WPA was developed in response to the flaws in WEP, and it's a much better security protocol than its predecessor. Unlike WEP, WPA uses a 48-bit initialization vector and a 128-bit encryption key. More importantly, however, WPA uses what's called the Temporary Key Integrity Protocol (TKIP). Whereas WEP recycles the same key for encrypting all the packets flowing across the network, WPA's TKIP changes the encryption key every single time a packet is transmitted. This, combined with the use of longer keys, prevents a hacker from compromising a router simply by passively observing a large enough set of packet transmissions.
The WPA2 standard is a 2004 update to the WPA specification that includes support for a US government-approved encryption protocol called Advanced Encryption Standard (AES). (AES can also now be used with WPA, though the presence of this option will probably depend on how recently your router received a firmware update.) Unlike WPA, WPA2 was not explicitly developed with backwards compatibility in mind; older routers that are capable of handling WPA encryption via TKIP may not be able to use WPA2, as WPA2 mandates both AES and TKIP compatibility. If possible, you should use WPA2 instead of WPA.
WPA2 is more secure, but lacks the backwards compatibility of WPA
There are two security levels built into WPA and WPA2, WPA Personal (or WPA-PSK) and WPA Enterprise. WPA-Personal uses a preshared authentication key between all the systems on a network. This means that the network is potentially vulnerable to dictionary-based attacks if strong passwords are not used. Home networks don't have much to worry about here, provided your authentication key isn't something along the lines of "cat."
Enterprise-level WPA implementations make use of a separate RADIUS (Remote Authentication Dial In User Service) server. In this case, the adapter attempts to connect to the wireless access point, which then demands a set of credentials. The access point forwards this request and any associated information to the RADIUS server. The RADIUS server then checks these credentials against its own stored data. At this point, the RADIUS server can authenticate the user's login, deny it, or return a request for further information in the form of a second password or equivalent source.
RADIUS servers are typically reserved for enterprise-level deployment, where they provide both an additional level of security and an increased level of control over how network resources are allocated on a per-user level. As such, they fall outside the realm of what most home users are likely to encounter.
Once you understand the terminology, the basics of wireless security fall firmly into place. If you want a secure configuration, use the WPA protocol in combination with a strong passkey. Past that point, we're mostly splitting hairs. AES-based WPA2 is more secure than TKIP-based WPA, but either solution is light-years beyond WEP.
The WPA2 standard is a 2004 update to the WPA specification that includes support for a US government-approved encryption protocol called Advanced Encryption Standard (AES). (AES can also now be used with WPA, though the presence of this option will probably depend on how recently your router received a firmware update.) Unlike WPA, WPA2 was not explicitly developed with backwards compatibility in mind; older routers that are capable of handling WPA encryption via TKIP may not be able to use WPA2, as WPA2 mandates both AES and TKIP compatibility. If possible, you should use WPA2 instead of WPA.
WPA2 is more secure, but lacks the backwards compatibility of WPA
There are two security levels built into WPA and WPA2, WPA Personal (or WPA-PSK) and WPA Enterprise. WPA-Personal uses a preshared authentication key between all the systems on a network. This means that the network is potentially vulnerable to dictionary-based attacks if strong passwords are not used. Home networks don't have much to worry about here, provided your authentication key isn't something along the lines of "cat."
Enterprise-level WPA implementations make use of a separate RADIUS (Remote Authentication Dial In User Service) server. In this case, the adapter attempts to connect to the wireless access point, which then demands a set of credentials. The access point forwards this request and any associated information to the RADIUS server. The RADIUS server then checks these credentials against its own stored data. At this point, the RADIUS server can authenticate the user's login, deny it, or return a request for further information in the form of a second password or equivalent source.
RADIUS servers are typically reserved for enterprise-level deployment, where they provide both an additional level of security and an increased level of control over how network resources are allocated on a per-user level. As such, they fall outside the realm of what most home users are likely to encounter.
Once you understand the terminology, the basics of wireless security fall firmly into place. If you want a secure configuration, use the WPA protocol in combination with a strong passkey. Past that point, we're mostly splitting hairs. AES-based WPA2 is more secure than TKIP-based WPA, but either solution is light-years beyond WEP.
Comments