From: "Lewis G Rosenthal"
Received: from [68.236.178.101] (account lgrosenthal HELO [192.168.2.140]) by 2rosenthals.com (CommuniGate Pro SMTP 5.0.9) with ESMTPA id 553582 for os2-wireless_users@2rosenthals.com; Thu, 23 Nov 2006 01:33:16 -0500
Message-ID: <4565409C.9090008@2rosenthals.com>
Date: Thu, 23 Nov 2006 01:33:00 -0500
Organization: Rosenthal & Rosenthal, LLC
User-Agent: Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.9a1) Gecko/20060904 SeaMonkey/1.5a
MIME-Version: 1.0
To: OS/2 Wireless Users
Subject: WPA vs WPA2; TKIP vs AES
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

A quick reference for those who are totally confused...

To borrow the help text from the DD-WRT firmware help (edited somewhat for brevity; my comments appear within square brackets):

WPA Pre-Shared Key [sometimes listed as WPA Personal]

TKIP stands for Temporal Key Integrity Protocol, which utilizes a stronger encryption method than WEP, and incorporates Message Integrity Code (MIC) to provide protection against packet tampering. AES stands for Advanced Encryption System, which utilizes a symmetric 128-Bit block data encryption and MIC. You should choose AES if your wireless clients support it.

[The TKIP encryption is attained using the RC4 stream cipher. MIC is used instead of CRC (WEP utilizes CRC, and this is one of its weaknesses). AES was not officially supported until WPA2, so there may be some issues with routers purporting to support AES under WPA, particularly with older firmware (pre-WPA2 support).]

WPA RADIUS [sometimes listed as WPA Enterprise]

WPA RADIUS uses an external RADIUS server to perform user authentication. To use WPA RADIUS, enter the IP address of the RADIUS server, the RADIUS Port (default is 1812) and the shared secret from the RADIUS server.

[Currently, XWLAN does not provide an 802.1X supplicant necessary to authenticate against a RADIUS server, so avoid this setting for now.]
WPA2 Only

WPA2 uses 802.11i to provide additional security beyond what is provided in WPA. AES is required under WPA2, and you may need additional updates to your OS and/or wireless drivers for WPA2 support. Please note WPA2/TKIP is not a supported configuration. Additionally, the WPA2 security mode is not supported under WDS.

[WPA2 utilizes a 256-bit AES encryption scheme, via the Rijndael algorithm. As is always the case with passphrases, the longer, the better. While WPA2 encrypts the passphrase itself using PBKDF2 key derivation, weak passphrases (dictionary words or short sequences) can be cracked. The recommended minimum daily allowance ( ;-) ) is at least five diceware words (see http://en.wikipedia.org/wiki/Diceware) or 14 random characters, with tightest security achieved with eight diceware words or 22 random characters.]

WPA2 Mixed

This mode allows for mixing WPA2 and WPA clients. If only some of your clients support WPA2 mode, then you should choose WPA2 Mixed. For maximum interoperability, you should choose WPA2 Mixed/TKIP+AES.

[This is good advice, if your router supports it and you are not paranoid. ;-) Note that when you see entries for TKIP+AES, this *doesn't* mean that AES works *without* TKIP *unless* you set this option; instead, it implies that the AP will *accept* TKIP only, if the client does not provide an AES-encrypted passphrase.]

RADIUS

RADIUS utilizes either a RADIUS server for authentication or WEP for data encryption. To utilize RADIUS, enter the IP address of the RADIUS server and its shared secret. Select the desired encryption bit (64 or 128) for WEP and enter either a passphrase or a manual WEP key.

[Same notes apply here, as I mentioned above.]

WEP

There are two levels of WEP encryption, 64-bit (40-bit) and 128-bit [104-bit]. To utilize WEP, select the desired encryption bit, and enter a passphrase or up to four WEP keys in hexadecimal format.
If you are using 64-bit (40-bit), then each key must consist of exactly 10 hexadecimal characters. For 128-bit, each key must consist of exactly 26 hexadecimal characters. Valid hexadecimal characters are "0"-"9" and "A"-"F". Check your wireless clients to see which encryption level they support. Use of WEP is discouraged due to security weaknesses, and one of the WPA modes should be used whenever possible. Only use WEP if you have clients that can only support WEP (usually older, 802.11b-only clients).

[I highly recommend that you not go through the painful exercise of configuring WEP keys. 128-bit...er...104-bit WEP can be cracked in seconds with the right tools and enough traffic in the air, as compared to the agony of manually entering keys. Also, do *not* assume that if you enter a passphrase in your AP and allow it to hash the keys for you that the same hash will result when you do the same in a Wi-Fi client (some client software allows you to do this; XWLAN does not - thankfully). Quite often, the hash is different between manufacturers - or even firmware revs in the same unit, resulting in even more lost time and frustration.]

I hope this helps clarify some of the newer technology we may now enjoy, thanks to the hard work of those few who do so much.

-- 
Lewis
------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE
Rosenthal & Rosenthal, LLC
Accountants / Network Consultants
New York / Northern Virginia          www.2rosenthals.com
eComStation Consultants               www.ecomstation.com
Novell Users Int'l                    www.novell.com/openenterpriseserver
Need a managed Wi-Fi hotspot?         www.hautspot.com
------------------------------------------------------------