Re: WPA2-TKIP was: A Question about WRT600N wireless router..

On 23/09/2009 14:56, John Navas wrote:
On Wed, 23 Sep 2009 01:22:30 -0700 (PDT), berk<bayareaberk@xxxxxxxxx>
wrote in
<e3e1236c-b22b-4754-b81b-6ea2d3478b9e@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>:

On Sep 21, 3:42 pm, Jeff Liebermann<je...@xxxxxxxxxx> wrote:
<snip>.

2. There is no such thing as WPA2-TKIP. WPA2 always uses AES
encryption.

How would this be towards better understanding?:

There is no such thing as WPA2-TKIP;
There is WPA2-AES and WPA-AES+TKIP, but no 'TKIP' by itself.

"Understanding the updated WPA and WPA2 standards"
<http://blogs.zdnet.com/Ou/?p=67>

The encryption piece of WPA and WPA2 mandates the use of TKIP or,
because it’s considered to be more secure than TKIP, preferably AES
encryption. From an encryption standpoint, WPA leaves AES optional
while WPA2 mandates both TKIP and AES capability.
It does not mandate the use of TKIP with WPA2.
Your ref doc uses the wifi alliance as the creators:-
"The WPA and WPA2 standards were created by the Wi-Fi Alliance industry group that promotes interoperability and security for the wireless LAN industry."
From the WiFi Alliance:-
"WPA2 is today's generation of Wi-Fi security. It is founded on two key protocols: (1) Advanced Encryption Standard (AES), the encryption protocol used by the United States and other governments to protect confidential and classified information, and by the enterprise to secure WLANs, and (2) IEEE 802.1X, a standard widely used in corporate networks to provide robust authentication and sophisticated network access control features. WPA2 is based on IEEE 802.11i and provides 128-bit AES-based encryption. It also provides mutual authentication with Pre-Shared Key (PSK; in Personal mode) and with IEEE 802.1X / EAP (in Enterprise mode). In 2004 the Wi-Fi Alliance introduced WPA2 certification. In 2006 WPA2 certification became mandatory for all Wi‑Fi CERTIFIED equipment submitted for certification."
<http://www.wi-fi.org/knowledge_center_overview.php?docid=4582>

Although AES is preferred from a security standpoint, other important
issues are (1) what the equipment actually supports and (2) amount of
overhead.

AES will usually have less overhead than TKIP with AES hardware support
(at both ends of the radio link), but more overhead with only software
support. Unfortunately, often the only way to tell is to actually test
the equipment.

Some equipment (and DD-WRT) support TKIP+AES with automatic fallback,
but, unfortunately, "a chain is only as strong as its weakest link", and
this essentially obviates the security advantage of AES unless WPA2 is
forced.


.

Quantcast