TKIP vs AES: Wi-Fi Security Protocols Explained

While setting up your router at home or work, you must have come across multiple options when it comes to choosing the security standard for your Wi-Fi connection. WEP, WPA, WPA2, CCMP, EMP, TKIP, AES … the list is as long as it is confusing. While options are (almost) always a good thing, it’s difficult for a regular internet user to choose one, especially when most of us don’t know how one standard differs from another. Well, those who don’t know should stick with the WPA2 protocol as this is the most widely used standard WiFi security protocol. However, WPA2 uses two different type of encryption; AES and TKIP. In this article we are going to learn a little more about each of them to help you decide which one you should choose.

What is TKIP?

TKIP, or Temporary Key Integrity Protocol, was introduced in the early years of this millennium as a stopgap security measure to replace the older and inherently unsafe WEP (Wired Equivalent Privacy) encryption standard which was widely used on early Wi-Fi equipment that were launched in the late 1990s and early 2000s. While TKIP was intended to be at least relatively more secured than WEP, the standard has since been deprecated in the 2012 revision of Wi-Fi 802.11 after it was found to have glaring security loopholes that can be exploited by hackers without too much of a problem. That’s because TKIP uses the same underlying mechanism as WEP, and is hence, equally vulnerable to attacks. Having said that, some of the new security features implemented by the WPA-PSK (TKIP) standard, like per-packet key hashing, broadcast key rotation and a sequence counter, meant that it was able to eliminate some of the weaknesses of WEP, like the infamous key recovery attacks that the older standard was susceptible to, although, the protocol has significant vulnerabilities of its own.

TKIP vs AES: Wi-Fi Security Protocols Explained

What is AES?

Short for Advanced Encryption Standard, AES is a set of ciphers that’s available in a block size of 128 bits and key lengths of either 128, 192 or 256 bits depending on the hardware. Although it comes with its own baggage, it is a much more secured protocol that supersedes that legacy DES (Data Encryption Standard) protocol that was originally published back in the 1970s. Unlike its predecessor, AES doesn’t use the Fiestel network and instead, uses a design principal known as substitution-permutation network as the base for its block cipher algorithm. It is the encryption standard of choice for the U.S. federal government, and is the only publicly accessible cipher approved by the country’s National Security Agency (NSA). While some cryptographers have, from time to time, presented evidences of supposed vulnerabilities in AES, all of those have either been shown to be impractical or ineffective against full AES-128 implementation.

Image Courtesy: D-Link

WPA, WPA2, WEP: What About These Acronyms?

You get the option to use either TKIP or AES with most routers available in the market today, but what what about all those other pesky acronyms, like WPA, WPA2, WEP, PSK, Enterprise, Personal, etc. etc.? To start off, the one thing that you must absolutely remember is that WEP, or Wired Equivalent Privacy, is a decades-old protocol that has been proven to be extremely vulnerable, which is why it should be consigned to the annals of history where it belongs. WPA (Wi-Fi Protected Access), which superseded WEP, is a newer protocol that is relatively more secure, although, that too has been shown to be singularly ineffective against competent hackers.

Image Courtesy: LinkSys

The newest and most secured WPA2 protocol, which became the industry standard in the middle of the last decade, should be the default security algorithm for virtually all Wi-Fi equipment launched 2006 onwards, when the standard became mandatory for all new Wi-Fi devices. While the older WPA was designed to be backwards compatible with older Wi-Fi hardware secured with WEP, WPA2 does not work with older network cards and legacy devices.

Difference between Personal, Enterprise, and WPS

Some of you may be wondering about a few more confusing acronyms that you have to deal with while setting up your router. As such, the Personal and Enterprise modes are not so much different encryption protocols, rather mechanisms for authentication key distribution to distinguish between end-users. The Personal mode, also referred to as PSK or pre-shared key, is primarily designed for home and small office networks and doesn’t require an authentication server. For the most part, all you need is basically a password to log into these networks.

Enterprise mode, on the other hand, is designed primarily for enterprise networks, and while it does provide additional security, it also requires a much more complicated setup. It requires a RADIUS authentication server to verify each login and, uses the EAP (Extensible Authentication Protocol) for authentication. Personal and Enterprise modes are both available with WPA as well as WPA2, as can be seen from the above image of our LinkSys EA7300 setup page.

Image Courtesy: D-Link

There’s also another authentication key distribution mechanism called WPS (Wi-Fi Protected Setup), but it has been proven to have multiple security issues, including what’s known as the Wi-Fi Pin Recovery vulnerability, which could potentially allow remote attackers to recover the WPS PIN, thereby letting them decipher the router’s Wi-Fi password fairly easily.

TKIP vs AES vs TKIP/AES: How to Pick the Correct Option?

By now, you already know that there’s no real debate between the TKIP and AES standards. That’s because, unlike the older, deprecated protocol, there is no documented practical hack that would allow a remote attacker to read data encrypted by AES. However, given that some of the routers actually offer you a confusing ‘TKIP/AES’ option, many of you may be wondering if there’s any merit in picking that over AES. So here’s the deal. The mixed TKIP/AES mode is only meant for backwards compatibility with legacy Wi-Fi equipment from a bygone era, so unless you’re using any such device, cyber-security experts recommend that you use WPA2-PSK/Personal (AES) every single time. In case you got some old – and I mean really old – Wi-Fi equipment that was launched without AES, the mixed-mode WPA/WPA2 (TKIP/AES) configuration maybe a necessary evil that you need to resort to, but do remember that it could also make you vulnerable to security breaches, thanks to all the security holes found in the WPA and TKIP protocols.

If enhanced security isn’t enough to convince you about the benefits of sticking with the WPA2 (AES) standard, maybe the next piece of info will convince you to do that. Using WPA/TKIP for compatibility will also mean that you will get relatively slower connectivity. You won’t really notice it if you’re still stuck on slower connections, but many of the modern ultra-fast routers that support the 802.11n/ac will only support speeds of up to 54Mbps with the mixed mode, so that expensive Gigabit connection of yours will still be downgraded to 54Mbps if you’re using mixed mode encryption. While 802.11n supports up to 300Mbps with WPA2 (AES), 802.11ac can support theoretical top speeds of up to 3.46 Gbps on the 5GHz band, although, practical speeds are likely to be much lower.

SEE ALSO: How to Setup Linksys Smart WiFi Router

TKIP VS AES: The Best Security For Your Wi-Fi Network

As an end-user, the one thing that you need to remember is that if your router setup page simply says WPA2, it almost inevitably means WPA2-PSK (AES). Similarly, WPA without any of the other acronyms mean WPA-PSK (TKIP). Some routers do offer WPA2 with both TKIP and AES, in which case, unless you really intend to use an ancient device on the network, you know better than to use TKIP. Just about all your Wi-Fi equipment from the past decade will certainly work with WPA2 (AES) and, you’ll get a faster, more secure network for it. How’s that for a bargain? So if you have any further doubts on the subject or have an option on your router’s setup page that we haven’t covered here, do leave a note in the comment section below and we’ll do our best to get back to you.

#Tags
Comments 0
Leave a Reply

Loading comments...