# What is WPA-AES?



## streetfighter 2 (Apr 16, 2011)

*[Solved] What is WPA-AES?*







We all know the wireless networking basics, but if you don't here they are . . .


*Wifi Alliance Certificates*
 | WPA; WPA2
*Protocols*
 | WEP; TKIP; CCMP
*Encryption*
 | AES; RC4
Furthermore:
PSK = Pre-Shared Key
RSNA = 802.11i = WPA2 (used interchangeably)

WEP - Uses RC4
WPA - Mandates TKIP with RC4 (essentially a more secure wrapper for classic WEP)
WPA2 - Mandates CCMP with AES
CCM - Is specified in the AES standard


I'm using WPA with AES, which is undefined by any wifi alliance certificate.  By this line of reasoning it should be a miracle that any of my wireless devices communicate with each other-- but they all do!

Everyone seems to know that WPA-AES is more secure than (standard) WPA-TKIP, but why?  What protocol does WPA-AES use?  How did it get standardized, or rather, how are all my wireless devices and access points able to communicate without standardization?

Here's what I've found thus far, thanks to slyfox2151:
http://www.dslreports.com/forum/remark,12691890? -- Appears to indicate that WPA-AES is a hodgepodge of TKIP, WEP and AES, which evolved into CCMP-AES . . .
http://www.dd-wrt.com/wiki/index.php/WPA/WPA2 -- Appears to indicate that WPA-AES is TKIP with AES.

*Why don't you google it SF2?*
I did.  For the love of god I did!  I don't ask questions unless I've tried to solve them myself.

Thanks to anyone who can shed light on this without making me out to be a complete nincompoop.

PS.  I'd love to use WPA2 on my network, but it isn't supported by several of my wireless devices.

*Solution:*


FordGT90Concept said:


> WPA-AES is TKIP but instead of using RC4 encryption, it jury-rigs the use of AES.  TKIP is no where near as secure as CCMP.





FordGT90Concept said:


> TKIP w/ AES support (WPA-AES) was patched in to just about everything from Windows XP, to some routers (my DI-724U being one of them), to some WLAN NICs (like the Intel 2200BG).  CCMP has to be done in the hardware though because performing the cipher in software is too demanding to be practical (not to mention drivers lacking access to the data necessary to do it).  This is why WPA devices can't be upgraded to WPA2 but can be upgraded to support AES.
> 
> I think the only scenario where a driver update couldn't add that functionality is enterprise hardware where RC4 encryption was performed in the hardware and not through software.  A software update, therefore, couldn't upgrade the hardware RC4 chip to support AES.  Most consumer WLAN NICs are cheap like integrated audio so they performed the encryption on the CPU rather than on a sub-processor.


----------



## Kreij (Apr 17, 2011)

More info ... https://learningnetwork.cisco.com/thread/11207


----------



## MilkyWay (Apr 17, 2011)

In simple terms its just a type of encryption attached to WPA2
I dont actually know the ins and outs.

TKIP is another type of encryption but it can be hacked.


----------



## FordGT90Concept (Apr 17, 2011)

WPA2 requires AES support so all devices that support WPA2 should support WPA with AES.  The difference between WPA2-AES and WPA-AES is WPA doesn't require the support of Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP).

WPA = Temporal Key Integrity Protocol (TKIP)
WPA2 = Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)

TKIP is not a type of encryption but rather, an RC4 encrypted protocol.

WPA-AES is TKIP but instead of using RC4 encryption, it jury-rigs the use of AES.  TKIP is no where near as secure as CCMP.




streetfighter 2 said:


> PS.  I'd love to use WPA2 on my network, but it isn't supported by several of my wireless devices.


Like?  It works on everything of mine that was purchased after ~2005.


----------



## MilkyWay (Apr 17, 2011)

AES is newer than TKIP its designed to be its replacement.

WPA uses TKIP
WPA2 uses CCMP and AES

WEP is older than TKIP and its very easily hacked. Its practically outdated and unused now.

http://www.darknet.org.uk/2008/12/confused-by-wep-wpa-tkip-aes-other-wireless-security-acronyms/


----------



## FordGT90Concept (Apr 17, 2011)

CCMP replaces TKIP.

WPA2 uses CCMP, CCMP uses AES.

Around here, all ISP-installed networks are WEP.  Because of that, WEP is very common even though it should be obsolete/abandoned.


----------



## Kreij (Apr 17, 2011)

In reality it's all just a bunch of fancy bruhaha to slow down you wireless connection.
Just disable it all and tell me where you live so I can leech off your interwebz.

Or you can come here and leech off mine as my connection is so lousy that I don't bother protecting it (and no one is within about 1/4 mile of my router).


----------



## streetfighter 2 (Apr 17, 2011)

FFFUUUU---

I have like 30 windows open and I closed the one with my ridiculously long reply.... 

Anyway, many thanks for your quick help, though I'm still a bit confused.


Kreij said:


> More info ... https://learningnetwork.cisco.com/thread/11207


I actually have that site bookmarked .  I feel as if the answer I'm looking for is there but I can't find it.  You ever read something that was simple but you couldn't wrap your head around it?  I'm getting that right now and it's rather disconcerting.


FordGT90Concept said:


> The difference between WPA2-AES and WPA-AES is WPA doesn't require the support of CCMP.


This is what I'm looking for.  So to put it concisely, WPA-AES uses TKIP?  Does that not mean that WPA-AES is susceptible to the Beck-Tews and other TKIP attacks? (See EDIT below)


FordGT90Concept said:


> Like?  It works on everything of mine that was purchased after ~2005.


PSP-1000, several D600s with 2200BGs, and an old wifi adapter on my print server.  I'm old, and a lot of my hardware is likewise .


MilkyWay said:


> AES is newer than TKIP its designed to be its replacement.
> 
> WPA uses TKIP
> WPA2 uses CCMP and AES
> ...





> From *Cisco*
> _Note that TKIP is not directly comparable to AES; TKIP is an integrity check, AES is an encryption algorithm.
> 
> In the context of wireless security this actually means TKIP vs. "AES-based CCMP" (not just AES)_


So if AES is a replacement for TKIP, then how can my devices which do not support CCMP use AES?

EDIT:


FordGT90Concept said:


> *WPA-AES is TKIP but instead of using RC4 encryption, it jury-rigs the use of AES.  TKIP is no where near as secure as CCMP.*


Ah, this is the grit.  This is the stuff right here.  Exactly what I need.  You have any additional info/sources?
Thanks!


----------



## FordGT90Concept (Apr 17, 2011)

streetfighter 2 said:


> This is what I'm looking for.  So to put it concisely, WPA-AES uses TKIP.  Does that not mean that WPA-AES is susceptible to the Beck-Tews and other TKIP attacks?


Correct.  WPA, no matter what type of encryption is used, is vulnerable to TKIP attacks.




streetfighter 2 said:


> PSP-1000, several D600s with 2200BGs, and an old wifi adapter on my print server.


That sucks.  I had one 2004 laptop that didn't support WPA2 and got around it by using a D-Link USB 802.11b/g adapter.  It's not ideal but it was the only device of mine that couldn't handle WPA2.


----------



## Kreij (Apr 17, 2011)

streetfighter 2 said:


> So if AES is a replacement for TKIP, then how can my devices which do not support CCMP use AES?



The devices check for AES compatibility and if not found fallback to TKIP?


----------



## FordGT90Concept (Apr 17, 2011)

TKIP is a protocol like HTTPS.  AES and RC4 describe the encryption used on the data inside the protocol.  TKIP can carry an RC4 encrypted packet just as well as it can carry an AES packet.  AES is damn near impossible to break but that doesn't matter when TKIP has flaws that allow you to retrieve the cipher which, in turn, allow you to decrypt the packet.  CCMP threw TKIP out the window and replaced it with a new cipher encryption method based on AES rather than RC4 (used by WEP and TKIP).


----------



## CrAsHnBuRnXp (Apr 17, 2011)

streetfighter 2 said:


> I'm old, and a lot of my hardware is likewise .



Off topic, but with your avatar, I always picture you to be like a 13 year old kid. 

On a more on topic note, companies just need to stop putting support for older encryption into routers and what not so people can stop being confused about what one is better. This would also help from them getting their wireless hacked easily by not choosing an encryption method that is more vulnerable.


----------



## Kreij (Apr 17, 2011)

Well ... if I could ever get Ford to continue our work on the Ford-Kreij Universality Algorith (FKU-A) we could pitch all these posers. 
It's based on a quantum tachyon wave distortion property inherent in worm holes and other space/temporal anomolies.
But no ... he just wants to play Minecraft and Settlers 7. :shadedshu 

Anyway, I would have to assume that your devices are falling back to some other protocol/encryption method for connection if they do not support WPA-AES and still work.


----------



## streetfighter 2 (Apr 17, 2011)

FordGT90Concept said:


> That sucks.  I had one 2004 laptop that didn't support WPA2 and got around it by using a D-Link USB 802.11b/g adapter.  It's not ideal but it was the only device of mine that couldn't handle WPA2.


Well despite their age, my fleet of D600s with 2200BGs (which I got at an unbelievable price) are still running strong and get fantastic reception.  Back in the day everyone I knew was using a PCMCIA slot wifi card but I had mine builtin (using an mini-PCI slot).  The D600s also have a full sized antenna which makes their reception far better than any USB stick/PCMCIA card I've tried.  Up until a couple years ago I was getting better wifi speeds than any of my friends with their brand new macbooks. 

When those laptops die I'll replace my print server's wifi card and buy a newer PSP.


CrAsHnBuRnXp said:


> Off topic, but with your avatar, I always picture you to be like a 13 year old kid.


Intellectually I'm probably around 15.   My sense of humor pegs me at around 7.  Poop. LOL.



CrAsHnBuRnXp said:


> On a more on topic note, companies just need to stop putting support for older encryption into routers and what not so people can stop being confused about what one is better. This would also help from them getting their wireless hacked easily by not choosing an encryption method that is more vulnerable.


At first I thought this was a bad idea, but the more I think about it the more I like it.



Kreij said:


> The devices check for AES compatibility and if not found fallback to TKIP?





Kreij said:


> Anyway, I would have to assume that your devices are falling back to some other protocol/encryption method for connection if they do not support WPA-AES and still work.


I've considered that, but I have three access points from three different companies with three different chipsets.  Whats the probability that all three of them have standardized something thats not actually standardized (eg. the fallback mechanism)?

On the other hand since all of my devices support WPA, and they all support AES (with driver upgrades), then I have to assume that WPA-AES = WPA with AES over TKIP (as Ford said).


----------



## FordGT90Concept (Apr 17, 2011)

CrAsHnBuRnXp said:


> On a more on topic note, companies just need to stop putting support for older encryption into routers and what not so people can stop being confused about what one is better. This would also help from them getting their wireless hacked easily by not choosing an encryption method that is more vulnerable.


The WiFi Alliance planned to forbid supporting WEP back in 2010 but, if they did, it seems like no one cared.  I just wish they'd educate ISPs that WEP is bad (start an ad campaign or something).  It's ISPs that install most wireless networks so they are the guilty party.




Kreij said:


> But no ... he just wants to play Minecraft and Settlers 7. :shadedshu


...and Test Drive Unlimited 2, and StarCraft, and Medal of Honor so I can format, then Humble Frostbyte Bundle, Darkspore, and more Minecraft. 



Kreij said:


> Anyway, I would have to assume that your devices are falling back to some other protocol/encryption method for connection if they do not support WPA-AES and still work.


WEP = WEP w/ RC4
WPA-TKIP = TKIP w/ RC4
WPA-AES = TKIP w/ AES
WPA2-AES = CCMP w/ AES

Am I forgetting any?

AES is more secure than RC4 but RC4, itself, is quite secure (as long as the key is obscured).  The weakness in WEP is WEP and the weakness in TKIP is TKIP.  WEP is far weaker than TKIP (TKIP further obscured the key where it wasn't obscured at all in WEP).  As far as I know, no major vulnerabilities have been discovered in CCMP.




streetfighter 2 said:


> Well despite their age, my fleet of D600s with 2200BGs (which I got at an unbelievable price) are still running strong and get fantastic reception.  Back in the day everyone I knew was using a PCMCIA slot wifi card but I had mine builtin (using an mini-PCI slot).  The D600s also have a full sized antenna which makes their reception far better than any USB stick/PCMCIA card I've tried.  Up until a couple years ago I was getting better wifi speeds than any of my friends with their brand new macbooks.


802.11b/g can't hold a candle to 802.11n.  I assume those Mac Books didn't have 802.11n. XD




streetfighter 2 said:


> I've considered that, but I have three access points from three different companies with three different chipsets.  Whats the probability that all three of them have standardized something thats not actually standardized (eg. the fallback mechanism)?
> 
> On the other hand since all of my devices support WPA, and they all support AES (with driver upgrades), then I have to assume that WPA-AES = WPA with AES over TKIP (as Ford said).


TKIP w/ AES support (WPA-AES) was patched in to just about everything from Windows XP, to some routers (my DI-724U being one of them), to some WLAN NICs (like the Intel 2200BG).  CCMP has to be done in the hardware though because performing the cipher in software is too demanding to be practical (not to mention drivers lacking access to the data necessary to do it).  This is why WPA devices can't be upgraded to WPA2 but can be upgraded to support AES.

I think the only scenario where a driver update couldn't add that functionality is enterprise hardware where RC4 encryption was performed in the hardware and not through software.  A software update, therefore, couldn't upgrade the hardware RC4 chip to support AES.  Most consumer WLAN NICs are cheap like integrated audio so they performed the encryption on the CPU rather than on a sub-processor.


----------



## streetfighter 2 (Apr 17, 2011)

No one thought my image of Senor Eskimo Goldberg to illustrate my confusion over WPA/TKIP/AES was funny? 



FordGT90Concept said:


> 802.11b/g can't hold a candle to 802.11n.  I assume those Mac Books didn't have 802.11n. XD


Dunno, I can't remember.  At the time the network was only 802.11g, so it wouldn't have mattered.  Currently I only have one MIMO 802.11n access point, one MIMO 802.11g and one regular 802.11g.



FordGT90Concept said:


> AES is more secure than RC4 but RC4, itself, is quite secure (as long as the key is obscured).


This partly answers another of my questions, "WPA-AES is more secure than (standard) WPA-TKIP, but why?"

Rather, WPA-AES is marginally more secure than WPA-TKIP only because RC4 is an older encryption standard with known weaknesses (but no check-mate unless using WEP).


----------



## FordGT90Concept (Apr 17, 2011)

I think it's safe to say that TKIP is a greater vulnerability than RC4.  That is to say, AES and RC4 are equally vulnerable under TKIP because anyone attempting to attack it would go after the weakest link (TKIP) making RC4 or AES irrelevant.  Once they crack TKIP, they'll have the means to decrypt the encrypted content regardless of what type of encryption is used.


----------



## streetfighter 2 (Apr 17, 2011)

Are you saying that the accepted "wisdom", that WPA-AES is better than WPA-TKIP, is incorrect?


----------



## FordGT90Concept (Apr 17, 2011)

Technically, WPA-AES is more secure than WPA-TKIP (RC4) but in practice, that fact is irrelevant because they share the same weakness.  I would never use WPA-AES because it isn't worth the computing overhead AES adds when it is just as likely to be defeated as TKIP (RC4).


----------



## newtekie1 (Apr 17, 2011)

FordGT90Concept said:


> I just wish they'd educate ISPs that WEP is bad



The reason WEP is defaulted to in most installations is that is is compatible with everything.  You want some examples of things that I've personally as a network engineer have had to deal with? Nintendo DSes don't support anything beyond WEP, it wasn't until the DSi was released in 2008 that WPA support was implemented.  There are still a lot of wireless printers, particulary the cheap ones, that do not support WPA, or claim support for WPA but don't actually work with it.  The last lexmark printer I bought about 2 years ago, claimed to support WPA, but would not connect to any WPA network.  It just wouldn't do it.  It tossed that POS in the trash because it sucked anyway, but the point is that WEP works and that is why people use it.

I wouldn't go as far as saying WEP is bad, in fact in 90% of usage senarios it is perfectly fine.  Yes, it is hackable.  Is it as easy as some make it out to be?  No.  Is my neighbor, or my neighbor's 16 year old kid like to have the hardware to do it and the knowledge? No, despite what some want to make it seem like, they won't.

That being said, definitely use WPA/WPA2 if possible, because there is no reason not to if everything is compatible.  But most ISPs don't want to have to deal with the support calls from the people with devices that aren't compatible, so they just use WEP, and for home users that really isn't a problem.


----------



## FordGT90Concept (Apr 17, 2011)

Virtually all integrated Intel wireless chips (which are the majority of wirless networking solutions out there) are capable of hacking WEP with a third party driver installed.  Once the computer is configured to break WEP, it has a 50% chance of breaking it within 40,000 captured frames (during high activity like watching a video or downloading something, that can easily mean less than a minute).  In other words, it might as well not be "secure" at all, because it isn't.  WEP was only in place for 3 years for that very reason and WPA2 came along a year after WPA because WPA isn't that much better.

Just having a laptop and a few Google searches can net you everything you need to break into a WEP network.


ISPs also almost always use default usernames, passwords, and IPs on the router too.  In other words, if breaking into WEP wasn't easy enough, they can configure your router too to do their bidding.  Just because a few people might have problems with WPA doesn't mean that shouldn't be the standard.


----------



## newtekie1 (Apr 17, 2011)

FordGT90Concept said:


> ISPs also almost always use default usernames, passwords, and IPs on the router too. In other words, if breaking into WEP wasn't easy enough, they can configure your router too to do their bidding. Just because a few people might have problems with WPA doesn't mean that shouldn't be the standard.



ATT, the biggest ISP in my area, uses a random password printed on the router.  So physical access is required to make any changes.  Comcast doesn't provide routers anymore, just modems(and they actually prefer that you buy those yourself as well).  The modems provided by comcast do not have defualt usernames/passwords, in fact the customer can't access the modem provided by comcast anymore.  So the only way to get in is to brute force it.  Those are really the only two ISPs in my area...


----------



## FordGT90Concept (Apr 17, 2011)

The ISPs in my area, you've probably never heard of except maybe Frontier Communications Company.  It's good to know the larger tel-coms are at least trying to keep wireless networks semi-secure.


----------



## streetfighter 2 (Apr 17, 2011)

I'm pretty sure comcast has never given routers to their customers.  I had them for the last 8 out of 10 years and I was using my own router.  They gave me a Motorola modem that was surprisingly easy to hack, but whats the point?  If I changed anything on the modem they'd find out about it and I'd get sued, literaly.  Also with comcast you have to clone your MAC address or they'll throttle the piss out of you.  I really do hope someone pokes them in the eye.

When I switched to Verizon they did provide me a router, but only because I needed one with a coax terminal.  The Verizon router has a backdoor that they can use to update the firmware on me, daffy bastards.  The Verizon router was pre-configured with 64-bit WEP and the l/p on the router was "admin"/"password1".



newtekie1 said:


> Is my neighbor, or my neighbor's 16 year old kid like to have the hardware to do it and the knowledge? No, despite what some want to make it seem like, they won't.


Famous last words.


----------



## FordGT90Concept (Apr 17, 2011)

streetfighter 2 said:


> The Verizon router was pre-configured with 64-bit WEP and the l/p on the router was "admin"/"password1".


That takes all of 20 seconds to break.


----------



## newtekie1 (Apr 17, 2011)

FordGT90Concept said:


> The ISPs in my area, you've probably never heard of except maybe Frontier Communications Company.  It's good to know the larger tel-coms are at least trying to keep wireless networks semi-secure.



ATT might even have switched to using WPA by default as well, though I never really pay much attention, I just disable it and use a real router.

I'm just glad Linksys/Cisco finally stopped  shipping wireless routers with no wireless security at all...:shadedshu



streetfighter 2 said:


> I'm pretty sure comcast has never given routers to their customers.



They give their business customers routers, but they aren't wireless, and they don't even support port forwarding properly.


----------



## streetfighter 2 (Apr 17, 2011)

I've read on a few forums that the Linksys' implementation of WPA-AES attempts to authenticate using CCMP then falls back to TKIP.  Which would mean that Kreij, despite his notable mental handicap , may have been correct.

Unfortunately I can't find any legit sources . . .


----------



## newtekie1 (Apr 27, 2011)

FordGT90Concept said:


> The ISPs in my area, you've probably never heard of except maybe Frontier Communications Company.  It's good to know the larger tel-coms are at least trying to keep wireless networks semi-secure.



Sorry for dragging up an older thread, but I just wanted to confirm that AT&T has in fact switched to using WPA-TKIP/WPA2-AES as the default settings on the wireless routers they provide their customers.  I just did a U-Verse install this morning, and the router was set to WPA/WPA2 protection directly out of the box from AT&T.

I'm not sure if it is the same with their standard service, since the standard service customers are still provided with an older style modem/router that might still default to WEP.


----------

