WPA vs WPA2 (802.11i): How your Choice Affects your Wireless Network Security

Your rating: None Average: 4.3 (125 votes)

A discussion of why 802.11i (WPA2) provides stronger wireless security than WiFi Protected Access (WPA) and WEP, why there is a need for a new standard and why you should use it.

We’ve already looked at why WPA is better than WEP, so why have a new 802.11i security standard? Isn’t WPA good enough?

WPA has, rightly, been admired as a masterpiece of retro engineering. It addresses the weaknesses of WEP and the result is a very secure security system that is backwardly compatible with most existing WiFi compliant equipment. WPA is a practical solution that will provide more than adequate security for most wireless network applications.

However WPA is in the end a compromise solution. It still relies on the RC4 encryption algorithm and TKIP (Temporary Key Integrity Protocol). Although unlikely, the possibility of new weaknesses being discovered still exists.

A completely new security system, avoiding the design flaws of WEP entirely, represents the best long term, scalable solution to wireless LAN security. To this end the standards committee decided to design a new security system from the ground up. This is the new 802.11i standard, also known as WPA2 by the WiFi Alliance.

What is 802.11i?

802.11i uses the concept of a Robust Security Network (RSN). In RSN wireless devices need to support additional capabilities. This requires new hardware and software drivers making a fully compliant RSN network incompatible with existing WEP equipment. In the transitional period both RSN and WEP equipment will be supported, (in fact WPA/TKIP was a solution designed to make use of older equipment) but in the longer term WEP devices will be phased out.

802.11i allows for various network implementations and can use TKIP, but by default RSN uses AES (Advanced Encryption Standard) and CCMP (Counter Mode CBC MAC Protocol) and it is this which provides for a stronger, scalable solution.

What is AES/CCMP?

Advanced Encryption Standard (AES) is the cipher system used by RSN. It is the equivalent of the RC4 algorithm used by WPA. However the encryption mechanism is much more complex and does not suffer from the problems associated with WEP. AES is a block cipher, operating on blocks of data 128bits long.

CCMP is the security protocol used by AES. It is the equivalent of TKIP in WPA. CCMP computes a Message Integrity Check (MIC) using the well known, and proven, Cipher Block Chaining Message Authentication Code (CBC-MAC) method. Changing even one bit in a message produces a totally different result.

One of the worst aspects of WEP was the management of the secret keys. Many administrators found it impractical to manage keys in larger networks. As a result WEP keys were often not changed making it easier for hackers.

RSN defines a hierarchy of limited life keys, similar to TKIP. AES/CCMP requires 512bits to accommodate all the keys, less than TKIP.

Also like TKIP master keys are not used directly, but are used to derive other keys. Fortunately the administrator only needs to provide a single master key.

Messages are encrypted using a secret key (128bits) and a 128bit block of data. The encryption process is complex, but again the administrator does not need to be aware of the intricacies of the computations. The end result is encryption that is much harder to break than even WPA.

Conclusion

802.11i is by far the strongest security system for wireless networks. The purist would argue that anything less is the equivalent of no security at all.

When the 802.11i standard is ratified RSN (WPA2) compatible equipment will begin to appear. 802.11i (WPA2) will be the most robust, scalable, and secure solution and will appeal particularly to enterprise users where key management and administration has been a major headache.

802.11i has been designed using proven technologies. Security has been designed from scratch in full consultation with the best cryptographers and stands every chance of being the solution that wireless networks need. Although no security system can ever be considered totally unbreakable, 802.11i security is a dependable solution and seems unlikely to be breached. It suffers none of the problems of older systems.

802.11i is a wireless security system that you can depend on. You can use WPA to accommodate older equipment and as that reaches the end of its useful life you can upgrade to a fully compliant RSN network.

Comments

cant conecet

new phone have conected to wirless in town but can not do so at home keeps saying disabled secared wpa/wpa2 tried everything from back off hub but wont work

Phone wifi connection issue

I just got a new phone that runs on windows. When trying to connect with my wifi router, it would say that it could not due to no pesponse from the network after entering the password. The solution was changing the router setting from WPA to WPA. After making this change I had to update my laptop with the new setting so it could connect.

WPA2

I meant to say changed from WPA to WPA2.

I'm using a Linksys 160N

I'm using a Linksys 160N wireless router (WPA) for my computers at home,all is fine, but now trying to use a wireless digital device (piano)which requires (WEP) Would I need a separate WEP wirelesss router to use both systems? Would these systems interfer with each other?

wpa vs wpa2 personal

I am using linksys wre54g v.3 as a network expander and it only supports wep and wpa-psk and our network is using wpa2 personal encryption. How can I make this work?

There is no way to attach a

There is no way to attach a device that does not support WPA2 to a WPA2 network. You would have to downgrade your network to WPA for them to interface unless you connect via wires(connect to an RJ-45 output port on the WPA2 router to the RJ-45 input port on the wre54g v.3)

Upgrade your firmware

Upgrade your firmware

inofrmation

You are just re-writing and re-writing.

WPA vs. WPA2 and change over/back

* i want to run an older XP (not Pro) laptop that is WPA on my home net.
* my home system is newer using Vista (ugh) but is encrytping WPA2.
* do i only have to change one of my security Vista (ugh) settings to WPA to make everything kumbaya?
* i hope.
* i have just exhausted all of my modem/router/www knowledge.
*

WPA

How did I get numbers and letters for WPA?

WPA vs. WPA2

Depends on the hardware rather than the Operating System. If the laptop will support WPA2, you can switch to WPA2. However, XP Home or Media Center will only work with WPA2 personal, not enterprise.

Linksys firmware

I have a WRT160N router, firmware v. 1

a) Do I need to upgrade this and if so, what do you recommend ?

b) What would you suggest to improve signal strength ?

How to switch to WPA2 802.11i ?

Hi, I'm using a Toshiba Satellite laptop 2005 model and a Linksys WRT54G wireless router. The router does not have a WPA2 option. How can I switch to WPA2 802.11i? Thanks.

get a new router that

get a new router that supports it

that router has wpa2... look

that router has wpa2... look closer its there

Mr Anonymour from 2009/11/21

When are you going to remove the plug from your butt?

sorry

I'm sorry, I didn't know you needed it back.

Mr Anonymous from 2009/10/24

Did you read any of the above article?

wpa

I am confured with wep on my desktop and I wondering should I change so my laptop would be confured with wpa so it would fit into a secured network and what happens when I'm out and looking for wi=fi, will I be able to recieve ?

How you should configure your

How you should configure your laptop really depends upon your wireless access point. If it is configured to use WEP then all of your laptop and PCs should be configured to use WEP, same for WPA. Ideally use WPA as it is more secure, but even WEP is far better than no encryption at all.

You can configure your laptop to have different wireless profiles. You can set one up for when your at home and then another for when your in your favourite cafe using their wireless. Using WPA in one place doesn't imply you have to use it everywhere. Each profile has it own settings.

Post new comment

By submitting this form, you accept the Mollom privacy policy.