Mailing List os2-wireless_users@2rosenthals.com Archived Message #1820

From: "Lewis G Rosenthal" <os2-wireless_users@2rosenthals.com>
Subject: WPA vs WPA2; TKIP vs AES
Date: Thu, 23 Nov 2006 01:33:00 -0500
To: OS/2 Wireless Users <os2-wireless_users@2rosenthals.com>

A quick reference for those who are totally confused...

To borrow the help text from the DD-WRT firmware help (edited somewhat for brevity; my comments appear within square brackets):

WPA Pre-Shared Key [sometimes listed as WPA Personal]
   TKIP stands for Temporal Key Integrity Protocol, which utilizes a
   stronger encryption method than WEP, and incorporates Message
   Integrity Code (MIC) to provide protection against packet tampering.
   AES stands for Advanced Encryption System, which utilizes a
   symmetric 128-Bit block data encryption and MIC. You should choose
   AES if your wireless clients support it. [The TKIP encryption is
   attained using the RC4 stream cipher. MIC is used instead of CRC
   (WEP utilizes CRC, and this is one of its weaknesses). AES was not
   officially supported until WPA2, so there may be some issues with
   routers purporting to support AES under WPA, particularly with older
   firmware (pre-WPA2 support).]

WPA RADIUS [sometimes listed as WPA Enterprise]
   WPA RADIUS uses an external RADIUS server to perform user
   authentication. To use WPA RADIUS, enter the IP address of the
   RADIUS server, the RADIUS Port (default is 1812) and the shared
   secret from the RADIUS server. [Currently, XWLAN does not provide an
   802.1X supplicant necessary to authenticate against a RADIUS server,
   so avoid this setting for now.]

WPA2 Only
   WPA2 uses 802.11i to provide additional security beyond what is
   provided in WPA. AES is required under WPA2, and you may need
   additional updates to your OS and/or wireless drivers for WPA2
   support. Please note WPA2/TKIP is not a supported configuration.
   Additionally the WPA2 security mode is not supported under WDS. [WPA2
   utilizes a 256-bit AES encryption scheme, via the Rijndael
   algorithm. As is always the case with passphrases, the longer, the
   better. While WPA2 encrypts the passphrase itself using PBKDF2 key
   derivation, weak passphrases (dictionary words or short sequences)
   can be cracked. The recommended minimum daily allowance ( ;-) ) is
   at least five diceware words (see
   http://en.wikipedia.org/wiki/Diceware) or 14 random characters, with
   tightest security achieved with eight diceware words or 22 random
   characters.]

WPA2 Mixed
   This mode allows for mixing WPA2 and WPA clients. If only some of
   your clients support WPA2 mode, then you should choose WPA2 Mixed.
   For maximum interoperability, you should choose WPA2 Mixed/TKIP+AES.
   [This is good advice, if your router supports it and you are not
   paranoid. ;-) Note that when you see entries for TKIP+AES, this
   *doesn't* mean that AES works *without* TKIP *unless* you set this
   option; instead, it implies that the AP will *accept* TKIP only, if
   the client does not provide an AES-encrypted passphrase.]

RADIUS
   RADIUS utilizes either a RADIUS server for authentication or WEP for
   data encryption. To utilize RADIUS, enter the IP address of the
   RADIUS server and its shared secret. Select the desired encryption
   bit (64 or 128) for WEP and enter either a passphrase or a manual
   WEP key. [Same notes apply here, as I mentioned above.]

WEP
   There are two levels of WEP encryption, 64-bit (40-bit) and 128-bit
   [104-bit]. To utilize WEP, select the desired encryption bit, and
   enter a passphrase or up to four WEP keys in hexadecimal format. If
   you are using 64-bit (40-bit), then each key must consist of exactly
   10 hexadecimal characters. For 128-bit, each key must consist of
   exactly 26 hexadecimal characters. Valid hexadecimal characters are
   "0"-"9" and "A"-"F". Check your wireless clients to see which
   encryption level they support.

   Use of WEP is discouraged due to security weaknesses, and one of the
   WPA modes should be used whenever possible. Only use WEP if you have
   clients that can only support WEP (usually older, 802.11b-only clients).

   [I highly recommend that you not go through the painful exercise of
   configuring WEP keys. 128-bit...er...104-bit WEP can be cracked in
   seconds with the right tools and enough traffic in the air, as
   compared to the agony of manually entering keys. Also, do *not*
   assume that if you enter a passphrase in your AP and allow it to
   hash the keys for you that the same hash will result when you do the
   same in a Wi-Fi client (some client software allows you to do this;
   XWLAN does not - thankfully). Quite often, the hash is different
   between manufacturers - or even firmware revs in the same unit,
   resulting in even more lost time and frustration.]

I hope this helps clarify some of the newer technology we may now enjoy, thanks to the hard work of those few who do so much.

--
Lewis
------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE
Rosenthal & Rosenthal, LLC
Accountants / Network Consultants
 New York / Northern Virginia           www.2rosenthals.com
eComStation Consultants                  www.ecomstation.com
Novell Users Int'l       www.novell.com/openenterpriseserver
Need a managed Wi-Fi hotspot?               www.hautspot.com
------------------------------------------------------------
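The post mentions that WPA/WPA2 derives the key from the passphrase with PBKDF2 and gives passphrase-length recommendations. The following added example (not from the post, DD-WRT, or XWLAN) shows the standard 802.11i passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output) and puts rough entropy figures on the four recommended passphrase sizes; the alphabet sizes used for the estimates are assumptions stated in the code.

```python
import hashlib
import math

# Assumed alphabet sizes for the entropy estimates (not from the post):
DICEWARE_LIST_SIZE = 7776   # the standard Diceware list has 6^5 entries
PRINTABLE_ASCII = 95        # printable ASCII characters 0x20-0x7E


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Map a WPA/WPA2 passphrase and SSID to the 256-bit pre-shared key.

    802.11i specifies PBKDF2 with HMAC-SHA1, the SSID as salt, 4096
    iterations and a 32-byte output. Passphrases must be 8-63 ASCII chars.
    """
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy of `symbols` independent, uniformly chosen symbols."""
    return symbols * math.log2(alphabet_size)


def passphrase_recommendations() -> dict:
    """Approximate entropy of the four passphrase sizes the post recommends."""
    return {
        "5 diceware words": entropy_bits(5, DICEWARE_LIST_SIZE),
        "14 random characters": entropy_bits(14, PRINTABLE_ASCII),
        "8 diceware words": entropy_bits(8, DICEWARE_LIST_SIZE),
        "22 random characters": entropy_bits(22, PRINTABLE_ASCII),
    }


if __name__ == "__main__":
    # Constructed demo input: the published 802.11i test vector uses
    # passphrase "password" with SSID "IEEE".
    print("PSK:", wpa_psk("password", "IEEE").hex())
    for label, bits in passphrase_recommendations().items():
        print(f"{label}: about {bits:.0f} bits of entropy")
```

The same PBKDF2 step is what makes offline guessing of a captured handshake slow per guess, which is why the post's advice on passphrase length matters more than any other PSK setting.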

