, 2006 at 10:23 am

    [...] Wireless networking uses WEP. This one is unacceptable. Wireless networking is on, with encryption set to WEP. I believe they might have set a WEP key, with the key printed on a sticker on the bottom of the unit, but WEP must die. It’s not secure. It only gives the illusion of security to the less tech-savvy. WPA was available, but not WPA2. (Read why I care.) [...]

  3. stormy said,

    August 28, 2006 at 4:39 am

    thanks so much for d info.. straight 2 the point n easily understood… :) keep up good work.. finally got my WiFI secured with the max security available.. WPA2-PSK.. :) danke very much..

  4. Oscar said,

    November 6, 2007 at 7:36 pm

    Since PSK is mentioned, it should also be mentioned that weak PSKs are susceptible to dictionary attacks.

    If you really want a secure wi-fi network with PSK authentication, you need to use a PSK of at least 12 characters, preferably 20 characters or more. Also don’t use any words that might be found in word lists (or combinations of such words).
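
An added example, not part of Oscar's comment or the original article: a Python check that applies the guidance in comment 4 (at least 12 characters, preferably 20 or more, no word-list words or combinations of them) to a candidate passphrase. It also shows the standard WPA/WPA2-PSK key derivation, where the key is a fixed function of passphrase and SSID; the word list, sample passphrases and function names are constructed for illustration.

```python
import hashlib
import re

# Constructed sample word list; a real audit would load a large dictionary file.
WORDLIST = {"password", "wireless", "network", "home", "router", "secure", "linksys"}

MIN_LEN, GOOD_LEN = 12, 20  # thresholds taken from comment 4 above


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK key: PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def is_word_combination(text: str) -> bool:
    """True if text splits entirely into word-list entries (dynamic programming)."""
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        reachable[end] = any(reachable[start] and text[start:end] in WORDLIST
                             for start in range(end))
    return bool(text) and reachable[-1]


def audit_psk(passphrase: str) -> list:
    """Return a list of findings; an empty list means the passphrase passes."""
    # A WPA/WPA2 passphrase must be 8 to 63 printable ASCII characters.
    if not re.fullmatch(r"[\x20-\x7e]{8,63}", passphrase):
        return ["invalid: must be 8-63 printable ASCII characters"]
    findings = []
    if len(passphrase) < MIN_LEN:
        findings.append("too short: fewer than 12 characters")
    elif len(passphrase) < GOOD_LEN:
        findings.append("acceptable length, but 20 or more is preferable")
    # Drop digits and punctuation so "Home-Network-2008" is still caught.
    letters = re.sub(r"[^a-z]", "", passphrase.lower())
    if is_word_combination(letters):
        findings.append("built only from word-list words")
    return findings


if __name__ == "__main__":
    for candidate in ["password", "Home-Network-2008", "t7#Qm2!vLx9@pRz4&Wk8bN"]:
        print(repr(candidate), audit_psk(candidate) or "passes")
    # Same passphrase, different SSID: the derived key differs (SSID is the salt).
    print(derive_pmk("password", "IEEE") != derive_pmk("password", "home"))
```

Because the derivation has no secret input other than the passphrase, the length and word-list checks are what actually determine how well a PSK resists guessing.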

  5. oldguy said,

    January 23, 2008 at 11:46 am

    Hi,
    I agree with the comments. But, the PCMCIA adaptor I use (Realtek 8180 on a Thinkpad A21m), even with the latest driver, doesn’t support WPA, so I am stuck sending out a WEP signal (at home). So, to minimize my risk, I use MAC filtering (my router needs the MAC address of the devices connecting to it), and I have set all the denial of service items I found on my router (a Gigafast WF-719 CAPR). I also set the power output of the signal to the lowest level that still allows me to connect to the router wherever I need it. This allows me to use the old laptop around the house, and my kids can connect their Wii to the net. So far so good and it beats buying a new PCMCIA adaptor for an old laptop.

  6. Barbara Engel said,

    March 6, 2008 at 6:04 pm

    I’m a wireless novice. How do I know if my computer has WPA2-AES capabilities?

  7. Rimsky said,

    April 23, 2008 at 2:20 am

    Referring to oldguy’s message, I also have a Realtek 8180 PCMCIA card. I use WPA-PSK via a Netgear DG834G router and, until recently, it worked fine. Then I decided to rebuild the old laptop which uses the wireless card and now I can’t connect when WPA is turned on. Without encryption it works fine. I have downloaded the latest drivers but with no luck. In fact, Realtek’s wireless management software doesn’t even include a WPA option.

    This is very odd as it definitely worked pre-rebuild.

    Any ideas anyone?

  8. Techie said,

    April 23, 2008 at 9:33 am

    Rimsky: are you sure you were using WPA before? Realtek 8180 chipsets appear to only support WEP.

  9. Rimsky said,

    April 26, 2008 at 12:45 pm

    Yes, I’m sure WPA was enabled on the router. I’ve had a scout around forums and some other people seem to be able to use WPA with the 8180 chipsets, eg. http://www.realgeek.com/forums/cant-connect-wireless-network-4102.html.

  10. Rimsky said,

    April 28, 2008 at 5:28 am

    Further to my last message, I downloaded the latest Realtek driver and UI (I thought I already had) and now it works ok – definitely in WPA mode!

  11. dj.si (London, UK) said,

    September 6, 2008 at 7:17 am

    Though my Zyxel router has wireless capability, I’d never seen the need to use it …until recently. But before enabling it I wanted to find out how to be sure that it would be secure, since I’d heard about WEP, WPA and WPA2 but hadn’t previously had the need to understand them. This was one of the first articles Google found, and I must say it’s been very helpful – it’s concise, and clearly explains the 3 options. Thank you!

    For anyone who may be interested, my home wireless network is now operational with the most secure WPA2-PSK/AES, using a Zyxel Prestige 660HW-61 router and a Zyxel G-162 CardBus wireless card in my laptop, having downloaded (from Zyxel support) and installed P-660HW-61_3.40(PE.11)C0.zip and G-162_V3.0.1_Windows98SE_WindowsME_Windows2000_WindowsXP__Standard.zip respectively.

  12. Richard Sobchinsky said,

    January 1, 2011 at 2:24 pm

    Hey, this is good stuff. I had to look at what my router offered and I’m going to use WPA2-AES for sure.
    Thank you,
    rich
