What type of encryption are AES and TKIP? WPA encryption - revealing secrets

TKIP and AES are two alternative encryption types that are used in the WPA and WPA2 security modes. In the wireless network security settings of routers and access points, you can choose one of three encryption options:

  • TKIP;
  • AES;
  • TKIP+AES.

If you select the latter (combined) option, clients will be able to connect to the access point using either of the two algorithms.

TKIP or AES? What's better?

Answer: for modern devices, the AES algorithm is definitely more suitable.

Use TKIP only if you have problems with AES (it sometimes happens that with AES encryption the connection to the access point drops or is not established at all; this is usually called equipment incompatibility).

What is the difference

AES is a modern and more secure algorithm. It is compatible with the 802.11n standard and provides high data transfer speeds.

TKIP is deprecated. It has a lower level of security and supports data transfer rates of up to 54 Mbit/s.

How to switch from TKIP to AES

Case 1. The access point operates in TKIP+AES mode

In this case, you just need to change the encryption type on client devices. The easiest way to do this is to delete the network profile and connect to it again.

Case 2: The access point uses only TKIP

In this case:

1. First, go to the web interface of the access point (or router, respectively). Change the encryption to AES and save the settings (read more below).

2. Change the encryption on client devices (more details in the next paragraph). And again, it’s easier to forget the network and connect to it again by entering the security key.

Enabling AES encryption on the router

Using D-Link as an example

Go to the Wireless Setup section.

Click the Manual Wireless Connection Setup button.

Set the security mode to WPA2-PSK.

Find the Cipher Type item and set it to AES.

Click Save Settings.

Using TP-Link as an example

Open the Wireless section.

Select the Wireless Security item.

In the Version field, select WPA2-PSK.

In the Encryption field, select AES.

Click the Save button.

Change the wireless encryption type in Windows

Windows 10 and Windows 8.1

These OS versions do not have a . Therefore, there are three options for changing encryption.

Option 1. Windows itself will detect a mismatch in network settings and prompt you to re-enter the security key. In this case, the correct encryption algorithm will be installed automatically.

Option 2. Windows will not be able to connect and will offer to forget the network by displaying the corresponding button.

After this, you will be able to connect to your network without problems, because its profile will be deleted.

Option 3. You will have to delete the network profile manually via the command line and only then connect to the network again.

Follow these steps:

1 Launch Command Prompt.

2 Enter the command:

netsh wlan show profiles

to display a list of saved wireless network profiles.

3 Now enter the command:

netsh wlan delete profile name="your network name"

to delete the selected profile.

If the network name contains a space (for example "wifi 2"), put it in quotes.

The picture shows all the described actions:

4 Now click on the wireless network icon in the taskbar:

5 Select a network.

6 Click Connect:

7 Enter your security key.

Windows 7

Everything is simpler and clearer here.

1 Click the wireless network icon in the taskbar.


3 Click on the link Wireless Network Management:

4 Right-click on the profile of the desired network.

5 Select Properties:

Attention! At this step you can also click Delete network and just connect to it again! If you decide to do this, you don't need to read any further.

6 Go to the Security tab.

Many routers provide the following security standards as options: WPA2-PSK (TKIP), WPA2-PSK (AES) and WPA2-PSK (TKIP/AES). Make the wrong choice and you'll end up with a slower and less secure network.

The WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access) and WPA2 (Wi-Fi Protected Access II) standards, which you will be offered to choose from when setting up your wireless network security settings, are the main information security algorithms. WEP is the oldest of them and the most vulnerable, as many weaknesses have been discovered in it over the course of its use. WPA offers better security, but is also reportedly susceptible to hacking. WPA2, which is still evolving, is currently the most common security option. TKIP (Temporal Key Integrity Protocol) and AES (Advanced Encryption Standard) are two different types of encryption that can be used in the WPA2 standard. Let's see how they differ and which one is best for you.

AES vs. TKIP

TKIP and AES are two different encryption standards that can be used on Wi-Fi networks. TKIP is an older encryption protocol, introduced at one time by the WPA standard to replace the extremely unreliable WEP algorithm. In fact, TKIP is very similar to the WEP encryption algorithm. TKIP is no longer considered a reliable security method and is not currently recommended. In other words, you shouldn't use it.

AES is a more secure encryption protocol introduced by the WPA2 standard. AES is not some makeshift standard designed specifically for Wi-Fi networks. It is a serious global encryption standard, adopted even by the US government. For example, when you encrypt a hard drive using TrueCrypt, it may use the AES encryption algorithm to do so. AES is a widely accepted standard that provides near-total security; its potential weaknesses are susceptibility to brute-force attacks (which are counteracted by the use of fairly complex passphrases) and security weaknesses associated with other aspects of WPA2.

In short, TKIP is an older encryption protocol used by the WPA standard. AES for Wi-Fi is a newer encryption solution used in the new and secure WPA2 standard. In theory, this could be the end of it. But in practice, depending on your router, simply selecting WPA2 may not be enough.

Although WPA2 uses AES for optimal security, it can also use TKIP where backward compatibility with previous generations of devices is required. In this situation, devices that support WPA2 will connect in accordance with WPA2, and devices that support WPA will connect in accordance with WPA. That is, "WPA2" does not always mean WPA2-AES. However, on devices without explicitly specifying the "TKIP" or "AES" options, WPA2 is usually synonymous with WPA2-AES.

The abbreviation “PSK” in the full name of these options stands for “pre-shared key” - your passphrase (cipher key). This distinguishes personal standards from WPA-Enterprise, which uses a RADIUS server to issue unique keys on large corporate or government Wi-Fi networks.

Security Options for Wi-Fi Network

Even more confusing? That is not surprising. But all you really need to do is find the one option in your device's list of settings that provides the most protection. Here is the most likely list of options for your router:

  • Open (risky): There are no passphrases on open Wi-Fi networks. You shouldn't choose this option - seriously, you could give the police a reason to come visit you.
  • WEP 64 (risky): The old WEP protocol standard is vulnerable and you should not use it.
  • WEP 128 (risky): This is the same as WEP, but with an increased encryption key length. In fact, it is no less vulnerable than WEP 64.
  • WPA-PSK (TKIP): The original version of the WPA protocol is used here (essentially WPA1). It is not completely secure and has been replaced by WPA2.
  • WPA-PSK (AES): This uses the original WPA protocol, replacing TKIP with the more modern AES encryption standard. This option is offered as a temporary measure, but devices that support AES will almost always support WPA2, while devices that require WPA will almost never support AES. So this option doesn't make much sense.
  • WPA2-PSK (TKIP): This uses the modern WPA2 standard with the older TKIP encryption algorithm. This option is not secure, and its only advantage is that it is suitable for older devices that do not support the WPA2-PSK (AES) option.
  • WPA2-PSK (AES): This is the most commonly used security option. It uses WPA2, the latest encryption standard for Wi-Fi networks, and the latest AES encryption protocol. You should use this option. On some devices you'll see an option called simply "WPA2" or "WPA2-PSK", which in most cases means using AES.
  • WPA/WPA2-PSK (TKIP/AES): Some devices offer - and even recommend - this mixed option. This option allows you to use both WPA and WPA2 - with both TKIP and AES. This ensures maximum compatibility with any ancient devices you may have, but also gives hackers the opportunity to break into your network by breaking into the more vulnerable WPA and TKIP protocols.
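
To find which saved Windows profiles still use one of the weaker options from this list (and so need the delete-and-reconnect steps described earlier), the following added example, which is not part of the original article, parses profile XML in the format written by netsh wlan export profile. The sample profiles are constructed, and the verdict labels "risky", "replace", "ok" and "review" are shorthand chosen for this example.

```python
"""Audit exported Windows WLAN profiles against the option list above."""
import xml.etree.ElementTree as ET

# Namespace used by Windows WLAN profile XML files.
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# (authentication, encryption) values from the profile schema, mapped to the
# option names in the list above. Verdict labels are this example's shorthand.
# A client profile stores one pair only, so the mixed TKIP/AES router mode
# never appears here: the client ends up with whichever pair it negotiated.
RATINGS = {
    ("open", "none"): ("Open", "risky"),
    ("open", "WEP"): ("WEP", "risky"),
    ("shared", "WEP"): ("WEP", "risky"),
    ("WPAPSK", "TKIP"): ("WPA-PSK (TKIP)", "replace"),
    ("WPAPSK", "AES"): ("WPA-PSK (AES)", "replace"),
    ("WPA2PSK", "TKIP"): ("WPA2-PSK (TKIP)", "replace"),
    ("WPA2PSK", "AES"): ("WPA2-PSK (AES)", "ok"),
}


def audit_profile(xml_text):
    """Return (profile name, option name, verdict) for one exported profile."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return ("<unparsed>", "unreadable XML", "review")
    name = root.findtext("w:name", default="<unnamed>", namespaces=NS)
    sec = root.find("w:MSM/w:security/w:authEncryption", NS)
    if sec is None:
        return (name, "no security block", "review")
    auth = sec.findtext("w:authentication", default="", namespaces=NS)
    enc = sec.findtext("w:encryption", default="", namespaces=NS)
    # Pairs outside the list above (for example Enterprise modes) are not
    # judged here; they are reported for manual review instead.
    option, verdict = RATINGS.get((auth, enc), (f"{auth}/{enc}", "review"))
    return (name, option, verdict)


def profiles_to_recreate(xml_texts):
    """Names of profiles to delete and re-join once the router is on AES."""
    results = (audit_profile(text) for text in xml_texts)
    return [name for name, _, verdict in results if verdict in ("risky", "replace")]


def make_sample(name, auth, enc):
    """Build a constructed profile with the same layout as an exported file."""
    return f"""<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <SSIDConfig><SSID><name>{name}</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication>
    <encryption>{enc}</encryption>
    <useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""


# Constructed sample input: four profiles plus one truncated file.
SAMPLES = [
    make_sample("home-old", "WPA2PSK", "TKIP"),
    make_sample("cafe", "open", "none"),
    make_sample("home-new", "WPA2PSK", "AES"),
    make_sample("office", "WPA2", "AES"),
    "<WLANProfile><name>broken",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-12s %-18s %s" % audit_profile(sample))
    print("Delete and reconnect:", profiles_to_recreate(SAMPLES))
```

On a real machine, read the exported .xml files from the export folder and pass their contents to profiles_to_recreate instead of SAMPLES.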

WPA2 certification has been in effect since 2004 and became mandatory in 2006. Any device with a "Wi-Fi" logo manufactured after 2006 must support the WPA2 encryption standard.

Since your Wi-Fi-capable device is likely under 11 years old, you can feel comfortable simply choosing the WPA2-PSK (AES) option. By selecting this option, you can also check the functionality of your device. If the device stops working, you can always return or exchange it. Although, if security is a big concern to you, you can simply buy a new device that was manufactured no earlier than 2006.

WPA and TKIP slow down your Wi-Fi network

The WPA and TKIP options chosen for compatibility purposes can also slow down the Wi-Fi network. Many modern Wi-Fi routers that support 802.11n or newer, faster standards will throttle down to 54 Mbps if you set them to WPA or TKIP to ensure compatibility with hypothetical older devices.

By comparison, when using WPA2 with AES, even 802.11n supports speeds of up to 300 Mbps, while 802.11ac offers a theoretical maximum speed of 3.46 Gbps under optimal (read: ideal) conditions.

On most routers, as we've seen, the list of options typically includes WEP, WPA (TKIP) and WPA2 (AES) - and perhaps a mixed WPA (TKIP) + WPA2 (AES) maximum compatibility mode option thrown in with the best of intentions.

If you have a fancy type of router that offers WPA2 with either TKIP or AES, choose AES. Almost all your devices will definitely work with it, and they will work faster and more securely. AES is a simple and rational choice.

To protect your Wi-Fi network and set a password, you must select the type of wireless network security and encryption method. And at this stage, many people have a question: which one to choose? WEP, WPA, or WPA2? Personal or Enterprise? AES or TKIP? What security settings will best protect your Wi-Fi network? I will try to answer all these questions within the framework of this article. Let's consider all possible authentication and encryption methods. Let's find out which Wi-Fi network security parameters are best set in the router settings.

Please note that security type, or authentication, network authentication, security, authentication method are all the same thing.

Authentication type and encryption are the main security settings for a wireless Wi-Fi network. I think that first we need to figure out what they are, what versions there are, their capabilities, etc. After which we will find out what type of protection and encryption to choose. I’ll show you using the example of several popular routers.

I highly recommend setting up a password and protecting your wireless network. Set the maximum level of protection. If you leave the network open, without protection, then anyone can connect to it. First of all, this is unsafe. It also means extra load on your router, a drop in connection speed and all sorts of problems with connecting different devices.

Wi-Fi network protection: WEP, WPA, WPA2

There are three protection options. Of course, not counting "Open" (No protection).

  • WEP (Wired Equivalent Privacy) is an outdated and insecure authentication method. This is the first and not very successful method of protection. Attackers can easily access wireless networks that are protected using WEP. There is no need to set this mode in the settings of your router, although it is present there (not always).
  • WPA (Wi-Fi Protected Access) is a reliable and modern type of security. Maximum compatibility with all devices and operating systems.
  • WPA2 is a new, improved and more reliable version of WPA. There is support for AES CCMP encryption. At the moment, this is the best way to protect a Wi-Fi network. This is what I recommend using.

WPA/WPA2 can be of two types:

  • WPA/WPA2 - Personal (PSK) - this is the normal authentication method, where you only need to set a password (key) and then use it to connect to the Wi-Fi network. The same password is used for all devices. The password itself is stored on the devices, where you can view it or change it if necessary. It is recommended to use this option.
  • WPA/WPA2 - Enterprise - a more complex method that is mainly used to protect wireless networks in offices and various establishments. Allows for a higher level of protection. Used only when a RADIUS server is installed to authorize devices (which gives out passwords).

I think we have figured out the authentication method. The best thing to use is WPA2 - Personal (PSK). For better compatibility, so that there are no problems connecting older devices, you can set the WPA/WPA2 mixed mode. This is the default setting on many routers. Or marked as "Recommended".

Wireless Network Encryption

There are two methods: TKIP and AES.

It is recommended to use AES. If you have older devices on your network that do not support AES encryption (but only TKIP) and there will be problems connecting them to the wireless network, then set it to "Auto". TKIP encryption type is not supported in 802.11n mode.

In any case, if you install strictly WPA2 - Personal (recommended), then only AES encryption will be available.

What protection should I install on my Wi-Fi router?

Use WPA2 - Personal with AES encryption. Today, this is the best and safest way. This is what the wireless network security settings look like on ASUS routers:

And this is what these security settings look like on routers from TP-Link (with old firmware).

You can see more detailed instructions for TP-Link.

If you don’t know where to find all these settings on your router, then write in the comments, I’ll try to tell you. Just don't forget to specify the model.

Since older devices (Wi-Fi adapters, phones, tablets, etc.) may not support WPA2 - Personal (AES), in case of connection problems, set the mixed mode (Auto).

I often notice that after changing the password or other security settings, devices do not want to connect to the network. Computers may receive the error "The network settings saved on this computer do not meet the requirements of this network." Try deleting (forgetting) the network on the device and connecting again. I wrote how to do this on Windows 7. But in Windows 10 you need .

Password (key) WPA PSK

Whatever type of security and encryption method you choose, you must set a password. Also known as WPA key, Wireless Password, Wi-Fi network security key, etc.

Password length is from 8 to 32 characters. You can use letters of the Latin alphabet and numbers. Also special characters: - @ $ # ! etc. No spaces! The password is case sensitive! This means that "z" and "Z" are different characters.

I do not recommend setting simple passwords. It is better to create a strong password that no one can guess, even if they try hard.

It is unlikely that you will be able to remember such a complex password. It would be nice to write it down somewhere. It’s not uncommon for Wi-Fi passwords to be simply forgotten. I wrote in the article what to do in such situations: .

If you need even more security, you can use MAC address binding. True, I don’t see the need for this. WPA2 - Personal paired with AES and a complex password is quite enough.

How do you protect your Wi-Fi network? Write in the comments. Well, ask questions :)

WPA encryption involves using a secure Wi-Fi network. In general, WPA stands for Wi-Fi Protected Access, that is, protected access to Wi-Fi.

Most system administrators know how to configure this protocol and know a lot about it.

But ordinary people can also learn a lot about what WPA is, how to configure it and how to use it.

True, on the Internet you can find many articles on this subject, from which it is impossible to understand anything. Therefore, today we will speak in simple language about complex things.

A little theory

So, WPA is a protocol, technology, program that contains a set of certificates used when transmitting a Wi-Fi signal.

To put it simply, this technology allows you to use various authentication methods to protect your Wi-Fi network.

This could be an electronic key, which is also a special certificate of the right to use this network (we’ll talk about this later).

In general, with the help of this program, only those who have the right to do so will be able to use the network and that’s all you need to know.


For reference: Authentication is a security measure that allows you to establish the identity of a person and his right to access the network by comparing his reported and expected data.

For example, a person can be authenticated by placing their finger on a fingerprint scanner. If he simply enters his login and password, this is only authorization.

But a fingerprint lets you check that it really is this person logging in, and not someone who took his credentials and used them.

Fig. 1. Fingerprint scanner on your smartphone

So, computer networks also use certain methods to confirm that the device that has the right to access the network is receiving access.

WPA has its own set of such methods. We will talk about them further, but before that we will clarify a few important points.

What do you need to know about WPA?

  1. This technology cannot be used by every device, only by those that support it at the software level. That is, if the manufacturer has included a WPA support feature in the device, then it can be used.
  2. WPA is the successor to WEP, another technology that did not have authentication as such.
  3. WPA uses special keys that are sent to all devices that will be allowed to connect to the network. And then everything is simple:
  • the signal reaches the new device and requests a key from it;
  • if the device gives the key, it connects to the network;
  • and if it does not, a signal about this is sent to the central device and the connection does not occur.

If you have ever worked with Cisco Packet Tracer (a network building simulator from this company), then you can understand the principle of operation of this technology if you look at Figure 2.

Warning! If you have never worked with Cisco Packet Tracer, don't bother. Everything will be clear to you without this diagram.

There is a LAP - a device that performs remote control and transmits a signal to the client, that is, a computer that uses a Wi-Fi signal.

And also in the diagram there is a WLC - wireless local network controller. On the right is the authentication server.

Connecting all this is a regular Switch (a device that simply connects various network devices). The key is sent from the controller to the authentication server and stored there.

When a client tries to connect to a network, it must transmit to the LAP a key that it knows. This key goes to the authentication server and is compared with the desired key.

If the keys match, the signal propagates freely to the client.

Fig. 2. Example WPA scheme in Cisco Packet Tracer

Components of WPA

As we said above, WPA uses special keys that are generated every time you try to start transmitting a signal, that is, turn on Wi-Fi, and also change every time.

WPA includes several technologies that help generate and transmit these same keys.

The figure below shows the general formula, which includes all the components of the technology under consideration.

Fig. 3. Formula with WPA ingredients

Now let's look at each of these components separately:

  • 802.1X is a standard that is used to generate that same unique key, with the help of which authentication takes place in the future.
  • EAP is the so-called Extensible Authentication Protocol. It is responsible for the format of messages with which keys are transmitted.
  • TKIP is a protocol that made it possible to expand the key size to 128 bytes (previously, in WEP, it was only 40 bytes).
  • MIC is a mechanism for checking messages (in particular, they are checked for integrity). If messages do not meet the criteria, they are sent back.

It is worth saying that now there is already WPA2, which, in addition to all of the above, also uses CCMP and AES encryption.

We won't talk about what it is now, but WPA2 is more secure than WPA. That's all you really need to know.

One more time from the very beginning

So, you have Wi-Fi. The network uses WPA technology.

To connect to Wi-Fi, each device must provide a user certificate, or, more simply, a special key issued by the authentication server.

Only then will he be able to use the network. That's all!

Now you know what WPA is. Now let's talk about what is good and what is bad about this technology.

Advantages and disadvantages of WPA encryption

The advantages of this technology would include the following:

  1. Enhanced data transmission security (compared to WEP, the predecessor of WPA).
  2. Tighter Wi-Fi access control.
  3. Compatible with a large number of devices that are used to organize a wireless network.
  4. Centralized security management. The center in this case is the authentication server. Due to this, attackers are not able to gain access to hidden data.
  5. Enterprises can use their own security policies.
  6. Easy to set up and continue to use.

Of course, this technology also has disadvantages, and they are often quite significant. In particular, this is what we are talking about:

  1. A TKIP key can be cracked in a maximum of 15 minutes. This was stated by a group of specialists in 2008 at the PacSec conference.
  2. In 2009, specialists from Hiroshima University developed a method for hacking any network that uses WPA in one minute.
  3. Using a vulnerability that experts named Hole196, you can use WPA2 with your own key, and not with the one required by the authentication server.
  4. In most cases, any WPA can be cracked using a simple search of all possible options (brute force), as well as using the so-called dictionary attack. In the second case, the options are used not in a chaotic order, but according to the dictionary.

Of course, to take advantage of all these vulnerabilities and problems, you must have special knowledge in the field of building computer networks.

All this is inaccessible to most ordinary users. Therefore, you don’t have to worry too much about someone gaining access to your Wi-Fi.

Fig. 4. Burglar and computer

About setting up WPA encryption

For the user, the setup looks very simple - he selects WPA technology to encrypt the password with which he will connect to the network.

More precisely, it uses WPA-PSK, that is, WPA with a password rather than a key. To do this, he goes into the router settings, finds the type of network authentication there and sets a password.

In more detail, this procedure is performed as follows:

  1. To go to the router settings, in your browser, enter 192.168.0.1 or 192.168.1.1 in the address bar. If you have not changed anything in this window, then the login and password will be the same - “admin” and “admin”.
  2. Next, find the item regarding the authentication method. For example, if you are using an Asus RT-N12, this item is located in the “Advanced Settings” section and in the “Wireless” subsection (this is in the menu on the left). WPA is selected next to the “Authentication Method” inscription.
  3. Important parameters also include “WPA Pre-Shared Key”, that is, the password for connecting to the network and “SSID”, that is, the name of the network.

Fig. 5. Router settings window

As you can see in Figure 5, there is also a “WPA Encryption” field. Typically these two parameters (and the "Authentication Method") are specified together.

The “Encryption” parameter refers to the encryption type. There are only two types that are used in conjunction with WPA - TKIP and AES.

Combinations of these two types are also used.

As for choosing the type of encryption, here are the instructions for you on this topic:

  1. If the security of your network is really important to you, use AES. However, do not use any combinations with TKIP.
  2. If you are using legacy devices that do not support WPA2, it is better to use TKIP.
  3. TKIP is also quite suitable for a home network. This will create less load on the network, but will also reduce its security.

There can be no other advice in this case. TKIP has weaker security and that says it all.

Actually, that's all that can be said about WPA encryption.

We said above that this technology has quite a lot of vulnerabilities. Below you can see how they are used to hack a network.

When I first set up my home Wi-Fi router, I made a serious mistake: I chose the wrong encryption protocol. As a result, my point was hacked the next day, even with an 8-digit password. I realized this only after a few weeks, and before that I was content with slow loading pages and interruptions in streaming video. And this is only half the question: if confidential information and work documents are transferred through an unsecured connection, they can “go” into the wrong hands. Do you want to avoid such problems? It is enough to select the optimal encryption protocol.

WEP 64 and WEP 128

The worst thing you can do when setting up a router is to choose WEP encryption. It cannot guarantee even a minimum level of security: your access point can be hacked in a matter of minutes, and not only to take advantage of the free Internet, but also to obtain personal data.

WPA-PSK (TKIP) and

Another encryption protocol that I do not recommend choosing: security, frankly speaking, is not 100%. Especially if you chose the TKIP encryption type.

WPA2-AES vs WPA2-TKIP

The WPA2 protocol version is the most current option. When the question arises about the type of encryption, choose WPA2-AES - it will provide maximum protection for your Wi-Fi network and data security. In comparison, the TKIP encryption type is considered less secure. But if you have an outdated device and