# TKIP vs AES



## hat (Dec 9, 2010)

I currently use AES encryption, as it's the only one that hasn't been cracked (WEP and TKIP being the alternatives). Apparently, WEP is generic and can be hacked into by just about anyone who cares to know how. TKIP has been recently cracked, but how easy is it to get in to?

This is for my home wireless network. I'm not too worried about getting hacked, even if I left it unsecured. 

*I do broadcast my SSID. I didn't for quite some time, but it always seemed to bring up connectivity issues. My mom has a laptop for work and she takes it all over the place and there's a list of previously accessed wireless networks in that thing about a mile long, but she does come here and use my network sometimes. For some reason, with SSID broadcasting disabled, I had to re-configure the settings for my network so she could get access. Nothing would change on my end. For this reason I leave SSID broadcasting on to avoid this issue.

*I have a MAC address filter set up. Only my mom's desktop, which stays here, and my mom's laptop can access my network, regardless if someone knows the password or not. This leads me to believe that even if I left my network unsecured, I wouldn't actually get anyone accessing my network: the worst anyone could do is packet sniffing.

Looking at AES and TKIP, it looks like TKIP is a lot less resource intensive than AES. I want to use the less resource intensive TKIP encryption so as to not swamp my router with the intensive AES encryption. As previously mentioned, I know TKIP has been hacked, but how easy is it to get in to?

tl;dr I want to use TKIP instead of AES because it's less resource intensive, but should I be worried about the decreased security?


----------



## streetfighter 2 (Dec 9, 2010)

hat said:


> tl;dr I want to use TKIP instead of AES because it's less resource intensive, but should I be worried about the decreased security?



I'm not personally.  It depends how paranoid you are though.

http://arstechnica.com/tech-policy/...e-wifi-crack-puts-further-pressure-on-wpa.ars

I tend to think of wireless security on a more fundamental level:
Are there a lot of people in range of your wireless network?
Are you in an area likely to be wardriven?
Do you transact a lot of sensitive and unencrypted data on the network?
Do you like pistachios salted or not?


----------



## hat (Dec 9, 2010)

streetfighter 2 said:


> Are there a lot of people in range of your wireless network?


I live in an apartment complex.


streetfighter 2 said:


> Are you in an area likely to be wardriven?


Folks is poor around here... and we're starting to see signs of the "creeping death"... that is, the ghetto is spilling over into this neighborhood. I guess people would be looking for free internet around here, but there's also tons of unsecured networks, so I reckon those people would target the unsecured networks rather than mine.


streetfighter 2 said:


> Do you transact a lot of sensitive and unencrypted data on the network?


Not really. I'm more worried about somebody packet sniffing a credit card number from a Paypal transaction and other things of that nature. The only shared files I have on my network are literally my "dc" folder (holds WCG and FAH on one machine) and my Quake folder (same machine, makes for easy modification of files through network file sharing).


streetfighter 2 said:


> Do you like pistachios salted or not?


Definitely salted when I get them, but I haven't had any in some time.


----------



## IggSter (Dec 9, 2010)

I wouldn't be worried about someone sniffing your credit card details as in most cases that connection is encrypted also, so even if someone manages to break into your wifi, they would only see an encrypted data stream.

One of the best counters is actually to refresh your wifi key on a weekly basis - a bit of a PITA to change the clients but worth the effort IMHO.

Another suggestion would be to use some form of 3rd party authentication (if your router supports it) such as TACACS or RADIUS.

http://freeradius.org/


----------



## garyinhere (Dec 9, 2010)

hat said:


> Not really. I'm more worried about somebody packet sniffing a credit card number from a Paypal transaction and other things of that nature



The easiest way to get around this imo and this is also what i do, is to go to wal-mart and purchase a visa prepaid credit card. It will only have the amount of money on it that you load to it. I leave mine empty until ready to make a purchase on new egg. You can also tie the card into your PP account and if it gets compromised just cut it up and buy another... I've been using the same card for over a year with no worries about my info being stolen! Plus you don't run into credit card debt because you can only spend what you load on it


----------



## mrhuggles (Dec 9, 2010)

erm, i think that AES might not be as bad as you think, generally it uses hardware acceleration, it shouldn't be slower unless your hardware uses a purely software implementation, like if it didnt support it but support was later haxed in via a patch or something? maybe... thats why WPA2 is so much faster than WPA usually, WPA was more of a software thing and then WPA2 was a nice hardware change, am i wrong about that? im pretty sure i read it somewhere...


----------



## slyfox2151 (Dec 9, 2010)

turning off SSID broadcast does nothing at all to stop hackers. it just stops it from being displayed on windows... a simple program will still see the SSID.



good luck breaking into a WPA network....
mac address blocking wont stop a hacker... he will just change his mac address to be the same as the laptop and bam.. he has internet.


----------



## hat (Dec 9, 2010)

mrhuggles said:


> erm, i think that AES might not be as bad as you think, generally it uses hardware acceleration, it shouldn't be slower unless your hardware uses a purely software implementation, like if it didnt support it but support was later haxed in via a patch or something? maybe... thats why WPA2 is so much faster than WPA usually, WPA was more of a software thing and then WPA2 was a nice hardware change, am i wrong about that? im pretty sure i read it somewhere...



Resource intensive on the router, I meant.



slyfox2151 said:


> turning off SSID broadcast does nothing at all to stop hackers. it just stops it from being displayed on windows... a simple program will still see the SSID.
> 
> 
> 
> ...



How would he get my MAC address?


----------



## mrhuggles (Dec 9, 2010)

is it really resource intense? i cant notice a difference on my WHR-HP-GN, thats 400mhz tho, but also i couldn't tell any difference on my old WRT54G v2 and that was only 200mhz, generally on the WRT54G i used openWRT and on the WHR-HP-GN i use DD-WRT


----------



## slyfox2151 (Dec 9, 2010)

hat said:


> Resource intensive on the router, I meant.
> 
> 
> 
> How would he get my MAC address?



the laptop would send out its mac address when its connected to the router.


----------



## AsRock (Dec 9, 2010)

hat said:


> Resource intensive on the router, I meant.
> 
> 
> 
> How would he get my MAC address?



I used a program called Wireless Monitor as it was the only one i could find that worked with my lappy and that would give you people's mac addresses. Also it will show you the SSIDs too.


----------



## Fourstaff (Dec 9, 2010)

From what I know, if you set a simple protection it will deter most from stealing your internets, if you set a strong protection it will prevent that bored kid over the corner from gaining access, and nothing will stop a determined hacker. 

Bottom line: dont worry too much.


----------



## qubit (Dec 9, 2010)

@hat: Why not use WPA2? This has not been hacked into AFAIK

@streetfighter 2: I like my pistachios salted. This is terribly important.


----------



## Mussels (Dec 9, 2010)

pro tip: cut back the signal strength, and they cant hack it.


if router has no options to do that, use tinfoil over the routers aerial XD



btw i see some confusion: the actual encryption methods available are:


None:
WEP: basically none 
WPA aka WPA1: tougher to crack, but can be done given time (days of packet sniffing/forced injection)
WPA2 (tough)

AES and TKIP are just sub settings for those. WPA2 with TKIP is the best, iirc.


MAC addy blocks are worthless, as you can spoof the mac addy you see sending the data when you do the sniffing. it wont even slow a hacker down.


----------



## RejZoR (Dec 9, 2010)

I can't think of any reason not to use AES. Routers are designed to use it and i can assure you you can't tell a difference between unencrypted router and a router using AES. So, just AES and live a peaceful life.


----------



## streetfighter 2 (Dec 9, 2010)

Mussels said:


> btw i see some confusion: the actual encryption methods available are:
> 
> 
> None:
> ...



I see some confusion-- The actual encryption methods are:
AES
RC4

Wi-Fi Alliance Certifications:
WPA
WPA2

The protocols:
WEP -> Uses RC4
TKIP - Mandatory in WPA & WPA2 spec -> Uses RC4 (AES is not mandatory in the spec)
CCMP - Mandatory in WPA2 spec -> Uses AES


----------



## newtekie1 (Dec 9, 2010)

Use TKIP, hell use WEP. Yes they are both easily hackable but most won't even bother because they can just drive a few doors down and find an unsecured access point and get on that.  You aren't a company so your wireless network is a low target.

And MAC filtering is probably the most useless protection ever.  It is insanely easy to spoof a MAC address, and they don't even have to crack the encryption to figure out what MAC address the packets are coming from.


----------



## RejZoR (Dec 9, 2010)

That's not true. Even if you're just an individual, it's still smart to use max possible security.
Either you don't want anyone to sniff your online shopping info or worse, download for example child pr0n through your connection. In the end you'll be prosecuted. So don't take wireless security too easily. Just use WPA2 AES and just forget about any possible worries.


----------



## kuroikenshi (Dec 9, 2010)

Rather related to this... im a bit perturbed at the amount of wireless devices that can connect to wireless network ONLY if the SSID is being broadcasted.

Why can't they work in the ability to connect to that network even if its not being broadcasted? 

Also granted that some of these encryptions are easy to break, for the most part having SOME type of security is enough of a deterrent from most people who just want a quick easy access to the internet.


----------



## qubit (Dec 9, 2010)

streetfighter 2 said:


> I see some confusion-- The actual encryption methods are:
> AES
> RC4
> 
> ...



I see that I was obviously one of the confused. Cleared that up nicely for me now.


----------



## newtekie1 (Dec 10, 2010)

RejZoR said:


> That's not true. Even if you're just an individual, it's still smart to use max possible security.
> Either you don't want anyone to sniff your online shopping info or worse, download for example child pr0n through your connection. In the end you'll be prosecuted. So don't take wireless security too easily. Just use WPA2 AES and just forget about any possible worries.



No not really.  As I said, MAC address filtering is just a waste of time and CPU power on a router, because it is so easily spoofed.

And TKIP will keep everyone off your network.

Having maximum security at the expense of a slower connection due to an overloaded router isn't smart for an individual.  The kiddy porn people aren't wasting time cracking security, they are just using the free connections that are already available to them.


----------



## RejZoR (Dec 10, 2010)

What slowdown? I can't see any and i'm gaming online, downloading a lot and all. Maybe you'd notice it if you have many systems connected and you'd be using full LAN. But most of ppl use it to connect laptops wirelessly. AES is just a logical option and i really can't see a single reason not to use it. It's like deciding between a proper door lock (AES) and a wooden stick (TKIP) that's blocking it from the inside. What would you pick?


----------



## Fourstaff (Dec 10, 2010)

RejZoR said:


> What slowdown?



His hardware is probably way weaker than yours, so you might not feel it but he will certainly get some performance boost.


----------



## newtekie1 (Dec 10, 2010)

RejZoR said:


> What slowdown? I can't see any and i'm gaming online, downloading a lot and all. Maybe you'd notice it if you have many systems connected and you'd be using full LAN. But most of ppl use it to connect laptops wirelessly. AES is just a logical option and i really can't see a single reason not to use it. It's like deciding between a proper door lock (AES) and a wooden stick (TKIP) that's blocking it from the inside. What would you pick?



Most consumer level routers can not handle TKIP or AES without affecting the connection speed, AES being worse and showing a more noticeable effect.  This only really applies if you have a connection that is faster than 30Mb/s though, and once you get up that high you aren't going to notice the difference unless you really pay attention.  Most people won't be able to tell a 50Mb/s connection from a 20Mb/s connection.  Pages to them will load instantly with either, so it will seem to be the same.  The gaming online aspect doesn't really show that you aren't seeing any slowdown, because games don't need much faster than a 5Mb/s connection, the latency is more important there.

And your analogy is a little exaggerated.  You make it sound like TKIP is easily broken, that is far from the case.  In fact it is still extremely difficult to crack and needs some seriously powerful hardware to do it.  I believe the people that did it had to use a cluster of high end computers to pull it off.  It isn't something that some guy driving down the road with a laptop is going to be able to pull off.



Fourstaff said:


> His hardware is probably way weaker than yours, so you might not feel it but he will certainly get some performance boost.



Or my connection is faster than his...


----------



## streetfighter 2 (Dec 10, 2010)

RejZoR said:


> It's like deciding between a proper door lock (AES) and a wooden stick (TKIP) that's blocking it from the inside. What would you pick?


I'm sorry to point it out, but this is a wildly inaccurate analogy...  Unless this is the wooden stick you're talking about:






Have a look for yourself: http://arstechnica.com/tech-policy/...e-wifi-crack-puts-further-pressure-on-wpa.ars



> _These two [TKIP] attacks can certainly present problems, but they do not threaten the overall encryption of the wireless stream._



If someone was a fairly proficient programmer (and if properly motivated) they could write an exploit for TKIP and be limited to injecting tiny packets.  In a few weeks they might be able to do some minor damage, but nothing that could truly compromise the network. No one has confirmed the ability to retrieve the WPA key.


----------



## Ross211 (Dec 10, 2010)

newtekie1 said:


> No not really.  As I said, MAC address filtering is just a waste of time and CPU power on a router, because it is so easily spoofed.



MAC filtering is very easy to spoof because MAC addresses are transmitted in the clear in every frame, so drive-by hackers can easily learn them and send frames that appear to come from one of the hosts already on the access point.  

It's easy to use free linux packages like aircrack-ng to sniff out the MAC address of every host connected to a specified access point.  You can then use other software packages to create "artificial" frames that will have the MAC of a connected host even though you're sending it from a different MAC.  

Edit - hat, I'd recommend avoiding MAC filtering.

I think wireless will always be flawed because of how it uses CSMA/CA, this is just my silly opinion though.  Essentially, every additional wireless client on an access point will lower each current host's bandwidth by 50%.  Wireless is sucky, IMO.


----------



## newtekie1 (Dec 10, 2010)

Ross211 said:


> Essentially, every additional wireless client on an access point will lower each current host's bandwidth by 50%. Wireless is sucky, IMO.



Not necessarily true.  They share bandwidth, so saying that every additional client that connects to the access point lowered each current host's bandwidth by 50% would be like saying anyone that connected to the same router lowers each person's bandwidth by 50%.  The bandwidth is shared, not pre-divided.  So if 10 people are connected, but only one person is doing a file transfer, then that person gets pretty close to 100% of the bandwidth.  It is only halved if two people are doing file transfers at the same time.


----------



## hat (Dec 12, 2010)

MAC address filtering eats up resources? I wasn't aware it was a form of active protection, I thought the router just did a check on the MAC address to see if it gets found in the list and if not boots the attempted connection. Since it seems so easy to crack, I'll get rid of it since it eats resources.

I'm not worried about my connection speed slowing down. I'm worried about the router getting swamped with computations involved with wireless security, coupled with running a torrent or two, while someone is on my server and I'm playing another game. Even though I'm not saturating my bandwidth (I control my torrent speed so as to not lag everyone to death, including myself if I'm playing a game at the same time), the router gets overloaded and lags out. That's why I'm trying to shave off resource intensive tasks, so I can free up resources for other things.

Router in question is a Netgear WGR614v9. It has a 240MHz CPU and 8MB RAM. Some of you may recall that I was messing around with different router software to run on a Pentium 4 box I have, but I decided to move away from that. While I would never have to worry about lagging that router, it's just impractical to have a machine like that acting as a router. It's far larger, hotter, noisier and more of a power consumer than the tiny computers specifically designed to act as routers, such as my Netgear model. Additionally, I had to hook up a separate switch and access point, so I had 3 devices, one of them insanely overkill for the given task, where my Netgear router is all 3 in one and far more practical.


----------



## newtekie1 (Dec 12, 2010)

hat said:


> I'm not worried about my connection speed slowing down. I'm worried about the router getting swamped with computations involved with wireless security



That is the problem though, when the router's CPU starts to get overloaded, it starts to affect the connection speed.

And MAC address filtering can be very CPU intensive.  Yes, it only has to look at the MAC and compare it to the allowed table, but it has to do that for every packet of data received from the wireless connection, so that is a lot of work.


----------



## hat (Dec 12, 2010)

newtekie1 said:


> That is the problem though, when the router's CPU starts to get overloaded, it starts to affect the connection speed.
> 
> And MAC address filtering can be very CPU intensive.  Yes, it only has to look at the MAC and compare it to the allowed table, but it has to do that for every packet of data received from the wireless connection, so that is a lot of work.



Interesting... well, I've axed it then, since it seems so easy to hack and it eats resources. Currently I'm running it with SSID broadcasting on (it would be off, but shit tends to break when I have it off), AES, and no MAC filter.


----------



## newtekie1 (Dec 12, 2010)

hat said:


> Interesting... well, I've axed it then, since it seems so easy to hack and it eats resources. Currently I'm running it with SSID broadcasting on (it would be off, but shit tends to break when I have it off), AES, and no MAC filter.



You should be good.  That is more than enough security and shouldn't swamp the router's CPU.


----------



## FordGT90Concept (Dec 14, 2010)

WPA = TKIP
WPA2 = AES

I use WPA2 if all devices are capable of WPA2; otherwise, I use WPA.  Older devices can claim they support WPA2 but they really don't in practice (especially routers).

Never use WEP.  With a computer set up to break WEP, WEP can be broken in less than 2 minutes.


----------



## newtekie1 (Dec 14, 2010)

FordGT90Concept said:


> WPA = TKIP
> WPA2 = AES
> 
> I use WPA2 if all devices are capable of WPA2; otherwise, I use WPA.  Older devices can claim they support WPA2 but they really don't in practice (especially routers).
> ...



Not true.  TKIP and AES can both be used with either WPA or WPA2, and there is very little difference between the two.  For example, you can use AES with WPA, or you can use TKIP with WPA2.  WPA2 only indicates complete compliance with the 802.11i standard.

Mainly the big difference is WPA=CCMP Optional and WPA2=CCMP Required.


----------
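The split drawn in the posts above between the certification (WPA, WPA2) and the cipher protocol (TKIP, CCMP) is visible in what an access point advertises in its beacons. The following is an added example, not code from any poster in this thread: it parses the WPA vendor element and the WPA2 RSN element from a beacon's tagged parameters and reports where TKIP is still accepted. The function names and both sample byte strings are constructed for illustration.

```python
import struct

# Suite type numbers are the same in the WPA2 RSN element (OUI 00-0F-AC)
# and in the older WPA vendor element (OUI 00-50-F2).
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
RSN_OUI, WPA_OUI = bytes.fromhex("000fac"), bytes.fromhex("0050f2")


def element(eid, body):
    """Build one information element (ID, length, body) for the samples."""
    return bytes([eid, len(body)]) + body


def iter_elements(tagged):
    """Yield (id, body) per element; stop quietly at a truncated one."""
    pos = 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        if pos + 2 + length > len(tagged):
            return
        yield eid, tagged[pos + 2:pos + 2 + length]
        pos += 2 + length


def suite_name(suite, oui, names):
    """Translate a 4-byte suite selector (3-byte OUI + type) to a name."""
    if suite[:3] != oui:
        return "vendor-" + suite.hex()
    return names.get(suite[3], "unknown-%d" % suite[3])


def suite_list(body, pos, oui, names):
    """Read a 2-byte little-endian count, then that many 4-byte suites."""
    if pos + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, pos)
    end = pos + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated suite list")
    return [suite_name(body[i:i + 4], oui, names) for i in range(pos + 2, end, 4)], end


def parse_suites(body, oui):
    """Parse version, group cipher, pairwise ciphers and AKM suites."""
    if len(body) < 6 or struct.unpack_from("<H", body)[0] != 1:
        raise ValueError("truncated element or unsupported version")
    pairwise, pos = suite_list(body, 6, oui, CIPHERS)
    akm, _ = suite_list(body, pos, oui, AKMS)
    return {"group": suite_name(body[2:6], oui, CIPHERS), "pairwise": pairwise, "akm": akm}


def audit(tagged):
    """Map 'WPA' / 'WPA2' to the suites each advertised element offers."""
    modes = {}
    for eid, body in iter_elements(tagged):
        if eid == 48:  # RSN element
            modes["WPA2"] = parse_suites(body, RSN_OUI)
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":  # WPA vendor element
            modes["WPA"] = parse_suites(body[4:], WPA_OUI)
    return modes


def tkip_findings(modes):
    """List every place where RC4-based TKIP is still accepted."""
    out = []
    for mode, info in sorted(modes.items()):
        if "TKIP" in info["pairwise"]:
            out.append(mode + ": TKIP accepted for unicast")
        if info["group"] == "TKIP":
            out.append(mode + ": TKIP used for broadcast/multicast")
    return out


# Constructed samples: a mixed WPA/WPA2 access point and a WPA2 CCMP-only one.
MIXED = (element(0, b"homenet")
         + element(48, bytes.fromhex("0100 000fac02 0200 000fac04 000fac02 0100 000fac02 0000"))
         + element(221, bytes.fromhex("0050f201 0100 0050f202 0100 0050f202 0100 0050f202")))
CCMP_ONLY = element(0, b"homenet") + element(
    48, bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000"))

if __name__ == "__main__":
    for name, sample in (("mixed", MIXED), ("ccmp-only", CCMP_ONLY)):
        print(name, audit(sample), tkip_findings(audit(sample)))
```

In the mixed sample the WPA2 element lists both CCMP and TKIP as pairwise ciphers and falls back to TKIP for group traffic, which is how a "WPA2" network can still be running TKIP.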



## Flak (Dec 14, 2010)

Comparing TKIP and AES is similar to comparing apples
and oranges. One is a key mgt protocol (okay -- it is now
called a 'data confidentiality protocol'), the other (AES)
is an encryption method. You should compare AES with
DES (and triple-DES).

TKIP (Temporal Key Integrity Protocol) is a key management
protocol. It deals with how the symmetric 'session' key
or keys are initially created, changed over time, etc.

TKIP is not used in WPA2 except in backwards compatible
WPA mode by APs to support legacy WPA/TKIP clients. WPA2
in native mode uses CCMP (Counter-Mode/CBC-MAC Protocol)
as a 'data confidentiality' method instead of TKIP.

AES (Advanced Encryption System) is a variable bit
length symmetric digital encryption algorithm. It was
selected by NIST to replace DES as the symmetric
encryption scheme of choice for electronic transactions
and is based on Rijndael. It is one of the major changes
between WPA and WPA2/802.11i and often requires a
hardware upgrade to access points in order to accommodate it.  

In many cases, if your router supports WPA2 + AES, then WPA2 + AES will be faster than any TKIP implementation as part of the protocol calls for hardware encryption for AES and not software.  Though I'd suppose on a lesser end a company could run some software hack for it.


----------



## FordGT90Concept (Dec 14, 2010)

newtekie1 said:


> Not true.  TKIP and AES can both be used with either WPA or WPA2, and there is very little difference between the two.  For example, you can use AES with WPA, or you can use TKIP with WPA2.  WPA2 only indicates complete compliance with the 802.11i standard.
> 
> Mainly the big difference is WPA=CCMP Optional and WPA2=CCMP Required.


There's a good chance you'll run into problems if you do.  Using TKIP on WPA2 is just plain stupid.  The whole reason why WPA2 shines is because it supports AES.  To not use it is like installing a $10,000 alarm system in a house and never arming it.


@Flak: Rijndael (AES) > Triple DES


----------



## Flak (Dec 14, 2010)

FordGT90Concept said:


> @Flak: Rijndael (AES) > Triple DES





Unless I'm not understanding what I typed (lol), I'm pretty sure thats what I said.


----------



## newtekie1 (Dec 14, 2010)

FordGT90Concept said:


> There's a good chance you'll run into problems if you do.  Using TKIP on WPA2 is just plain stupid.  The whole reason why WPA2 shines is because it supports AES.  To not use it is like installing a $10,000 alarm system in a house and never arming it.



That wasn't my point. My point was that WPA doesn't immediately imply TKIP and WPA2 doesn't immediately imply AES.


----------



## FordGT90Concept (Dec 14, 2010)

Did I say it does?  I stated the type of encryption you should use for each.  Likewise, if your hardware can only support a given encryption method, you should use the accompanying protocol to maximize compatibility.  That is to say, if you have a device that has issues connecting to WPA2/AES, you should drop the network down to WPA/TKIP.  In most cases today, I usually start at WPA2/AES and only drop down to WPA/TKIP if an important device can't connect wirelessly be it a laptop, set-top box, or what have you.  Additionally, some older routers had firmware upgrades for WPA2 but they do a poor job at AES.

Put simply: WPA2/AES; when in doubt, WPA/TKIP.


----------



## newtekie1 (Dec 14, 2010)

FordGT90Concept said:


> WPA = TKIP
> WPA2 = AES



Seems pretty clear to me.  You are saying WPA is the same as TKIP and WPA2 is the same as AES, after all that is what equals means.


----------

