Encryption type TKIP or AES. Wi-Fi encryption type: which one to choose, WEP or WPA2-PSK (Personal/Enterprise), to protect network security

Recently, many “revealing” publications have appeared about the hacking of some new protocol or technology that compromises the security of wireless networks. Is this really so, what should you be afraid of, and how can you ensure that access to your network is as secure as possible? Do the words WEP, WPA, 802.1x, EAP, PKI mean little to you? This short overview will help bring together all the encryption and radio access authorization technologies used. I will try to show that a properly configured wireless network represents an insurmountable barrier for an attacker (up to a certain limit, of course).

Basics

Any interaction between an access point (network) and a wireless client is based on:
  • Authentication - how the client and the access point introduce themselves to each other and confirm that they have the right to communicate with each other;
  • Encryption - which scrambling algorithm is used for transmitted data, how the encryption key is generated, and when it changes.

The parameters of a wireless network, primarily its name (SSID), are regularly advertised by the access point in broadcast beacon packets. In addition to the expected security settings, requests for QoS, 802.11n parameters, supported speeds, information about other neighbors, etc. are transmitted. Authentication determines how the client presents itself to the point. Possible options:

  • Open - a so-called open network, in which all connected devices are authorized immediately
  • Shared - the authenticity of the connecting device must be verified with a key/password
  • EAP - the authenticity of the connecting device must be verified using the EAP protocol by an external server
An open network does not mean that anyone can use it freely: to transmit data in such a network, the client must also use the matching encryption algorithm and, accordingly, correctly establish the encrypted connection. The encryption algorithms are:
  • None - no encryption, data is transmitted in clear text
  • WEP - cipher based on the RC4 algorithm with static or dynamic keys of different lengths (64 or 128 bits)
  • CKIP - Cisco's proprietary replacement for WEP, an early version of TKIP
  • TKIP - improved WEP replacement with additional checks and protection
  • AES/CCMP - the most advanced algorithm, based on AES256 with additional checks and protection

The combination of Open Authentication with No Encryption is widely used in guest access systems, such as providing Internet in a cafe or hotel. To connect, you only need to know the name of the wireless network. Often such a connection is combined with additional verification on a Captive Portal: the user's HTTP request is redirected to an additional page that can ask for confirmation (login and password, agreement with the rules, etc.).

WEP encryption is compromised and must not be used (even with dynamic keys).

The commonly encountered terms WPA and WPA2 in fact denote the encryption algorithm (TKIP or AES). Since client adapters have supported WPA2 (AES) for quite some time, there is no point in using TKIP encryption.

The difference between WPA2 Personal and WPA2 Enterprise is where the encryption keys used in the mechanics of the AES algorithm come from. For private (home, small) applications, a static key (password, code word, PSK - Pre-Shared Key) with a minimum length of 8 characters is used; it is set in the access point settings and is the same for all clients of a given wireless network. Compromise of such a key (someone told a neighbor, an employee was fired, a laptop was stolen) requires an immediate password change for all remaining users, which is only realistic if there are few of them. For corporate applications, as the name suggests, a dynamic key is used, individual for each client working at that moment. This key can be periodically updated during operation without breaking the connection, and an additional component, the authorization server, is responsible for generating it; almost always this is a RADIUS server.
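To make the "static key shared by all clients" point concrete, here is an added example (not code from the original article) that derives the WPA2 Personal pairwise master key the way IEEE 802.11i specifies it: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes. The `passphrase_findings` thresholds and the small `COMMON` list are this example's own assumptions, not part of any standard.

```python
import hashlib
import string

# Added example, not code from the original article. Derives the WPA/WPA2
# Personal PMK exactly as IEEE 802.11i does:
#   PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
# Every client of the network computes this same value, which is why one
# leaked passphrase compromises all of them and forces a rotation.

# Constructed stand-in for a real common-password list (assumption).
COMMON = {"password", "12345678", "qwertyuiop"}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Turn the shared passphrase and the network name into the 256-bit PMK."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA/WPA2 passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def passphrase_findings(passphrase: str) -> list:
    """Defender-side checks before deploying a PSK.

    The 16-character and three-class thresholds are this example's policy,
    not a standard; the 8-character minimum is WPA's own.
    """
    findings = []
    if len(passphrase) < 8:
        findings.append("shorter than the 8-character minimum: not accepted by WPA")
    elif len(passphrase) < 16:
        findings.append("short: exposed to offline guessing once a handshake is captured")
    classes = sum(bool(set(passphrase) & set(group)) for group in
                  (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, string.punctuation))
    if classes < 3:
        findings.append("uses fewer than three character classes")
    if passphrase.lower() in COMMON:
        findings.append("appears in common-password list")
    return findings


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: "password" / "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    # Same passphrase on a differently named network gives a different PMK.
    print(derive_pmk("password", "IEEE") == derive_pmk("password", "HomeNet"))
    print(passphrase_findings("password"))
```

Two things worth noticing when running it: the SSID is part of the derivation, so the same passphrase on two networks does not produce the same key, and the 4096 PBKDF2 iterations are the only cost standing between a captured handshake and an offline guess, which is why passphrase length matters far more than the "8 characters" minimum suggests.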

All possible security parameters are summarized in this table:

Property | Static WEP | Dynamic WEP | WPA | WPA2 (Enterprise)
--- | --- | --- | --- | ---
Identification | User, computer, WLAN card | User, computer | User, computer | User, computer
Authorization | Shared key | EAP | EAP or shared key | EAP or shared key
Integrity | 32-bit Integrity Check Value (ICV) | 32-bit ICV | 64-bit Message Integrity Code (MIC) | CTR/CBC-MAC (Counter mode with Cipher Block Chaining MAC, CCM), part of AES
Encryption | Static key | Session key | Per-packet key via TKIP | CCMP (AES)
Key distribution | One-time, manual | Pairwise Master Key (PMK) segment | Derived from PMK | Derived from PMK
Initialization vector | Plaintext, 24 bits | Plaintext, 24 bits | Extended vector, 65 bits | 48-bit packet number (PN)
Algorithm | RC4 | RC4 | RC4 | AES
Key length, bits | 64/128 | 64/128 | 128 | up to 256
Required infrastructure | No | RADIUS | RADIUS | RADIUS

While WPA2 Personal (WPA2 PSK) is clear, an enterprise solution requires further consideration.

WPA2 Enterprise

Here we are dealing with an additional set of protocols. On the client side, a special software component, the supplicant (usually part of the OS), interacts with the authorization side, the AAA server. This example shows the operation of a unified radio network built on lightweight access points and a controller. When access points "with brains" (autonomous ones) are used, the point itself can take on the entire role of intermediary between clients and server. In this case, the supplicant's data travels over the radio framed in the 802.1x protocol (EAPOL), and on the controller side it is wrapped in RADIUS packets.

The use of the EAP authorization mechanism in your network leads to the fact that after successful (almost certainly open) client authentication by the access point (together with the controller, if any), the latter asks the client to authorize (confirm its authority) with the infrastructure RADIUS server:

Using WPA2 Enterprise requires a RADIUS server on your network. At the moment, the most capable products are the following:

  • Microsoft Network Policy Server (NPS), formerly IAS - configured via MMC, free, but you need to buy Windows
  • Cisco Secure Access Control Server (ACS) 4.2, 5.3 - configured via a web interface, sophisticated in functionality, allows you to build distributed and fault-tolerant systems, expensive
  • FreeRADIUS - free, configured using text configs, not convenient to manage and monitor

In this case, the controller carefully monitors the ongoing exchange of information and waits for successful authorization or refusal of it. If successful, the RADIUS server is able to transfer additional parameters to the access point (for example, which VLAN to place the subscriber in, which IP address to assign, QoS profile, etc.). At the end of the exchange, the RADIUS server allows the client and the access point to generate and exchange encryption keys (individual, valid only for this session):

EAP

The EAP protocol itself is a container, meaning that the actual authorization mechanism is left to inner protocols. At the moment, the following have received any significant distribution:
  • EAP-FAST (Flexible Authentication via Secure Tunneling) - developed by Cisco; allows authorization using a login and password transmitted within a TLS tunnel between the supplicant and the RADIUS server
  • EAP-TLS (Transport Layer Security). Uses a public key infrastructure (PKI) to authorize the client and server (supplicant and RADIUS server) through certificates issued by a trusted certification authority (CA). Requires issuing and installing client certificates on each wireless device, so it is only suitable for a managed corporate environment. The Windows Certificate Server has facilities that allow the client to generate its own certificate if the client is a member of a domain. Blocking a client can easily be done by revoking its certificate (or through accounts).
  • EAP-TTLS (Tunneled Transport Layer Security) is similar to EAP-TLS, but does not require a client certificate when creating the tunnel. In such a tunnel, similar to a browser SSL connection, additional authorization is performed (using a password or something else).
  • PEAP-MSCHAPv2 (Protected EAP) - similar to EAP-TTLS in terms of the initial establishment of an encrypted TLS tunnel between the client and server, requiring a server certificate. Subsequently, authorization inside the tunnel uses the well-known MSCHAPv2 protocol.
  • PEAP-GTC (Generic Token Card) - similar to the previous one, but requires one-time password cards (and the corresponding infrastructure)

All of these methods (except EAP-FAST) require a server certificate (on the RADIUS server) issued by a certification authority (CA). The CA certificate itself must be present in the trusted root store on the client's device (which is easy to implement using Group Policy in Windows). Additionally, EAP-TLS requires an individual client certificate. The client's authenticity is verified both by a digital signature and (optionally) by comparing the certificate presented by the client to the RADIUS server with the one the server retrieved from the PKI infrastructure (Active Directory).

Support for any of the EAP methods must be provided by the client-side supplicant. The standard built-in supplicants of Windows XP/Vista/7, iOS and Android provide at least EAP-TLS and EAP-MSCHAPv2, which makes these methods popular. Intel client adapters for Windows come with the ProSet utility, which expands the available list. The Cisco AnyConnect client does the same.

How reliable is it?

After all, what does it take for an attacker to break into your network?

For Open Authentication, No Encryption - nothing. Connect to the network, and that's it. Since the radio medium is open and the signal travels in all directions, it is not easy to contain. With a client adapter that allows listening to the air, network traffic is visible in the same way as if the attacker had connected to the wire, to a hub, or to the SPAN port of a switch.
Breaking WEP-based encryption requires only time to collect enough IVs and one of the many freely available utilities.
For encryption based on TKIP or AES, direct decryption is possible in theory, but in practice no cases of a break have been reported.

Of course, one can try to guess the PSK key or the password for one of the EAP methods. No common attacks against these methods are known. One can try social engineering methods, or

WPA encryption involves using a secure Wi-Fi network. In general, WPA stands for Wi-Fi Protected Access, that is, protected access to Wi-Fi.

Most system administrators know how to configure this protocol and know a lot about it.

But ordinary people can also learn a lot about what WPA is, how to configure it and how to use it.

True, on the Internet you can find many articles on this subject, from which it is impossible to understand anything. Therefore, today we will speak in simple language about complex things.

A little theory

So, WPA is a protocol, technology, program that contains a set of certificates used when transmitting a Wi-Fi signal.

To put it simply, this technology allows you to use various authentication methods to protect your Wi-Fi network.

This could be an electronic key, which is also a special certificate of the right to use this network (we’ll talk about this later).

In general, with the help of this program, only those who have the right to do so will be able to use the network and that’s all you need to know.

For reference: Authentication is a security measure that allows you to establish the identity of a person and his right to access the network by comparing his reported and expected data.

For example, a person can be authenticated by placing their finger on a fingerprint scanner. If he simply enters his login and password, this is only authorization.

But a fingerprint allows you to check whether this person is really logging in, and not someone took his data and entered with their help.

Fig. 1. Fingerprint scanner on a smartphone

So, computer networks also use certain methods to confirm that the device that has the right to access the network is receiving access.

WPA has its own set of such methods. We will talk about them further, but before that we will clarify a few important points.

What you need to know about WPA?

  1. This technology cannot be used by all devices, only by those that support it at the software level. That is, if the manufacturer has included WPA support in the device, then it can be used.
  2. WPA is the successor of WEP, another technology that had no authentication as such.
  3. WPA uses special keys that are sent to all devices that will be allowed to connect to the network. And then everything is simple:
  • the signal reaches the new device and requests a key from it;
  • if the device gives the key, it connects to the network;
  • if it does not, a signal about this is sent to the central device and the connection does not occur.

If you have ever worked with Cisco Packet Tracer (a network building simulator from this company), you can understand the principle of operation of this technology by looking at Figure 2.

Warning! If you have never worked with Cisco Packet Tracer, don't bother. Everything will be clear to you without this diagram.

There is a LAP - a device that performs remote control and transmits a signal to the client, that is, a computer that uses a Wi-Fi signal.

And also in the diagram there is a WLC - wireless local network controller. On the right is the authentication server.

Connecting all this is a regular Switch (a device that simply connects various network devices). The key is sent from the controller to the authentication server and stored there.

When a client tries to connect to a network, it must transmit to the LAP a key that it knows. This key goes to the authentication server and is compared with the desired key.

If the keys match, the signal propagates freely to the client.

Fig. 2. Sample WPA scheme in Cisco Packet Tracer

Components of WPA

As we said above, WPA uses special keys that are generated every time you try to start transmitting a signal, that is, turn on Wi-Fi, and also change every time.

WPA includes several technologies that help generate and transmit these same keys.

The figure below shows the general formula, which includes all the components of the technology under consideration.

Fig. 3. Formula with WPA ingredients

Now let's look at each of these components separately:

  • 802.1X is a standard that is used to generate that same unique key, with the help of which authentication takes place later.
  • EAP is the so-called Extensible Authentication Protocol. It is responsible for the format of messages with which keys are transmitted.
  • TKIP is a protocol that made it possible to expand the key size to 128 bytes (previously, in WEP, it was only 40 bytes).
  • MIC is a mechanism for checking messages (in particular, they are checked for integrity). If messages do not meet the criteria, they are sent back.

It is worth saying that now there is already WPA2, which, in addition to all of the above, also uses CCMP and AES encryption.

We won't talk about what it is now, but WPA2 is more secure than WPA. That's all you really need to know.

One more time from the very beginning

So, you have Wi-Fi. The network uses WPA technology.

To connect to Wi-Fi, each device must provide a user certificate, or, more simply, a special key issued by the authentication server.

Only then will he be able to use the network. That's all!

Now you know what WPA is. Now let's talk about what is good and what is bad about this technology.

Advantages and disadvantages of WPA encryption

The advantages of this technology would include the following:

  1. Enhanced data transmission security (compared to WEP, the predecessor of WPA).
  2. Tighter Wi-Fi access control.
  3. Compatible with a large number of devices that are used to organize a wireless network.
  4. Centralized security management. The center in this case is the authentication server. Due to this, attackers are not able to gain access to hidden data.
  5. Enterprises can use their own security policies.
  6. Easy to set up and continue to use.

Of course, this technology also has disadvantages, and they are often quite significant. In particular, this is what we are talking about:

  1. A TKIP key can be cracked in a maximum of 15 minutes. This was stated by a group of specialists in 2008 at the PacSec conference.
  2. In 2009, specialists from Hiroshima University developed a method for hacking any network that uses WPA in one minute.
  3. Using a vulnerability that experts call Hole196, you can use WPA2 with your own key, and not with the one required by the authentication server.
  4. In most cases, any WPA can be cracked using a simple search of all possible options (brute force), as well as using the so-called dictionary attack. In the second case, the options are used not in a chaotic order, but according to the dictionary.

Of course, to take advantage of all these vulnerabilities and problems, you must have special knowledge in the field of building computer networks.

All this is inaccessible to most ordinary users. Therefore, you don’t have to worry too much about someone gaining access to your Wi-Fi.

Fig. 4. Burglar and computer

About setting up WPA encryption

For the user, the setup looks very simple - he selects WPA technology to encrypt the password with which he will connect to the network.

More precisely, it uses WPA-PSK, that is, WPA with a password rather than a key. To do this, he goes into the router settings, finds the type of network authentication there and sets a password.

In more detail, this procedure is performed as follows:

  1. To open the router settings, enter 192.168.0.1 or 192.168.1.1 in the browser's address bar. If you have not changed anything, the login and password will be the defaults, "admin" and "admin".
  2. Next, find the item for the authentication method. For example, on an Asus RT-N12 this item is located in the "Advanced Settings" section, in the "Wireless" subsection (in the menu on the left). WPA is selected next to the "Authentication Method" label.
  3. Important parameters also include "WPA Pre-Shared Key", that is, the password for connecting to the network, and "SSID", that is, the name of the network.

Fig. 5. Router settings window

As you can see in Figure 5, there is also a “WPA Encryption” field. Typically these two parameters (and the "Authentication Method") are specified together.

The “Encryption” parameter refers to the encryption type. There are only two types that are used in conjunction with WPA - TKIP and AES.

Combinations of these two types are also used.

As for choosing the type of encryption, here are the instructions for you on this topic:

  1. If the security of your network is really important to you, use AES. However, do not use any combinations with TKIP.
  2. If you are using legacy devices that do not support WPA2, it is better to use TKIP.
  3. TKIP is also quite suitable for a home network. This will create less load on the network, but will also reduce its security.

There can be no other advice in this case. TKIP has weaker security and that says it all.
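The choice between TKIP and AES is ultimately a few lines in the access point's configuration, so here is an added example (not from the original article) of a small linter that reads a hostapd-style configuration and flags the weak choices discussed above next to a hardened one. The option names (`wpa`, `wpa_pairwise`, `rsn_pairwise`, `wpa_key_mgmt`, `wpa_passphrase`, `wep_key0`, `wep_default_key`, `ssid`) are hostapd's; both sample configurations and the 12-character passphrase policy are constructed for this example.

```python
# Added example, not from the original article: a linter for hostapd-style
# access point configuration. Option names are hostapd's; the two sample
# configurations below are constructed for this example.

WEAK_CONF = """\
# constructed sample: WPA1 with TKIP and a short passphrase
ssid=HomeNet
wpa=1
wpa_pairwise=TKIP
wpa_key_mgmt=WPA-PSK
wpa_passphrase=password
"""

HARDENED_CONF = """\
# constructed sample: WPA2 only, CCMP (AES) only, longer passphrase
ssid=HomeNet
wpa=2
rsn_pairwise=CCMP
wpa_key_mgmt=WPA-PSK
wpa_passphrase=correct-battery-staple-4-2-1
"""


def parse_conf(text):
    """hostapd.conf is one key=value per line; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return a list of findings; an empty list means nothing to complain about."""
    findings = []
    wpa = int(conf.get("wpa", "0"))  # hostapd: bit 0 = WPA1, bit 1 = WPA2/RSN
    if "wep_key0" in conf or "wep_default_key" in conf:
        findings.append("WEP keys configured: WEP is broken, remove them")
    if wpa == 0:
        findings.append("wpa=0: network is open or WEP-only")
    if wpa & 1:
        findings.append("wpa=%d enables WPA1 (TKIP); use wpa=2 unless legacy "
                        "devices force otherwise" % wpa)
    # This linter wants the cipher listed explicitly rather than relying on
    # hostapd defaults, so it collects both the WPA and the RSN cipher lists.
    ciphers = set()
    for key in ("wpa_pairwise", "rsn_pairwise"):
        ciphers.update(conf.get(key, "").split())
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher allowed: use CCMP only")
    if wpa and "CCMP" not in ciphers:
        findings.append("CCMP (AES) not offered")
    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < 12:  # example policy
        findings.append("wpa_passphrase shorter than 12 characters")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or ["ok"])
```

The weak configuration trips four findings (WPA1 enabled, TKIP allowed, no CCMP, short passphrase); the hardened one trips none. A mixed "AES+TKIP" setup would still be flagged on the TKIP line, which matches the advice above: offer TKIP only if a specific legacy device forces it.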

Actually, that's all that can be said about WPA encryption.

We said above that this technology has quite a lot of vulnerabilities. Below you can see how they are used to hack a network.

Undoubtedly, many computer users who work with the Internet (and not only) have heard of the term AES. What kind of system this is, what algorithms it uses and what it is used for, a fairly limited circle of people have any idea. By and large, the average user doesn’t need to know this. Nevertheless, let’s consider this cryptographic system, without delving too deeply into complex mathematical calculations and formulas, so that it can be understood by anyone.

What is AES encryption?

Let's start with the fact that the system itself is a set of algorithms that make it possible to hide the initial appearance of some data transmitted, received by the user, or stored on a computer. Most often it is used in Internet technologies when it is necessary to ensure complete confidentiality of information, and refers to the so-called symmetric encryption algorithms.

The AES encryption type involves the use of the same key, known to both the sending and the receiving side, to convert information into a secure form and to decode it back, in contrast to asymmetric encryption, which involves the use of two keys - private and public. Thus, it is easy to conclude that if both parties know the correct key, the encryption and decryption process is quite simple.

A little history

AES encryption was first mentioned back in 2000, when the Rijndael algorithm won the competition to select a successor to the DES system, which has been a standard in the United States since 1977.

In 2001, the AES system was officially adopted as the new federal data encryption standard and has since been used everywhere.

Types of AES encryption

Its development included several intermediate stages, mainly associated with increasing the key length. Today there are three main types: AES-128, AES-192 and AES-256 encryption.

The name speaks for itself. The digital designation corresponds to the length of the key used, expressed in bits. In addition, AES encryption is a block type that works directly with blocks of information of a fixed length, encrypting each of them, in contrast to stream algorithms that operate on single characters of a clear message, converting them into encrypted form. In AES, the block length is 128 bits.

In scientific terms, the same algorithms that AES-256 encryption uses imply operations based on a polynomial representation of operations and codes when processing two-dimensional arrays (matrices).

How it works?

The algorithm is quite complex, but is built from a few basic elements: a two-dimensional matrix (the state), transformation cycles (rounds), a round key, and the forward and inverse substitution tables.

The data encryption process consists of several stages:

  • calculation of all round keys (key expansion);
  • byte substitution using the main S-Box table (SubBytes);
  • cyclic shift of the rows of the state by different amounts (ShiftRows; see figure above);
  • mixing data within each column of the state matrix (MixColumns);
  • addition (XOR) of the state and the round key (AddRoundKey).

Decryption is performed in the reverse order, but instead of the S-Box table the inverse substitution table mentioned above is used.
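The five stages above and their reversal are easiest to follow in code, so here is an added example (not from the original article) of AES written out stage by stage, with decryption running the same stages backwards through the inverse S-box and the inverse mixing matrix. It keeps the state as a flat list of 16 bytes in FIPS 197 column-major order and handles all three key sizes; the `__main__` block checks it against the FIPS 197 Appendix C.1 vector.

```python
# Added example, not code from the original article: AES (Rijndael) written
# out stage by stage. State = flat list of 16 bytes, column-major (FIPS 197).


def _gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """S-box = multiplicative inverse in GF(2^8) followed by the affine map."""
    sbox = [0x63] * 256  # 0 has no inverse; its entry is the affine constant
    for a in range(1, 256):
        inv = next(b for b in range(1, 256) if _gmul(a, b) == 1)
        sbox[a] = (inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2)
                   ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63)
    return sbox


SBOX = _build_sbox()
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i


def expand_key(key):
    """Stage 1: compute all round keys (Nr + 1 keys of 16 bytes each)."""
    nk = len(key) // 4
    if nk not in (4, 6, 8) or len(key) % 4:
        raise ValueError("key must be 16, 24 or 32 bytes")
    nr = nk + 6
    w = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]


def _sub_bytes(state, box):
    """Stage 2: byte substitution through the S-box (or the inverse S-box)."""
    return [box[b] for b in state]


def _shift_rows(state, inverse=False):
    """Stage 3: row r of the state is rotated left by r positions."""
    out = state[:]
    for r in range(4):
        for c in range(4):
            src = (c - r) % 4 if inverse else (c + r) % 4
            out[r + 4 * c] = state[r + 4 * src]
    return out


def _mix_columns(state, coeffs):
    """Stage 4: each column times the circulant matrix whose first row is coeffs."""
    out = state[:]
    for c in range(4):
        col = state[4 * c:4 * c + 4]
        for r in range(4):
            out[4 * c + r] = 0
            for k in range(4):
                out[4 * c + r] ^= _gmul(coeffs[(k - r) % 4], col[k])
    return out


def _add_round_key(state, rk):
    """Stage 5: XOR the state with the round key."""
    return [s ^ k for s, k in zip(state, rk)]


def encrypt_block(key, block):
    rks = expand_key(key)
    nr = len(rks) - 1
    state = _add_round_key(list(block), rks[0])
    for rnd in range(1, nr):
        state = _sub_bytes(state, SBOX)
        state = _shift_rows(state)
        state = _mix_columns(state, (2, 3, 1, 1))
        state = _add_round_key(state, rks[rnd])
    state = _shift_rows(_sub_bytes(state, SBOX))  # final round: no MixColumns
    return bytes(_add_round_key(state, rks[nr]))


def decrypt_block(key, block):
    """Same stages in reverse order with the inverse S-box and inverse matrix."""
    rks = expand_key(key)
    nr = len(rks) - 1
    state = _add_round_key(list(block), rks[nr])
    for rnd in range(nr - 1, 0, -1):
        state = _sub_bytes(_shift_rows(state, inverse=True), INV_SBOX)
        state = _add_round_key(state, rks[rnd])
        state = _mix_columns(state, (14, 11, 13, 9))
    state = _sub_bytes(_shift_rows(state, inverse=True), INV_SBOX)
    return bytes(_add_round_key(state, rks[0]))


if __name__ == "__main__":  # FIPS 197 Appendix C.1 test vector
    key = bytes(range(16))
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    ct = encrypt_block(key, pt)
    print(ct.hex(), decrypt_block(key, ct) == pt)
```

Note that the only thing that changes between AES-128, AES-192 and AES-256 is the key expansion (more words, more rounds); the per-round stages are identical. This is a teaching implementation: it uses table lookups indexed by secret data and has no side-channel protection, which is exactly the class of weakness the "issues of reliability" section below discusses.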

To give an example, if you have a 4-bit key, the search will require only 16 stages (rounds), that is, you need to check all possible combinations, starting with 0000 and ending with 1111. Naturally, such protection can be cracked quite quickly. But if we take larger keys, 16 bits will require 65,536 stages, and 256 bits will require 1.1 × 10^77. And as stated by American experts, it will take about 149 trillion years to select the correct combination (key).

What to use in practice when setting up a network: AES or TKIP encryption?

Now let's move on to using AES-256 when encrypting transmitted and received data in wireless networks.

As a rule, in any router there are several options to choose from: AES only, TKIP only and AES+TKIP. They are applied depending on the protocol (WPA or WPA2). But! TKIP is a legacy system because it is less secure and does not support 802.11n connections with data rates greater than 54 Mbps. Thus, the conclusion that AES should be preferred together with the WPA2-PSK security mode suggests itself, although both algorithms can be used in pairs.

Issues of reliability and security of AES algorithms

Despite the loud statements of experts, AES algorithms are theoretically still vulnerable, since the very nature of the cipher has a simple algebraic description. This was noted by Niels Ferguson. And in 2002, Josef Pieprzyk and Nicolas Courtois published a paper substantiating a potential XSL attack. True, it caused a lot of controversy in the scientific world, and some considered their calculations to be erroneous.

In 2005, it was suggested that an attack could use side channels, not just mathematical calculations. Moreover, one of the attacks calculated the key after 800 operations, and the other obtained it after 2^32 operations (in the eighth round).

Without a doubt, today this system could be considered one of the most advanced, if not for one thing. Several years ago, a wave of virus attacks swept across the Internet, in which an encryption virus (and also ransomware), penetrating computers, completely encrypted data, demanding a tidy sum of money for decryption. At the same time, the message noted that encryption was carried out using the AES1024 algorithm, which, until recently, was believed to not exist in nature.

Whether this is true or not, even the most famous anti-virus software developers, including Kaspersky Lab, were powerless when trying to decrypt the data. Many experts admitted that the notorious I Love You virus, which at one time infected millions of computers around the world and destroyed important information on them, turned out to be child's play in comparison with this threat. In addition, I Love You was aimed more at multimedia files, while the new virus only gained access to confidential information of large corporations. However, no one can say clearly that AES-1024 encryption was used here.

Conclusion

To summarize, in any case, we can say that AES encryption is by far the most advanced and secure, regardless of what key length is used. It is not surprising that this particular standard is used in most cryptosystems and has quite broad prospects for development and improvement in the foreseeable future, especially since it may be very likely to combine several types of encryption into one (for example, the parallel use of symmetric and asymmetric or block and stream encryption).

    Before reading this material, it is recommended that you read the previous articles in the series:
  • We build a network with our own hands and connect it to the Internet, part one - building a wired Ethernet network (without a switch, in the case of two computers and with a switch, as well as in the presence of three or more machines) and organizing Internet access through one of the network computers, on which has two network cards and the Windows XP Pro operating system is installed.
  • Part two: setting up wireless equipment in a peer-to-peer network - issues of organizing a network are discussed when using only wireless adapters.

In the previous article, only a few words were devoted to encryption in wireless networks; it was promised to cover this issue in a separate article. Today we are fulfilling our commitment :)

First, a little theory.

Encryption of data in wireless networks receives so much attention due to the very nature of such networks. Data is transmitted wirelessly using radio waves, generally using omnidirectional antennas. Thus, everyone hears the data - not only the person to whom it is intended, but also the neighbor living behind the wall or the “interested person” staying with a laptop under the window. Of course, the distances over which wireless networks operate (without amplifiers or directional antennas) are small - about 100 meters in ideal conditions. Walls, trees and other obstacles greatly dampen the signal, but this still does not solve the problem.

Initially, only the SSID (network name) was used for protection. But, generally speaking, this method can be called protection with a big stretch - the SSID is transmitted in clear text and no one is stopping an attacker from eavesdropping on it and then substituting the desired one in his settings. Not to mention that (this applies to access points) the broadcast mode for the SSID can be enabled, i.e. it will be force-broadcast to everyone listening.

Therefore, there was a need for data encryption. The first such standard was WEP - Wired Equivalent Privacy. Encryption is carried out using a 40- or 104-bit key (stream encryption using the RC4 algorithm on a static key). The key itself is a set of ASCII characters with a length of 5 (for a 40-bit key) or 13 (for a 104-bit key) characters. This set of characters is translated into a sequence of hexadecimal digits, which is the key. Drivers from many manufacturers allow you to enter hexadecimal values (of the same length) directly instead of a set of ASCII characters. Please note that the algorithms for converting from ASCII character sequences to hexadecimal key values may vary between manufacturers. Therefore, if your network uses heterogeneous wireless equipment and you are unable to configure WEP encryption using an ASCII key phrase, try entering the key in hexadecimal format instead.

But what about manufacturers' statements about support for 64- and 128-bit encryption, you ask? That's right, marketing plays a role here - 64 is more than 40, and 128 is more than 104. In reality, data encryption occurs using a key length of 40 or 104. But in addition to the ASCII phrase (the static component of the key), there is also such a thing as the Initialization Vector (IV). It serves to randomize the rest of the key. The vector is selected randomly and changes dynamically during operation. In principle, this is a reasonable solution, since it introduces a random component into the key. The vector length is 24 bits, so the total key length ends up being 64 (40+24) or 128 (104+24) bits.

Everything would be fine, but the encryption algorithm used (RC4) is currently not particularly strong - if you really want, you can find a key by brute force in a relatively short time. But still, the main vulnerability of WEP is associated precisely with the initialization vector. The IV is only 24 bits long. This gives us approximately 16 million combinations - 16 million different vectors. Although the figure “16 million” sounds quite impressive, everything in the world is relative. In real work, all possible key options will be used in a period from ten minutes to several hours (for a 40-bit key). After this, the vectors will begin to repeat. An attacker only needs to collect a sufficient number of packets by simply listening to the wireless network traffic and find these repetitions. After this, selecting the static component of the key (ASCII phrase) does not take much time.

But that is not all. There are so-called "weak" initialization vectors. The use of such vectors in a key allows an attacker to begin selecting the static part of the key almost immediately, rather than waiting several hours while passively accumulating network traffic. Many manufacturers build into the software (or the hardware of wireless devices) a check for such vectors, and if any are found they are silently discarded, i.e. they do not participate in the encryption process. Unfortunately, not all devices have this function.

Currently, some wireless equipment manufacturers offer “extended versions” of the WEP algorithm - they use keys longer than 128 (more precisely 104) bits. But in these algorithms only the static component of the key is increased. The length of the initialization vector remains the same, with all the ensuing consequences (in other words, we only increase the time for selecting a static key). It goes without saying that WEP algorithms with extended key lengths may not be compatible between different manufacturers.
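The two structural facts above, a per-packet key formed as IV || static key and a 24-bit IV space, are worth seeing in code. The following is an added example (not from the original article) that models the WEP key construction with a plain RC4 implementation, shows on constructed sample frames what happens when the same IV is used twice (the XOR of the two ciphertexts equals the XOR of the two plaintexts, no key needed), and works out the numbers behind "16 million" with the birthday bound. The 5-byte key and the frames are constructed for the example; nothing here recovers a key.

```python
import math
import random

# Added example, not from the original article. Models the WEP key
# construction described above (24-bit IV || static 40-bit key, RC4
# keystream XORed with the data) and the consequence of IV reuse.

IV_BITS = 24


def rc4_keystream(key, length):
    """Plain RC4: key scheduling, then the PRGA, returning `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(static_key, iv, payload):
    """Per-packet key = IV || static key; the IV is sent in clear with the frame."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV is 3 bytes")
    ks = rc4_keystream(iv + static_key, len(payload))
    return iv + bytes(p ^ k for p, k in zip(payload, ks))


def wep_decrypt(static_key, frame):
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + static_key, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def xor_of_plaintexts(frame_a, frame_b):
    """Why a repeated IV is fatal: same IV => same keystream, so
    C1 xor C2 == P1 xor P2 without knowing the key. None if IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))


def iv_space():
    return 2 ** IV_BITS  # the "16 million" from the text


def expected_packets_to_first_repeat():
    """Birthday bound: about sqrt(pi/2 * N) random IVs before the first repeat."""
    return math.sqrt(math.pi / 2 * iv_space())


def seconds_to_exhaust(packets_per_second):
    """Time until a sequential IV counter wraps at the given packet rate."""
    return iv_space() / packets_per_second


def simulate_first_repeat(seed=1):
    """Draw random 24-bit IVs until one repeats; returns the packet count."""
    rng = random.Random(seed)
    seen = set()
    while True:
        iv = rng.getrandbits(IV_BITS)
        if iv in seen:
            return len(seen) + 1
        seen.add(iv)


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"  # constructed 40-bit static key
    iv = b"\x00\x00\x01"
    f1 = wep_encrypt(key, iv, b"hello wireless")
    f2 = wep_encrypt(key, iv, b"HELLO WIRELESS")  # same IV reused
    print(xor_of_plaintexts(f1, f2).hex())
    print(iv_space(), round(expected_packets_to_first_repeat()),
          seconds_to_exhaust(1000) / 3600, simulate_first_repeat())
```

With random IVs the first repeat is expected after only about 5,000 frames, and with a sequential counter the whole space wraps in roughly 4.7 hours at 1,000 frames per second; either way the repeated-IV condition the text describes arrives far sooner than "16 million" suggests, which is the defender's reason to treat WEP as no encryption at all.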

Did you scare me well? ;-)

Unfortunately, when using the 802.11b protocol, you cannot select anything other than WEP. More precisely, some (minority) manufacturers supply various implementations of WPA encryption (using software methods), which is much more stable than WEP. But these “patches” are incompatible even within the equipment of the same manufacturer. In general, when using 802.11b equipment, there are only three ways to encrypt your traffic:

  • Use WEP with the maximum key length (128 bits or more); if the equipment supports rotating through a list of keys (up to four), it is advisable to enable that rotation.
  • Use the 802.1x standard.
  • Use third-party software to build VPN tunnels (encrypted data streams) over the wireless network. A VPN server (usually with PPTP support) is installed on one machine and VPN clients are configured on the others. This topic needs separate treatment and is beyond the scope of this article.

802.1x relies on a combination of several protocols:

  • EAP (Extensible Authentication Protocol) - a protocol for extensible authentication of users or remote devices;
  • TLS (Transport Layer Security) - a transport layer security protocol; it ensures the integrity of data transmitted between server and client, as well as their mutual authentication;
  • RADIUS (Remote Authentication Dial-In User Service) - an authentication server for remote clients; it performs user authentication.

802.1x authenticates remote clients and supplies them with temporary keys for encrypting data. The keys (in encrypted form) are sent to the client for a short period, after which a new key is generated and sent. The encryption algorithm is unchanged, still RC4, but the frequent key rotation makes it very hard to crack. Among Microsoft operating systems, this protocol is supported only in Windows XP. Its big drawback (for the end user) is that it requires a RADIUS server, which a home network will most likely not have.

Devices that support the 802.11g standard also support the improved encryption scheme WPA (Wi-Fi Protected Access). By and large, this is an interim standard designed to fill the security gap until the IEEE 802.11i protocol (so-called WPA2) arrives. WPA includes 802.1X, EAP, TKIP and MIC.

Of these, TKIP and MIC have not yet been covered:

  • TKIP (Temporal Key Integrity Protocol) implements dynamic encryption keys; in addition, each device on the network receives its own master key (which also changes from time to time). The encryption keys are 128 bits long and are generated by a complex algorithm; the total number of possible keys reaches hundreds of billions, and they change very often. The underlying cipher, however, is still RC4.
  • MIC (Message Integrity Check) is a packet integrity check. It allows packets that were "inserted" into the channel by a third party, i.e. that did not come from a valid sender, to be discarded.

TKIP's many advantages do not make up for its main drawback: the RC4 cipher it uses for encryption. Although no cases of breaking TKIP-based WPA have been reported so far, who knows what the future will bring? That is why the AES (Advanced Encryption Standard) cipher, which is replacing TKIP, is becoming increasingly popular. Incidentally, the forthcoming WPA2 standard makes AES encryption mandatory.

What conclusions can be drawn?

  • if the network contains only 802.11g devices, it is better to use WPA-based encryption;
  • if possible (if all devices support it), enable AES encryption.

Let's move on to directly setting up encryption on devices. I'm using the same wireless adapters as in the previous article:

The Asus WL-100g CardBus adapter is installed in the laptop. The card is managed by the ASUS utility (ASUS WLAN Control Center).

The ASUS WL-140 external USB adapter. It is managed through the interface built into Windows XP (Wireless Zero Configuration). This is an 802.11b card, so it does not support WPA.

The Asus WL-130g PCI card. Its management interface comes from Ralink (the manufacturer of this card's chipset).

ASUS WLAN Control Center - ASUS WL-100g

Let's start with encryption setup in the ASUS WLAN Control Center. All settings are gathered in the Encryption section. First, select the authentication type (Network Authentication); three types are available: Open System, Shared Key and WPA.

1. WEP encryption.

The Open System and Shared Key types are the two authentication modes built into WEP. Open System mode is insecure and strongly discouraged whenever Shared Key can be enabled, because in Open System mode joining a wireless network (associating with another station or an access point) requires knowing only the network SSID, whereas in Shared Key mode a WEP key common to the whole network must also be set.

Next, select Encryption - WEP and a key size of 128 bits (it's better not to use a 64-bit key at all). Choose the key format: HEX (the key is entered in hexadecimal) or generation from an ASCII sequence (remember that generation algorithms may differ between manufacturers). Bear in mind that the WEP key (or keys) must be identical on all devices in the network. Up to four keys can be entered; the last item selects which one is in use (Default Key). There is also another option here: using all four keys in turn, which increases security (but is compatible only between devices from the same manufacturer).

2. WPA encryption.

If supported on all devices (usually 802.11g devices), it is highly recommended to use this mode instead of the outdated and vulnerable WEP.

Typically, wireless devices support two WPA modes:

  • Standard WPA. Not suitable for us, since it requires a RADIUS server on the network (and works only together with an access point).
  • WPA-PSK - WPA with Pre-Shared Keys. This is what we need: a key (the same for all devices) is entered manually on every wireless adapter, and the initial authentication of stations is carried out with it.

Either TKIP or AES can be chosen as the encryption algorithm. The latter is not implemented on every wireless client, but if all stations support it, it is the better choice. Wireless Network Key is that shared Pre-Shared Key. Make it long and do not use a dictionary word or a set of words; ideally it should look like random gibberish.
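What actually becomes of the Wireless Network Key, as an added example that is not part of the original article: IEEE 802.11i turns the passphrase into a 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1, salted with the SSID and iterated 4096 times, which is why every station needs the same passphrase and the same SSID. The policy check applies the advice above (long, not a dictionary word, not a set of words); its thresholds and the tiny word list are this example's own assumptions.

```python
# Added example (not from the original article): what happens to the
# "Wireless Network Key" of WPA-PSK. IEEE 802.11i turns the passphrase into a
# 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1, salted with the SSID and
# iterated 4096 times; the policy thresholds in the check below are this
# example's own assumptions, not figures from the article.
import hashlib
import string

PBKDF2_ROUNDS = 4096
PMK_BYTES = 32

# constructed stand-in for a real word list
COMMON_WORDS = {"password", "internet", "wireless", "computer", "network"}


def wpa_psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK (the 'PSK' in 802.11i terms). The SSID is part of the
    input, so the same passphrase gives a different PMK on a different SSID."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_BYTES)


def passphrase_problems(passphrase: str) -> list:
    """Apply the article's advice: long, not a dictionary word, not just a
    set of words. Returns the complaints, empty when the passphrase passes."""
    problems = []
    if len(passphrase) < 20:
        problems.append("shorter than 20 characters")
    # strip digits/punctuation so "password123!" still counts as "password"
    words = [w.strip(string.punctuation + string.digits).lower()
             for w in passphrase.split()]
    if all(w in COMMON_WORDS for w in words):
        problems.append("made only of dictionary words")
    classes = sum(any(c in cls for c in passphrase) for cls in
                  (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, string.punctuation))
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


if __name__ == "__main__":
    pmk = wpa_psk_to_pmk("password", "IEEE")  # 802.11i Annex test vector
    print(pmk.hex())
    print(passphrase_problems("password"))
    print(passphrase_problems("Correct Horse Battery Staple 7!"))  # []
```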

After clicking the Apply (or Ok) button, the specified settings will be applied to the wireless card. At this point, the procedure for setting up encryption on it can be considered complete.

Control interface implemented by Ralink - Asus WL-130g

The setup is not very different from the ASUS WLAN CC interface already discussed. In the window that opens, go to the Profile tab, select the desired profile and click Edit.

1. WEP encryption.

Encryption is configured on the Authentication and Security tab. If WEP encryption is enabled, select Shared (i.e. shared key) under Authentication type.

Select the encryption type WEP and enter up to four ASCII or hexadecimal keys. The key length cannot be set in this interface; a 128-bit key is always used.

2. WPA encryption.

Selecting WPA-None under Authentication type enables WPA shared-key encryption. Select the encryption type (Encryption), TKIP or AES, and enter the shared key (WPA Pre-Shared Key).

This completes the encryption configuration in this interface. To save the settings in the profile, just click Ok.

Wireless Zero Configuration (Windows built-in interface) - ASUS WL-140

ASUS WL-140 is an 802.11b card, so it only supports WEP encryption.

1. WEP encryption.

In the wireless adapter settings, go to the Wireless Networks tab. Select our wireless network and press the Configure button.

In the window that appears, enable Data encryption. Also enable Network authentication; leaving it off selects Open System authentication, i.e. any client that knows the SSID can connect to the network.

Enter the network key (and repeat it in the next field). Check its index (ordinal number); usually it is one (i.e. the first key). The key number must be the same on all devices.

The key (network password), as the operating system tells us, must contain either 5 or 13 characters or be entered entirely in hexadecimal. Note again that the algorithm for converting a key from characters to hexadecimal may differ between Microsoft and the manufacturers' own wireless management utilities, so it is more reliable to enter the key in hexadecimal (i.e. digits 0 to 9 and letters A to F).

There is also a checkbox in the interface for automatic key provisioning, but I do not know exactly where it would work. The help says the key can be hardwired into the wireless adapter by its manufacturer. In general, it is better not to enable this option.

At this point, the encryption setup for the 802.11b adapter can be considered complete.

By the way, about the help built into the OS: most of what is said here, and more, can be found in Help and Support Center, which has a good help system; just enter keywords and click the green search arrow.

2. WPA encryption.

Having examined the encryption settings using the 802.11b ASUS WL-140 adapter as an example, we have not yet touched on WPA settings in Windows, since that card does not support WPA. Let's look at this using another adapter, the ASUS WL-100g. WPA can be configured in Windows XP once Service Pack 2 (or the corresponding updates from the Microsoft website) is installed.

Service Pack 2 greatly expands the functionality and convenience of wireless network settings. The main menu items have not changed, but new ones have been added.

Encryption is configured in the standard way: first select the wireless adapter icon, then press the Properties button.

Go to the Wireless Networks tab and choose the network to configure (usually there is only one). Click Properties.

In the window that appears, select WPA-None, i.e. WPA with pre-shared keys (selecting Compatible enables the WEP configuration mode already described above).

Select AES or TKIP (if every device on the network supports AES, choose it) and enter the WPA key twice (the second time in the confirmation field). Preferably something long and hard to guess.

After clicking Ok, the WPA encryption setup can also be considered complete.

In conclusion, a few words about the wireless network setup wizard that arrived with Service Pack 2.

In the network adapter properties, press the Wireless network button.

In the window that appears, click on Set up a wireless network.

This screen tells us where we have ended up. Click Next.

Choose Set up a wireless network (selecting Add lets you create profiles for other computers in the same wireless network).

In the window that appears, set the network SSID, enable WPA encryption if possible and choose how the key is entered: either leave generation to the operating system or enter the keys manually. If the first option is selected, a window pops up asking for the required key (or keys). The wizard then offers two ways to carry the settings to the other machines:

  • in a text file, for subsequent manual entry on the other machines;
  • saving the profile to a USB flash drive for automatic import on other machines running Windows XP with Service Pack 2.

If saving to flash was selected, the next window prompts you to insert the flash media and select it from the menu.

If manual saving of the parameters was selected, then after pressing the Print button

... a text file with the parameters of the configured network is displayed. Note that the generated keys are random and long (i.e. good), but TKIP is used as the encryption algorithm. AES can be enabled manually later in the settings, as described above.

Summary

We have finished setting up encryption on all the wireless adapters. Now check whether the computers can see each other; how to do this was described in the second part of the "do-it-yourself networks" series (proceed just as when encryption was not enabled).

If things go wrong and not all computers see each other, check the common adapter settings:

  • the authentication algorithm must be the same everywhere (Shared Key or WPA);
  • the encryption algorithm must be the same everywhere (WEP 128-bit, WPA-TKIP or WPA-AES);
  • the key length (for WEP) must be the same on all stations (normally 128 bits);
  • the key itself must be the same on all stations. With WEP, a likely cause of a mismatch is an ASCII key on a network of mixed equipment (from different manufacturers); try entering the key in hexadecimal.
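The last item of the checklist, and the earlier warnings that ASCII-to-key generation differs between manufacturers, as an added example that is not part of the original article: a 5- or 13-character key typed as ASCII maps byte-for-byte onto a 40- or 104-bit key, whereas a "generated" key passes the passphrase through a vendor algorithm first. The two generators shown are the ones commonly found in vendor utilities for 40-bit and 104-bit keys; which utility, if any, uses them is an assumption here, which is exactly why comparing keys in hex is the reliable check.

```python
# Added example (not from the original article): normalising a WEP key to
# hex so it can be compared across adapters. The two passphrase generators
# are ones commonly found in vendor utilities for 40-bit and 104-bit keys;
# whether a given utility uses them is an assumption, which is why hex entry
# is the safe choice when equipment from different manufacturers is mixed.
import hashlib
import re

HEX_LENGTHS = {10: 40, 26: 104}    # hex digits -> WEP key bits
ASCII_LENGTHS = {5: 40, 13: 104}   # raw ASCII characters -> WEP key bits


def wep_key_to_hex(key: str) -> str:
    """Canonical lowercase hex for a key typed as hex or as 5/13 ASCII chars."""
    if len(key) in HEX_LENGTHS and re.fullmatch(r"[0-9a-fA-F]+", key):
        return key.lower()
    if len(key) in ASCII_LENGTHS and key.isascii():
        return key.encode("ascii").hex()  # direct byte mapping, no generation
    raise ValueError("WEP key must be 10/26 hex digits or 5/13 ASCII chars")


def neesus_40bit_keys(passphrase: str) -> list:
    """Common 40-bit passphrase generator: XOR the passphrase into a 32-bit
    seed, then draw 4 x 5 key bytes from a linear congruential generator."""
    seed = 0
    for i, ch in enumerate(passphrase.encode("ascii")):
        seed ^= ch << ((i & 3) * 8)
    keys = []
    for _ in range(4):
        key = bytearray()
        for _ in range(5):
            seed = (seed * 0x343FD + 0x269EC3) & 0xFFFFFFFF
            key.append((seed >> 16) & 0xFF)
        keys.append(key.hex())
    return keys


def md5_104bit_key(passphrase: str) -> str:
    """Common 104-bit generator: repeat the passphrase to 64 bytes, MD5 it,
    keep the first 13 bytes."""
    buf = (passphrase.encode("ascii") * 64)[:64]
    return hashlib.md5(buf).hexdigest()[:26]


def keys_match(key_a: str, key_b: str) -> bool:
    """True when two keys, however typed, would programme identical key bytes."""
    return wep_key_to_hex(key_a) == wep_key_to_hex(key_b)


if __name__ == "__main__":
    print(wep_key_to_hex("hello"))           # 68656c6c6f (direct mapping)
    print(neesus_40bit_keys("hello")[0])     # a different 40-bit key
    print(keys_match("hello", "68656C6C6F")) # True
```

The direct mapping and the generator disagree for the same word, which is the symptom the checklist describes; only the hex form can be compared with certainty.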

Wi-Fi encryption - which protocol to choose?

I bought myself a new router and decided to configure it myself. Everything is set up - the Internet and wireless network are working. A question arose, because radio waves (Wi-Fi in my case) propagate not only within my apartment. Accordingly, they can be intercepted. In theory. The router has a wireless network encryption setting. I assume that it is precisely to exclude interception and “eavesdropping”. The question is, which of the encryption protocols available in my router should I choose? Available: WPE, WPA-Personal, WPA-Enterprise, WPA2-Personal, WPA2-Enterprise, WPS. Which Wi-Fi encryption should I use in my case?


norik | 16 February 2015, 10:14
I will omit descriptions of any outdated Wi-Fi encryption protocols. Therefore, I will describe only those that make sense to use. If the protocol is not described here, then either it is exotic or you do not need it.

WPA and WPA2 (Wi-Fi Protected Access) - available on all routers. The most popular and widespread protocol. It is also one of the most modern. IMHO - the best choice for home and small office. However, it is also quite suitable for large offices, except that it makes sense to make authorization more complicated. Its password length is up to 63 bytes, so if you crack it by guessing, you can turn gray earlier. Of course, you need to choose WPA2 if it is supported by all devices on the network (only very old gadgets do not understand it).

What's really valuable is that multiple encryption algorithms can be used within this service. Among them:
1. TKIP - I do not recommend it, since it is quite possible to find a hole.
2. CCMP - much better.
3. AES - I like it the most, but it is not supported by all devices, although it is included in the WPA2 specification.

WPA2 also provides two initial authentication modes. These modes are PSK and Enterprise. WPA Personal, also known as WPA PSK, means that all users log into the wireless network with a single password entered on the client side at the time of connecting to the network. Great for home, but problematic for a large office. It will be difficult to change the password for everyone every time another employee who knows it quits.

WPA Enterprise requires a separate server with a set of keys. For a home or office with 6 machines, this is cumbersome, but if there are 3 dozen wireless devices in the office, then you can take care.

Actually, this exhausts the choice of Wi-Fi encryption at the moment. The remaining protocols either do not have encryption or a password at all, or have holes in the algorithms that only the very lazy would not get into. I recommend the WPA2 Personal AES combination for home use. For large offices - WPA2 Enterprise AES. If there is no AES, then you can get by with TKIP, but then there is still the possibility of packets being read by an outsider. There is an opinion that WPA2 TKIP was never hacked, unlike WPA TKIP, but it was protected...