TKIP or AES?

Sorry, this is double posted in bt.broadband support, now realise that
this is the best NG for this post.

XP Pro, SP3, BT Hub, Belkin Wireless G card.

I have a single user desktop and have installed the Windows WPA2
security
update:

http://support.microsoft.com/kb/893357

Have also allowed Windows to handle my wireless connection, rather than
my Belkin G wireless card utility. My BT Hub security is set to WPA2
only and I have a 63 character alpha-numeric security key.

Everything is working OK, touch wood.

Just a couple of points I'd like to get clear in my mind.

1. Bearing in mind that no laptop or other device is going to connect
wirelessly, which data encryption is best to use, AES or TKIP, and
what's the difference?

2. Although everything is working OK, I thought it depended on the
lowest common denominator. To my knowledge, my Belkin Wireless G card is
incapable of handling WPA2. Or, is it that the wireless card UTILITY is
incapable of handling WPA2?
Do I assume that the Hub handles all the security and that the Belkin
card just picks up the resulting signal?

 

I think AES is better. Or check this post.
Which is more secure wireless settings
Wireless Security Options. When setup wireless security, you may have
many options. ... Here are the options I see >> WEP , WPA and WPA2 ...
www.chicagotech.net/netforums/viewtopic.php?p=6030&sid=7fc46f53f494db7936cacd787e302378


--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com

 

Q1: No device needs to connect to listen to the message stream. A
reasonaby savvy lurker just downloads messages and tries to decrypt them.
If I recall correctly, it is AES.
Q2. It would be the card that is the limiting factor because encrypting
should be done in hardware for the best performance. And, you are wrong to
assume that the router handles all of the security.
As the entire message is encrypted, the router decrypts messages from the
card before sending them to the destination. The card decrypts messages
from the router before sending them up the layers of software.

Jim

 

You might look at this from the WiFi Alliance. AES is done in hardware
because of the computational requirements. As far as I know AES is
required for WPA2 while TKIP is required for WPA.

http://www.wi-fi.org/files/kc_11_WPA2_QandA_3-23-05.pdf

....and this...

http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access

With a sufficiently long random ASCII key both should be equally safe
for home users. Personally I use WPA2-Personal (WPA2-PSK [AES]) and like
you a 63-character random ASCII key.

--

Al Jarvi (MS-MVP Windows - Desktop User Experience)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...
How to ask a question
http://support.microsoft.com/KB/555375

 

Hi
From the weakest to the strongest, Wireless security capacity is.
No Security
MAC______(Band Aid if nothing else is available).
WEP64____(Easy, to "Break" by knowledgeable people).
WEP128___(A little Harder, but "Hackable" too).
WPA-PSK__(Very Hard to Break).
WPA-AES__(Not functionally Breakable)
WPA2____ (Not functionally Breakable).
Note 1: WPA-AES the the current entry level rendition of WPA2.
Note 2: If you use WinXP and did not updated it you would have to download
the WPA2 patch from Microsoft. http://support.microsoft.com/kb/893357
The documentation of your Wireless devices (Wireless Router, and Wireless
Computer's Card) should state the type of security that is available with
your Wireless hardware.
All devices MUST be set to the same security level using the same pass
phrase.
Therefore the security must be set according what ever is the best possible
of one of the Wireless devices.
I.e. even if most of your system might be capable to be configured to the
max. with WPA2, but one device is only capable to be configured to max . of
WEP, to whole system must be configured to WEP.
If you need more good security and one device (like a Wireless card that can
do WEP only) is holding better security for the whole Network, replace the
device with a better one.
The Core differences between WEP, WPA, and WPA2 -
http://www.ezlan.net/wpa_wep.html
Jack (MVP-Networking).

 

AES is better. It is based on the rijndael block cipher whereas TKIP,
like WEP before it, is based on the RC4 stream cipher although the
implementation in WPA/TKIP is much more secure than in WEP

WPA/TKIP is for users running legacy hardware which can't handle AES.
Anything running WEP is supposedly software upgradable to WPA/TKIP
whereas WPA/AES won't work on some old gear.


Jim.

 

doesn't answer your question directly but worth reading:
http://www.itworld.com/security/57285/once-thought-safe-wpa-wi-fi-encryption-cracked

 

Q1: Will stick to AES, thanks.

Q2: Have set my comp to use WPA2 for ages now and this is what confuses
me. Not long ago I DID have my niece's laptop (with Windows WPA2 update
installed) connecting to my computer (with correct security key). She
had a relatively old Linksys USB wireless adapter, so it didn't surprise
me to see that when using Windows to "View available networks", my BT
Hub showed up as just WPA protected.

Have just looked at the spec of my Belkin Wireless G card and it states
"Features wireless 64- and 128-bit WEP encryption" (no mention of WPA
let alone WPA2). When I "View available networks" my Hub shows
"Security-enabled wireless network (WPA2)".

I'm positive that my Belkin card is older than my niece's USB adapter
and doesn't handle anything but WEP, so why is the network showing up as
WPA2 enabled?

 

Sorry, meant to add: Is it the Belkin card itself that is not WPA(2)
capable or is it the UTILITY, as I queried earlier? When you allow
Windows to handle the wireless connection surely it becomes the
utility/driver, thus allowing for higher security. As security settings
are set with the utility (in this case Windows), perhaps the card is
merely transmitting the resultant data?

 

First, your BT "Hub" is really a router. A hub is an altogether
different piece of network equipment from a router.
http://www.practicallynetworked.com/networking/bridge_types.htm

With respect to wireless security, *both* the router *and* the adapter
perform encryption and decryption. The router encrypts info that it
sends to your computer and your adapter decrypts those messages when it
receives them. And vice versa - your adapter encrypts info that you send
to the router and the router decrypts those messages.

There is some inconsistency with your description: how can you be
positive that your Belkin card is capable of only WEP if you've been
using WPA2 for ages? This does not compute.

Many WiFi products with the same product name have been substantially
changed through the use of "version" nomenclature. The main "features"
page of the product may not have been updated to reflect these changes.
Thus, your Belkin adapter almost certainly *is* WPA2 capable (if you
have been using it to connect to a WPA2 network). For example, if you
have a Belkin F5D7000 PCI wireless-G adapter, the main product page says
only "Features wireless 64- and 128-bit WEP encryption." The specs page,
however, says "WPA, WPA2, 64-bit/128-bit encryption" (of course, the
spec page also says that it's an IEEE 802.11b card when we know, by
definition, that it's IEEE 802.11g).

And, as others in the thread have noted, in order to use WPA2, you need
*both* a utility that knows about WPA2 *and* hardware that's capable of
WPA2. If you've installed the WPA2 update, then you have the correct
utility.

As far as your niece's Linksys USB adapter, the basic Linksys wireless-G
USB adapter, the WUSB54G, is now up to version 4, but even version 1 can
handle WPA (not WPA2) with the current driver. (The User Guide for
version 4 mentions something called "PSK2." I believe that's what
Linksys used to describe WPA2 (perhaps before the product was certified
by the WiFi alliance, and so couldn't use "WPA2"). So if your niece has
this version of this device, she probably can use WPA2. That term
doesn't appear in the v.1 or v.2 manuals.)

Finally, *all* devices on a wireless network must use the same level of
encryption. Thus, if your niece's hardware really can only handle WPA,
you'll have to reconfigure your router to use WPA. In this case, use
WPA-PSK (AES).
--
Lem -- MS-MVP

To the moon and back with 2K words of RAM and 36K words of ROM.
http://en.wikipedia.org/wiki/Apollo_Guidance_Computer
http://history.nasa.gov/afj/compessay.htm

 

You are quite right about the Belkin, I was looking at the Features page
rather than the Spec page.

I can stop scratching my head now.

Thanks for a very detailed and comprehensive answer.

 

Thanks to all who responded to this post and especially, Lem.

 

Surely if the hardware is capable of handling AES encryption then it
is also capable of handling (AES based) CCMP authentication and key
management?

In other words, isn't WPA2-PSK (or WPA-PSK2) and WPA-PSK(AES) the
same thing?


Jim.

 

My apologies to Mr Lem and Mr Smirnoff for the error in quoting. I was
quoting Mr Lem.


Jim.