[Off topic] Difference between wpa: tkip & aes

Jouni Malinen jkmaline at cc.hut.fi
Sun Nov 6 13:04:18 EST 2005

On Sun, Nov 06, 2005 at 03:54:31PM +0200, Jar wrote:

> Because the sniffer shows that the data packets are WEP protected. 
> Looking inside the data packet there is mention about TKIP.

The sniffer has no way of knowing that they are WEP protected unless it
takes a look at what happened during association.

> When using Kismet, it complains about some weak keys after 24h traffic.
> I assume that the weak key problem is because TKIP/WEP method is
> actually used and not CCMP-AES.

That weak key claim is probably valid only if WEP was used (i.e., not
for TKIP and certainly not for CCMP). Anyway, even for WEP, there are
more efficient ways of cracking the key than weak keys, so reporting
weak is kind of pointless for WEP nowadays.. It is weak, no matter what
key is used.

> Or is it so that you can't see via sniffer is the encryption TKIP or 
> AES? How to 100% verify the security of the connection then?

There are no clear differences in TKIP and CCMP frame format that would
be clearly pointing out which one is being used. You could probably
figure out which one it is by looking at number of frames and how the
IV/packet number/TSC fields are being incremented since that part is
somewhat different between TKIP and CCMP. Anyway, the proper
verification would be to take a look at what kind of WPA/RSN IE was used
in (Re)Association Request (and later authenticated during 4-Way

Jouni Malinen                                            PGP id EFC895FA
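
The check described above (reading the WPA/RSN IE carried in the (Re)Association Request), as an added example that is not part of the original message or of the HostAP code. It assumes the caller passes only the tagged elements that follow the frame's fixed fields; the function names and sample bytes are constructed for illustration.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")  # suite selectors in the RSN IE (element ID 48)
WPA_OUI = bytes.fromhex("0050f2")  # suite selectors in the WPA IE (vendor element 221)
CIPHERS = {0: "use-group", 1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}

def _suite(sel, oui):
    """Name a 4-byte suite selector: 3-byte OUI followed by a 1-byte type."""
    if len(sel) != 4 or sel[:3] != oui:
        return "other-" + sel.hex()
    return CIPHERS.get(sel[3], "unknown-%d" % sel[3])

def _ciphers(body, oui):
    """Parse version, group cipher and pairwise cipher list from an IE body.
    Assumption: group and pairwise fields are present (the standard makes the
    fields after the version optional; a shorter IE is rejected here)."""
    if len(body) < 8:
        raise ValueError("IE too short for group/pairwise fields")
    version, = struct.unpack_from("<H", body, 0)
    count, = struct.unpack_from("<H", body, 6)
    if len(body) < 8 + 4 * count:
        raise ValueError("pairwise suite list truncated")
    pairwise = [_suite(body[8 + 4 * i:12 + 4 * i], oui) for i in range(count)]
    return {"version": version, "group": _suite(body[2:6], oui), "pairwise": pairwise}

def negotiated_ciphers(elements):
    """Walk the tagged elements of a (Re)Association Request; return WPA/RSN ciphers."""
    found, off = {}, 0
    while off + 2 <= len(elements):
        eid, length = elements[off], elements[off + 1]
        body = elements[off + 2:off + 2 + length]
        if len(body) < length:
            raise ValueError("element overruns the frame")
        if eid == 48:
            found["RSN"] = _ciphers(body, RSN_OUI)
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":
            found["WPA"] = _ciphers(body[4:], WPA_OUI)
        off += 2 + length
    return found

# Constructed sample elements (not captured traffic): SSID "test" followed by
# an RSN IE (group TKIP, pairwise CCMP), and a WPA IE (group and pairwise TKIP).
SAMPLE_RSN = bytes.fromhex("000474657374" "30140100000fac020100000fac040100000fac020000")
SAMPLE_WPA = bytes.fromhex("dd160050f2010100" "0050f2020100" "0050f2020100" "0050f202")

if __name__ == "__main__":
    print(negotiated_ciphers(SAMPLE_RSN))
    print(negotiated_ciphers(SAMPLE_WPA))
```

The pairwise list is what protects unicast data frames; a group cipher of TKIP alongside pairwise CCMP is what a mixed-mode network looks like.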
