wrt54g ssid broadcast disabled

Bryan Kadzban bryan at kadzban.is-a-geek.net
Wed Nov 2 22:04:37 EST 2005


Lucia Di Occhi wrote:
> My router, the WRT54G, supports Security Mode WPA2-Personal and two
> encryption algorithms:
> 
> TKIP+AES
> AES
> 
> The router is configured for WPA2 and TKIP+AES but you are saying
> that AES-CCMP is more secure.  So my question is: what is the
> difference between the two encryption options offered by the linksys
> WPA2 security mode, which one is deemed more secure and why?

With TKIP+AES, I believe your AP is advertising two different possible
pairwise encryption algorithms (TKIP and AES-CCMP), and using TKIP for
the group key (because it has to stay compatible with all associated
clients).

With AES(-CCMP) only, the AP will advertise only AES-CCMP for pairwise
keys, and use AES-CCMP for the group key as well.

The difference is that AES-CCMP is not a band-aid on WEP, it's an
entirely different encryption algorithm.  TKIP is "just" a band-aid.

Don't get me wrong; TKIP has proven (so far) to be a pretty decent
band-aid, and it's probably good enough for almost anyone at this time.
(The underlying RC4 algorithm is still supported by a lot of HTTPS
sites, for instance.)  But stuff like this can change pretty quickly,
too, and IMO RC4 is starting to age (but note: I'm not a cryptanalyst!).

That's why I use AES on my wireless networks, at least.

> since my wpa_supplicant.conf now reads: 
>     proto=WPA
>     key_mgmt=WPA-PSK 
>     pairwise=TKIP
>     group=TKIP
> what am I really using, is it WPA instead of WPA2 even if the AP is set
> for WPA2?

WPA and WPA2 are compatibility standards from the Wi-Fi Alliance.  WPA
included TKIP encryption, using either pre-shared keys or full EAP
authentication (with a RADIUS server).  WPA2 includes either TKIP or
AES-CCMP encryption, using either pre-shared keys or full EAP
authentication (again, with a RADIUS server).  Users may enable or
disable any of the available encryption algorithms on their APs in any
mode.  I believe AES-CCMP is an extension for WPA also, because my
(fairly old) WRT54G offers AES-CCMP, but not WPA2.  Maybe there was no
standard for that combination, though.

There are also some minor differences between WPA and WPA2 regarding key
caching and fast roaming, but I don't believe those are required with
WPA2 (they are an option, but I think a WPA2 AP can interoperate with a
client that doesn't support the caching).

According to that network block, you are using WPA (no key-caching) on
the client side.  I believe you're still using WPA2 (support for
key-caching) on the AP side, but this specific client isn't taking
advantage of the caching capability.  If this client never roams, it
doesn't matter.

If you want to use AES, then you can try setting pairwise and group to
CCMP in wpa_supplicant's config, and use AES only in the AP's config.
(Because if you use TKIP+AES, then you'll have to use group=TKIP on the
client side.)  proto=WPA2 shouldn't hurt, but depending on the client
NIC and drivers, it might.  But as above, if you don't roam, I don't
believe it matters anyway.

key_mgmt should stay WPA-PSK unless you plan on setting up a RADIUS
server for client authentication.
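To make the advice in this reply checkable, here is a small audit script; it is an added example and is not code from the original post or from the hostap project. It parses the `network={ ... }` blocks of a wpa_supplicant.conf, assumes the documented wpa_supplicant defaults for omitted `proto`, `pairwise` and `group` keys (which accept TKIP), and reports every block that can still negotiate TKIP or that is pinned to WPA rather than RSN/WPA2. The embedded config is constructed for the example; the passphrases are placeholders.

```python
"""Flag wpa_supplicant.conf network blocks that can still negotiate TKIP or WPA-only."""
import re

# Constructed sample config (not from the post): one block as quoted in the
# thread (WPA + TKIP), one block as the reply recommends (WPA2 + CCMP).
SAMPLE_CONF = """\
ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="home-mixed"
    proto=WPA
    key_mgmt=WPA-PSK
    pairwise=TKIP
    group=TKIP
    psk="placeholder-passphrase"
}

network={
    ssid="home-ccmp"
    proto=WPA2
    key_mgmt=WPA-PSK
    pairwise=CCMP
    group=CCMP
    psk="placeholder-passphrase"
}
"""

BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)

# wpa_supplicant's documented defaults when a key is omitted from a network
# block; note that every default list still permits TKIP (and WEP for group).
DEFAULTS = {
    "proto": "WPA RSN",
    "pairwise": "CCMP TKIP",
    "group": "CCMP TKIP WEP104 WEP40",
}


def parse_networks(text):
    """Return one dict (key -> value) per network={...} block, in file order."""
    nets = []
    for match in BLOCK_RE.finditer(text):
        block = {}
        for line in match.group(1).splitlines():
            line = line.split("#", 1)[0].strip()  # drop trailing comments
            if "=" not in line:
                continue
            key, _, val = line.partition("=")
            block[key.strip()] = val.strip().strip('"')
        nets.append(block)
    return nets


def accepted(block, key):
    """Set of values the block accepts for key (space-separated list, or default)."""
    return set(block.get(key, DEFAULTS[key]).upper().split())


def audit_network(block):
    """Return findings for one block; an empty list means WPA2/RSN with CCMP only."""
    findings = []
    ssid = block.get("ssid", "<no ssid>")
    protos = accepted(block, "proto")
    if not protos & {"RSN", "WPA2"}:
        findings.append(
            f"{ssid}: proto={block.get('proto')} pins the client to WPA; add RSN/WPA2")
    for key in ("pairwise", "group"):
        weak = accepted(block, key) - {"CCMP"}
        if weak:
            hint = " (AP must be AES-only first)" if key == "group" else ""
            findings.append(
                f"{ssid}: {key} accepts {' '.join(sorted(weak))}; set {key}=CCMP{hint}")
    return findings


def audit_conf(text):
    """Audit every network block in a wpa_supplicant.conf string."""
    return [f for net in parse_networks(text) for f in audit_network(net)]


if __name__ == "__main__":
    for finding in audit_conf(SAMPLE_CONF):
        print(finding)
```

The `group` hint reflects the point made above: with the AP in TKIP+AES mode the group key stays TKIP, so `group=CCMP` on the client only works once the AP is switched to AES only.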