harryz
Posts: 3
Registered: ‎12-06-2009

WPA-PSK vs. WPA2-PSK security

Aloha,

Much to my dismay, I have discovered that my recently purchased Range Expander (WRE54G) does not support WPA2-PSK security which was what I was running on my wireless network. So, since I have to downgrade my wireless network to WPA-PSK security, I have a few questions:

1) How much less secure is WPA-PSK vs. WPA2-PSK?

2) With WPA-PSK I have a choice between TKIP and AES encryption. Which one provides more security?

Thanks in advance,

Harry Z.

Posts: 86
Registered: ‎11-14-2008

Re: WPA-PSK vs. WPA2-PSK security

1. WPA2 was rebuilt from the ground up because the powers that be were worried about potential security vulnerabilities with WPA. I believe WPA has been cracked, but it is better than WEP by a large margin. To ensure your system is secure, make sure you do not broadcast your SSID, change default passwords, and turn on MAC address filtering.

2. AES





harryz
Posts: 3
Registered: ‎12-06-2009

Re: WPA-PSK vs. WPA2-PSK security

Aloha Johnathan,

Mahalo nui loa (Thank you very much) for your reply. I kind of thought that WPA had been compromised, otherwise why bother to create WPA2?

Is there a resource on the web that you know of that explains all the different options with WPA and WPA2 in language a non-network guru can understand?

Take care, and I owe you some chocolate covered macadamia nuts.

Expert
Posts: 12,649
Registered: ‎07-16-2006

Re: WPA-PSK vs. WPA2-PSK security

WPA was created to deal with the vulnerabilities of WEP. As usual, standardization was slow. WPA2 is IEEE standard 802.11i. WPA is "pre-standard". See Wikipedia.

WPA uses TKIP which has weaknesses.

WPA2 uses AES (or better CCMP) which is considered secure.

As usual, pre-shared key security also highly depends on the strength of the key. WPA2 with AES and passphrase "password" is obviously very insecure. Passphrases can be up to 63 characters in length.

For security, use WPA2 with AES. If you have clients which require WPA+TKIP you can set up WPA2 with AES+TKIP. This allows AES clients to connect with AES and TKIP clients to connect with TKIP.

Forget about not broadcasting the SSID: it technically breaks the standard, causes numerous problems with a variety of clients, and does not provide any security. Even if the SSID is not broadcast in the beacon, the beacon itself is visible to anyone. Anyone will immediately know that there is an access point which does not broadcast the SSID. In addition, the SSID is always unencrypted in each packet when a wireless client tries to connect to your access point. It only takes a single packet to reveal your SSID. If there is a wireless device connected at the moment, a simple deauthenticate attack will immediately force the wireless client to reconnect and reveal the SSID. A non-broadcast SSID is "secret" only as long as there are no wireless connections to your wireless network.

Also forget about MAC address filtering: MAC addresses are always unencrypted in wireless packets. It is easily and quickly possible to find the MAC addresses which have access to your wireless network. It is also very easy to clone MAC addresses on wireless cards. Wireless MAC address filtering will do one thing: cause you problems each time you want to connect a new wireless device. It won't keep any attacker away from your network. Anyone willing to attack your WPA-TKIP protected network will quickly deal with a "hidden" SSID and MAC address filtering...

Thus: if you have to use WPA with TKIP you are still relatively secure. WPA2 with AES would be better. Configure your router for WPA2 and TKIP+AES. That way WPA2 clients are able to connect with AES. If you are very worried about security, use the TKIP client as little as possible. An attacker against TKIP needs TKIP encrypted traffic. The less TKIP traffic there is, the less material for an attack.

Of course, with a repeater like the WRE54G you have few options. I generally recommend people not to use a repeater anyway. Repeaters knock a good deal off your wireless bandwidth as traffic is repeated. Whenever possible, run a wire between those locations. If you need wireless in the second location, set up a wireless access point (or another wireless router set up as a plain switch/access point) and wire this second access point to your main router. You have much better throughput, you can roam between wireless networks, and all your worries about WPA-TKIP are obsolete...
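
Added example (not part of the thread and not any poster's code): how a WPA/WPA2-Personal passphrase becomes the 256-bit pre-shared key, with a rough strength check illustrating the point above that the passphrase matters as much as the cipher. The `COMMON` list, the `min_bits` threshold, the sample passphrases and the SSID `HomeNet` are assumptions made for illustration.

```python
import hashlib
import math

# Constructed sample of commonly chosen passphrases (illustrative, not a real wordlist).
COMMON = {"password", "12345678", "qwertyuiop", "letmein123"}


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PSK: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def estimated_bits(passphrase: str) -> float:
    """Optimistic upper bound on entropy from the character classes used.

    Returns 0.0 for anything on the common list, since length does not help there.
    """
    if not passphrase or passphrase.lower() in COMMON:
        return 0.0
    pool = 0
    pool += 26 if any(c.islower() for c in passphrase) else 0
    pool += 26 if any(c.isupper() for c in passphrase) else 0
    pool += 10 if any(c.isdigit() for c in passphrase) else 0
    pool += 33 if any(not c.isalnum() for c in passphrase) else 0
    return len(passphrase) * math.log2(pool)


def audit(passphrase: str, ssid: str, min_bits: float = 80.0) -> dict:
    """Derive the PSK and flag passphrases below min_bits (assumed threshold)."""
    psk = derive_psk(passphrase, ssid)  # validates length and character set first
    bits = estimated_bits(passphrase)
    return {"psk": psk.hex(), "bits": round(bits, 1), "ok": bits >= min_bits}


if __name__ == "__main__":
    for phrase in ("password", "t7#Rk2!vQp9zLm4@xW6cHd8s"):  # constructed samples
        print(phrase, audit(phrase, "HomeNet"))  # "HomeNet" is a made-up SSID
```

The derivation is the same for WPA and WPA2, so moving between TKIP and AES does nothing for a passphrase that fails this check.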
ridcully
Posts: 2,329
Registered: ‎09-07-2006

Re: WPA-PSK vs. WPA2-PSK security

Check this link.
harryz
Posts: 3
Registered: ‎12-06-2009

Re: WPA-PSK vs. WPA2-PSK security

Thank you to both of you for the updates. Really appreciate it.

And that "difference between" site is really neat.

Mahalo!

Harry Z.