Use WPA-AES To Secure Your Wireless Network

Wired Equivalent Privacy (WEP) was the first standard implemented for securing wireless networks. As the weakness of the RC4 algorithm, which WEP relied on, became better known Wi-Fi Protected Access (WPA) was created as a successor. WPA has two modes: Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES).

TKIP was a bandage created for devices that could implement AES. It used WEP but with four rotating keys that raised the challenge of attacking the network significantly. But it was never meant to be a long-term replacement. Nowadays everything has support for AES, which was a good enough reason to move away from TKIP. In addition to that the weaknesses in RC4 are now bad enough where breaking TKIP is easy:

Almost a third of the world’s encrypted Web connections can be cracked using an exploit that’s growing increasingly practical, computer scientists warned Wednesday. They said the attack technique on a cryptographic cipher known as RC4 can also be used to break into wireless networks protected by the Wi-Fi Protected Access Temporal Key Integrity Protocol.

Researchers have long known statistical biases in RC4 make it possible for attackers to predict some of the pseudo-random bytes the cipher uses to encode messages. In 2013, a team of scientists devised an attack exploiting the weakness that required about 2,000 hours to correctly guess the characters contained in a typical authentication cookie. Using refinements, a separate team of researchers is now able to carry out the same feat in about 75 hours with a 94 percent accuracy. A similar attack against WPA-TKIP networks takes about an hour to succeed. The researchers said the only reliable countermeasure is to stop using RC4 altogether.

A wireless network secured with TKIP can now be broken in an hour. If you haven’t already setup your access point to exclusively use AES it’s time to do so. If you’re administering a web server and haven’t already disabled RC4 you’ve failed. But there’s no reason you can’t redeem yourself by disabling it now.

I spend a lot of time advocating for people to encrypt their data. One caveat I try to point out but sometimes forget is that all encryption isn’t made the same. Some encryption algorithms and implementations are far better than others. Even poor encryption is better than no encryption but usually not by a lot. Effective encryption is what you need if you want to keep your data private.