TKIP vs AES

[hat]

I currently use AES encryption, as it's the only one that hasn't been cracked (WEP and TKIP being the alternatives). Apparantly, WEP is generic and can be hacked into by just about anyone who cares to know how. TKIP has been recently cracked, but how easy is it to get in to?

This is for my home wireless network. I'm not too worried about getting hacked, even if I left it unsecured.

*I do broadcast my SSID. I didn't for quite some time, but it always seemed to bring up connectivity issues. My mom has a laptop for work and she takes it all over the place and there's a list of previously accessed wireless networks in that thing about a mile long, but she does come here and use my network sometimes. For some reason, with SSID broadcasting disabled, I had to re-configure the settings for my network so she could get access. Nothing would change on my end. For this reason I leave SSID broadcasting on to avoid this issue.

*I have a MAC address filter set up. Only my mom's desktop, which stays here, and my mom's laptop can access my network, regardless if someone knows the password or not. This leads me to believe that even if I left my network unsecured, I wouldn't actually get anyone accessing my network: the worst anyone could do is packet sniffing.

Looking at AES and TKIP, it looks like TKIP is a lot less resource intensive than AES. I want to use the less resource intensive TKIP encryption so as to not swamp my router with the intensive AES encryption. As previously mentioned, I know TKIP has been hacked, but how easy is it to get in to?

tl;dr I want to use TKIP instead of AES because it's less resource intensive, but should I be worried about the decreased security?

[streetfighter 2]

Quote:

Originally Posted by hat

tl;dr I want to use TKIP instead of AES because it's less resource intensive, but should I be worried about the decreased security?

I'm not personally. It depends how paranoid you are though.

http://arstechnica.com/tech-policy/n...ure-on-wpa.ars

I tend to think of wireless security on a more fundamental level:
Are there a lot of people in range of your wireless network?
Are you in an area likely to be wardriven?
Do you transact a lot of sensitive and unencrypted data on the network?
Do you like pistachios salted or not?

[hat]

Quote:

Originally Posted by streetfighter 2

Are there a lot of people in range of your wireless network?

I live in an apartment complex.

Quote:

Originally Posted by streetfighter 2

Are you in an area likely to be wardriven?

Folks is poor around here... and we're starting to see signs of the "creeping death"... that is, the ghetto is spilling over into this neighborhood. I guess people would be looking for free internet around here, but there's also tons of unsecured networks, so I reckon those people would target the unsecured networks rather than mine.

Quote:

Originally Posted by streetfighter 2

Do you transact a lot of sensitive and unencrypted data on the network?

Not really. I'm more worried about somebody packet sniffing a credit card number from a Paypal transaction and other things of that nature. The only shared files I have on my network are literally my "dc" folder (holds WCG and FAH on one machine) and my Quake folder (same machine, makes for easy modification of files through network file sharing).

Quote:

Originally Posted by streetfighter 2

Do you like pistachios salted or not?

Definately salted when I get them, but I havn't had any in some time.

[IggSter]

I wouldn't be worried about someone sniffing your credit card details as in most cases that connection is encrytped also, so even if someone manages to break into your wifi, they would only see an encrypted data stream.

One of the best counters is actually to refresh your wifi key on a weekly basis - a bit of a PITA to change the clients but worth the effort IMHO.

Another suggestion would be to use some form or 3rd party authentication (if your router supports it) such as TACACS or RADIUS.

http://freeradius.org/

[garyinhere]

Quote:

Originally Posted by hat

Not really. I'm more worried about somebody packet sniffing a credit card number from a Paypal transaction and other things of that nature

The easiest way to get around this imo and this is also what i do, is to go to wal-mart and purchase a visa prepaid credit card. It will only have the amount of money on it that you load to it. I leave mine empty until ready to make a purchase on new egg. You can also tie the card into your PP account and if it gets compromised just cut it up and buy another... I've been using the same card for over a year with no worries about my info being stolen! Plus you don't run into credit card debt because you can only spend what you load on it

[mrhuggles]

erm, i think that AES might not be as bad as you think, generally it uses hardware acceleration, it shouldn't be slower unless your hardware uses a purely software implementation, like if it didnt support it but support was later haxed in via a patch or something? maybe... thats why WPA2 is so much faster than WPA usually, WPA was more of a software thing and then WPA2 was a nice hardware change, am i wrong about that? im pretty sure i read it somewhere...

[slyfox2151]

turning off SSID broadcast does nothing at all to stop hackers. it just stops it from being displayed on windows... a simple program will still see the SSID.



good luck breaking into a WPA network....
mac address blocking wont stop a hacker... he will just change his mac address to be the same as the laptop and bam.. he has internet.

[hat]

Quote:

Originally Posted by mrhuggles

erm, i think that AES might not be as bad as you think, generally it uses hardware acceleration, it shouldn't be slower unless your hardware uses a purely software implementation, like if it didnt support it but support was later haxed in via a patch or something? maybe... thats why WPA2 is so much faster than WPA usually, WPA was more of a software thing and then WPA2 was a nice hardware change, am i wrong about that? im pretty sure i read it somewhere...

Resource intensive on the router, I meant.

Quote:

Originally Posted by slyfox2151

turning off SSID broadcast does nothing at all to stop hackers. it just stops it from being displayed on windows... a simple program will still see the SSID.



good luck breaking into a WPA network....
mac address blocking wont stop a hacker... he will just change his mac address to be the same as the laptop and bam.. he has internet.

How would he get my MAC address?

[mrhuggles]

is it really resource intense? i cant notice a difference on my WHR-HP-GN, thats 400mhz tho, but also i couldn't tell any difference on my old WRT54G v2 and that was only 200mhz, generally on the WRT54G i used openWRT and on the WHR-HP-GN i use DD-WRT

[slyfox2151]

Quote:

Originally Posted by hat

Resource intensive on the router, I meant.



How would he get my MAC address?

the laptop would send out its mac address when its connected to the router.

[AsRock]

Quote:

Originally Posted by hat

Resource intensive on the router, I meant.



How would he get my MAC address?

I used a program called Wireless Monitor as it was the only one i could find that worked with my lappy and that would give you peoples mac addresses. All so it will show you the SSID's too.

[Fourstaff]

From what I know, if you set a simple protection it will deter most from stealing your internets, if you set a strong protection it will prevent that bored kid over the corner from gaining access, and nothing will stop a determined hacker.

Bottom line: dont worry too much.

[qubit]

@hat: Why not use WPA2? This has not been hacked into AFAIK

@streetfighter 2: I like my pistachios salted. This is terribly important.

[Mussels]

pro tip: cut back the signal strength, and they cant hack it.


if router has no options to do that, use tinfoil over the routers aerial XD



btw i see some confusion: the actual encryption methods available are:


None:
WEP: basically none :P
WPA aka WPA1: tougher to crack, but can be done given time (days of packet sniffing/forced injection)
WPA2 (tough)

AES and TKIP are just sub settings for those. WPA2 with TKIP is the best, iirc.


MAC addy blocks are worthless, as you can spoof the mac addy you see sending the data when you do the sniffing. it wont even slow a hacker down.

[RejZoR]

I can't think of any reason not to use AES. Routers are designed to use it and i can asure you you can't tell a difference between unencrypted router and a router using AES. So, just AES and live a peaceful life.

[streetfighter 2]

Quote:

Originally Posted by Mussels

btw i see some confusion: the actual encryption methods available are:


None:
WEP: basically none :P
WPA aka WPA1: tougher to crack, but can be done given time (days of packet sniffing/forced injection)
WPA2 (tough)

AES and TKIP are just sub settings for those. WPA2 with TKIP is the best, iirc.

I see some confusion-- The actual encryption methods are:
AES
RC4

Wi-Fi Alliance Certifications:
WPA
WPA2

The protocols:
WEP -> Uses RC4
TKIP - Mandatory in WPA & WPA2 spec -> Uses RC4 (AES is not mandatory in the spec)
CCMP - Mandatory in WPA2 spec -> Uses AES

[newtekie1]

Use TKIP, hell use WEP. Yes they are both easily hackable but most won't even bother because they can just drive a few doors down and find an unsecured access point and get on that. You aren't a company so your wireless network is a low target.

And MAC filtering is probably the most useless protection ever. It is insanely easy to spoof a MAC address, and they don't even have to crack the encryption to figure out what MAC address the packets are coming from.

[RejZoR]

That's not true. Even if you're just an individual, it's still smart to use max possible security.
Either you don't want anyone to sniff your online shopping info or worse, download for example child pr0n through your connection. In the end you'll be prosecuted. So don't take wireless security too easily. Just use WPA2 AES and just forget about any possible worries.

[kuroikenshi]

Rather related to this... im a bit perturbed at the amount of wireless devices that can connect to wireless network ONLY if the SSID is being broadcasted.

Why can't they work in the ability to connect to that network even if its not being broadcasted?

Also granted that some of these encryptions are easy to break, for the most part having SOME type of security is enough of a deterient from most people who just want a quick easy access to the internet.

[qubit]

Quote:

Originally Posted by streetfighter 2

I see some confusion-- The actual encryption methods are:
AES
RC4

Wi-Fi Alliance Certifications:
WPA
WPA2

The protocols:
WEP -> Uses RC4
TKIP - Mandatory in WPA & WPA2 spec -> Uses RC4 (AES is not mandatory in the spec)
CCMP - Mandatory in WPA2 spec -> Uses AES

I see that I was obviously one of the confused. Cleared that up nicely for me now.

[newtekie1]

Quote:

Originally Posted by RejZoR

That's not true. Even if you're just an individual, it's still smart to use max possible security.
Either you don't want anyone to sniff your online shopping info or worse, download for example child pr0n through your connection. In the end you'll be prosecuted. So don't take wireless security too easily. Just use WPA2 AES and just forget about any possible worries.

No not really. As I said, MAC address filtering is just a waste of time and CPU power on a router, because it is so easily spoofed.

And TKIP will keep everyone off your network.

Having maximum security at the expenense of a slower connection due to an overloaded router isn't smart for an individual. The kiddy porn people aren't wasting time cracking security, they are just using the free connections that are already available to them.

[RejZoR]

What slowdown? I can't see any and i'm gaming online, downloading a lot and all. Maybe you'd notice it if you have many systems connected and you'd be using full LAN. But most of ppl use it to connect laptops wirelessly. AES is just a logical option and i really can't see a single reason not to use it. It's like deciding between a proper door lock (AES) and a wooden stick (TKIP) that's blocking it from the inside. What would you pick?

[Fourstaff]

Quote:

Originally Posted by RejZoR

What slowdown?

His hardware is probably way weaker than yours, so you might not feel it but he will certainly get some performance boost.

[newtekie1]

Quote:

Originally Posted by RejZoR

What slowdown? I can't see any and i'm gaming online, downloading a lot and all. Maybe you'd notice it if you have many systems connected and you'd be using full LAN. But most of ppl use it to connect laptops wirelessly. AES is just a logical option and i really can't see a single reason not to use it. It's like deciding between a proper door lock (AES) and a wooden stick (TKIP) that's blocking it from the inside. What would you pick?

Most consumer level routers can not handle TKIP or AES without effecting the connection speed, AES being worse and showing a more noticeable affect. This only really applies if you have a connection that is faster than 30Mb/s though, and once you get up that high you aren't going to notice the difference unless you really pay attention. Most people won't be able to tell a 50Mb/s connection from a 20Mb/s connection. Pages to them will load instantly with either, so it will seem to be the same. The gaming online aspect doesn't really show that you aren't seeing any slowdown, because games don't need much faster than a 5Mb/s connection, the latency is more important there.

And your anology is a little exagerated. You make it sound like TKIP is easily broken, that is far from the case. In fact it is still extremely difficult to crack and needs some seriously powerful hardware to do it. I believe the people that did it had to use a cluster of high end computer to pull it off. It isn't something that some guy driving down the road with a laptop is going to be able to pull off.

Quote:

Originally Posted by Fourstaff

His hardware is probably way weaker than yours, so you might not feel it but he will certainly get some performance boost.

Or my connection is faster than his...

[streetfighter 2]

Quote:

Originally Posted by RejZoR

It's like deciding between a proper door lock (AES) and a wooden stick (TKIP) that's blocking it from the inside. What would you pick?

I'm sorry to point it out, but this is a wildly inaccurate analogy... Unless this is the wooden stick you're talking about:


Have a look for yourself: http://arstechnica.com/tech-policy/n...ure-on-wpa.ars

Quote:

These two [TKIP] attacks can certainly present problems, but they do not threaten the overall encryption of the wireless stream.

If someone was a fairly proficient programmer (and if properly motivated) they could write an exploit for TKIP and be limited to injecting tiny packets. In a few weeks they might be able to do some minor damage, but nothing that could truly compromise the network. No one has confirmed the ability to retrieve the WPA key.