Wifi encryption mode. Wireless network encryption type: how to choose a security method? How to choose the encryption type and set the WPA key on the WiFi router


Many computer users who work with the Internet (and not only) have undoubtedly heard the term AES. Only a fairly limited circle of people, however, has any idea what kind of system it is, what algorithms it uses and what it is used for. By and large, the average user doesn't need to know this. Nevertheless, let's consider this cryptographic system without delving too deeply into complex mathematical calculations and formulas, so that anyone can understand it.

What is AES encryption?

Let's start with the fact that the system itself is a set of algorithms that make it possible to hide the original form of data that is transmitted, received by the user, or stored on a computer. Most often it is used in Internet technologies when complete confidentiality of information must be ensured, and it belongs to the so-called symmetric encryption algorithms.

AES encryption uses the same key, known to both the sending and the receiving side, to convert information into a protected form and to decode it again. This is in contrast to asymmetric encryption, which uses two keys - private and public. Thus, it is easy to conclude that if both parties know the correct key, the encryption and decryption process is quite simple.

A little history

AES encryption was first mentioned back in 2000, when the Rijndael algorithm won the competition to select a successor to the DES system, which had been a standard in the United States since 1977.

In 2001, the AES system was officially adopted as the new federal data encryption standard and has since been used everywhere.

Types of AES encryption

Its development included several intermediate stages, which were mainly associated with increasing the length of the key. Today there are three main types: AES-128 encryption, AES-192 and AES-256.

The name speaks for itself. The number corresponds to the length of the key used, expressed in bits. In addition, AES is a block cipher: it works directly with blocks of information of a fixed length, encrypting each of them, in contrast to stream algorithms, which operate on single characters of a plaintext message and convert them into encrypted form. In AES, the block length is 128 bits.

In more scientific terms, the algorithms that AES-256 encryption uses rely on a polynomial representation of operations and codes when processing two-dimensional arrays (matrices).

How does it work?

The operating algorithm is quite complex, but it is built from several basic elements: a two-dimensional matrix, transformation cycles (rounds), a round key, and the initial and inverse substitution tables.

The data encryption process consists of several stages:

  • calculation of all round keys;
  • byte substitution using the main S-Box table;
  • shifting within the form (the state matrix) by different amounts (see figure above);
  • mixing data within each column of the matrix (form);
  • addition of the form and the round key.

Decryption is performed in the reverse order, but instead of the S-Box table, the inverse substitution table mentioned above is used.

To give an example, if you have a key 4 bits long, the search will require only 16 stages (rounds), that is, you need to check all possible combinations, starting from 0000 and ending with 1111. Naturally, such protection is hacked quite quickly. But if we take larger keys, 16 bits will require 65,536 stages, and 256 bits will require 1.1 x 10^77. And as stated by American experts, it will take about 149 trillion years to select the correct combination (key).

What to use in practice when setting up a network: AES or TKIP encryption?

Now let's move on to using AES-256 when encrypting transmitted and received data in wireless networks.

As a rule, there are several parameters to choose from: AES only, TKIP only and AES+TKIP. They are applied depending on the protocol (WEP or WEP2). But TKIP is an outdated system: it is less secure and does not support 802.11n connections with data transfer rates exceeding 54 Mbps. The conclusion therefore suggests itself that AES together with the WPA2-PSK security mode should be preferred, although both algorithms can be used as a pair.

Issues of reliability and security of AES algorithms

Despite the loud statements of experts, AES algorithms are theoretically still vulnerable, since the very nature of the encryption has a simple algebraic description. This was noted by Niels Ferguson. And in 2002, Josef Pieprzyk and Nicolas Courtois published a paper substantiating a potential XSL attack. True, it caused a lot of controversy in the scientific world, and some considered their calculations to be erroneous.

In 2005, it was suggested that an attack could use side channels, not just mathematical calculations. Moreover, one of the attacks calculated the key after 800 operations, and the other obtained it after 2^32 operations (in the eighth round).

Without a doubt, today this system could be considered one of the most advanced, if not for one thing. A few years ago, a wave of virus attacks swept across the Internet, in which an encryption virus (ransomware), having penetrated computers, completely encrypted the data and demanded a tidy sum of money for decryption. The ransom message stated that encryption was carried out using the AES1024 algorithm, which, until recently, was believed not to exist.

Whether this is true or not, even the most famous anti-virus software developers, including Kaspersky Lab, were powerless when trying to decrypt the data. Many experts admitted that the notorious I Love You virus, which at one time struck millions of computers around the world and destroyed important information on them, turned out to be baby talk in comparison with this threat. In addition, I Love You was aimed more at multimedia files, while the new virus gained access exclusively to confidential information of large corporations. However, no one can say definitively that AES-1024 encryption was used here.

Conclusion

To summarize, we can say that AES encryption is by far the most advanced and secure, regardless of what key length is used. It is not surprising that this particular standard is used in most cryptosystems and has fairly broad prospects for development and improvement in the foreseeable future, especially since it may well become possible to combine several types of encryption into one whole (for example, parallel use of symmetric and asymmetric or block and stream encryption).

Lately, many "exposing" publications have appeared about the hacking of some new protocol or technology that compromises the security of wireless networks. Is this really so, what should you be afraid of, and how can you ensure that access to your network is as secure as possible? Do the words WEP, WPA, 802.1x, EAP, PKI mean little to you? This short overview will help bring together all the encryption and radio access authorization technologies used. I will try to show that a properly configured wireless network represents an insurmountable barrier for an attacker (up to a certain limit, of course).

Basics

Any interaction between an access point (network) and a wireless client is based on:

  • Authentication - how the client and the access point introduce themselves to each other and confirm that they have the right to communicate with each other;
  • Encryption - what scrambling algorithm for transmitted data is used, how the encryption key is generated, and when it changes.

The parameters of a wireless network, primarily its name (SSID), are regularly advertised by the access point in broadcast beacon packets. In addition to the expected security settings, requests for QoS, 802.11n parameters, supported speeds, information about other neighbors, etc. are transmitted. Authentication determines how the client presents itself to the point. Possible options:

  • Open - a so-called open network in which all connected devices are authorized immediately
  • Shared - the authenticity of the connected device must be verified with a key/password
  • EAP - the authenticity of the connected device must be verified using the EAP protocol by an external server

The openness of the network does not mean that anyone can work with it with impunity. To transmit data in such a network, the encryption algorithm used must match and, accordingly, the encrypted connection must be correctly established. The encryption algorithms are:

  • None - no encryption, data is transmitted in clear text
  • WEP - cipher based on the RC4 algorithm with different static or dynamic key lengths (64 or 128 bits)
  • CKIP - proprietary replacement for Cisco's WEP, early version of TKIP
  • TKIP - improved WEP replacement with additional checks and protection
  • AES/CCMP - the most advanced algorithm based on AES256 with additional checks and protection

The combination Open Authentication, No Encryption is widely used in guest access systems, such as providing Internet in a cafe or hotel. To connect, you only need to know the name of the wireless network. Often such a connection is combined with an additional check on a Captive Portal by redirecting the user's HTTP request to an additional page, where confirmation can be requested (login and password, agreement with the rules, etc.).

WEP encryption is compromised and cannot be used (even in the case of dynamic keys).

The commonly encountered terms WPA and WPA2 in fact determine the encryption algorithm (TKIP or AES). Since client adapters have supported WPA2 (AES) for quite some time, there is no point in using TKIP encryption.

The difference between WPA2 Personal and WPA2 Enterprise lies in where the encryption keys used by the AES algorithm come from. For private (home, small) applications, a static key (password, code word, PSK (Pre-Shared Key)) with a minimum length of 8 characters is used; it is set in the access point settings and is the same for all clients of a given wireless network. Compromise of such a key (someone let it slip to a neighbor, an employee was fired, a laptop was stolen) requires an immediate password change for all remaining users, which is realistic only when there are few of them. For corporate applications, as the name suggests, a dynamic key is used, individual for each client working at that moment. This key can be periodically updated during operation without breaking the connection, and an additional component is responsible for generating it - an authorization server, which is almost always a RADIUS server.

All possible security parameters are summarized in this table:

| Property | Static WEP | Dynamic WEP | WPA | WPA 2 (Enterprise) |
|---|---|---|---|---|
| Identification | User, computer, WLAN card | User, computer | User, computer | User, computer |
| Authorization | Shared key | EAP | EAP or shared key | EAP or shared key |
| Integrity | 32-bit Integrity Check Value (ICV) | 32-bit ICV | 64-bit Message Integrity Code (MIC) | CRT/CBC-MAC (Counter mode Cipher Block Chaining Auth Code - CCM) Part of AES |
| Encryption | Static key | Session key | Per-packet key via TKIP | CCMP (AES) |
| Key distribution | One-time, manual | Pair-wise Master Key (PMK) segment | Derived from PMK | Derived from PMK |
| Initialization vector | Text, 24 bits | Text, 24 bits | Advanced vector, 65 bit | 48-bit packet number (PN) |
| Algorithm | RC4 | RC4 | RC4 | AES |
| Key length, bits | 64/128 | 64/128 | 128 | up to 256 |
| Required infrastructure | No | RADIUS | RADIUS | RADIUS |

While WPA2 Personal (WPA2 PSK) is clear, an enterprise solution requires further consideration.

WPA2 Enterprise



Here we are dealing with an additional set of various protocols. On the client side, a special software component, the supplicant (usually part of the OS), interacts with the authorizing part, the AAA server. This example shows the operation of a unified radio network built on lightweight access points and a controller. When access points with "brains" are used, the point itself can take on the entire role of intermediary between clients and the server. In this case, the client supplicant data is transmitted over the radio in 802.1x protocol (EAPOL) frames, and on the controller side it is wrapped in RADIUS packets.

When the EAP authorization mechanism is used in your network, after successful (almost certainly open) client authentication by the access point (together with the controller, if any), the latter asks the client to authorize (confirm its authority) with the infrastructure RADIUS server.

Using WPA2 Enterprise requires a RADIUS server on your network. At the moment, the most efficient products are the following:

  • Microsoft Network Policy Server (NPS), former IAS - configured via MMC, free, but you need to buy Windows
  • Cisco Secure Access Control Server (ACS) 4.2, 5.3 - configured via a web interface, sophisticated in functionality, allows you to create distributed and fault-tolerant systems, expensive
  • FreeRADIUS - free, configured using text configs, not convenient to manage and monitor

In this case, the controller carefully monitors the ongoing exchange of information and waits for successful authorization or refusal of it. If successful, the RADIUS server is able to transfer additional parameters to the access point (for example, which VLAN to place the subscriber in, which IP address to assign, QoS profile, etc.). At the end of the exchange, the RADIUS server allows the client and the access point to generate and exchange encryption keys (individual, valid only for this session).

EAP

The EAP protocol itself is a container, that is, the actual authorization mechanism is left to internal protocols. At the moment, the following have become reasonably widespread:

  • EAP-FAST (Flexible Authentication via Secure Tunneling) - developed by Cisco; allows authorization using a login and password transmitted within the TLS tunnel between the supplicant and the RADIUS server
  • EAP-TLS (Transport Layer Security). Uses a public key infrastructure (PKI) to authorize the client and server (supplicant and RADIUS server) through certificates issued by a trusted certification authority (CA). Requires issuing and installing client certificates for each wireless device, so is only suitable for managed enterprise environments. The Windows Certificate Server has facilities that allow the client to generate its own certificate if the client is a member of a domain. Blocking a client can easily be done by revoking its certificate (or through accounts).
  • EAP-TTLS (Tunneled Transport Layer Security) is similar to EAP-TLS, but does not require a client certificate when creating a tunnel. In such a tunnel, similar to a browser SSL connection, additional authorization is performed (using a password or something else).
  • PEAP-MSCHAPv2 (Protected EAP) - similar to EAP-TTLS in terms of the initial establishment of an encrypted TLS tunnel between the client and server, requiring a server certificate. Subsequently, authorization takes place inside this tunnel using the well-known MSCHAPv2 protocol.
  • PEAP-GTC (Generic Token Card) - similar to the previous one, but requires one-time password cards (and related infrastructure)

All of these methods (except EAP-FAST) require a server certificate (on the RADIUS server) issued by a certification authority (CA). In this case, the CA certificate itself must be present on the client's device in the trusted group (which is easy to implement using group policy on Windows). Additionally, EAP-TLS requires an individual client certificate. Client authentication is performed both by digital signature and (optionally) by comparing the certificate provided by the client to the RADIUS server with the one the server retrieved from the PKI infrastructure (Active Directory).

Support for any of the EAP methods must be provided by a client-side supplicant. The standard supplicants built into Windows XP/Vista/7, iOS and Android provide at least EAP-TLS and EAP-MSCHAPv2, which makes these methods popular. Intel client adapters for Windows come with a ProSet utility that extends the available list. Cisco AnyConnect Client does the same.

How reliable is it?

After all, what does it take for an attacker to hack your network?

For Open Authentication, No Encryption - nothing. The attacker connects to the network, and that's it. Since the radio medium is open, the signal travels in different directions, and blocking it is not easy. With appropriate client adapters that allow listening to the air, network traffic is visible just as if the attacker had connected to the wire, to a hub, or to the SPAN port of a switch.
WEP-based encryption requires only the time to go through IVs and one of the many freely available scanning utilities.
For encryption based on TKIP or AES, direct decryption is possible in theory, but in practice there have been no cases of hacking.

Of course, you can try to find the PSK key, or a password to one of the EAP methods. Common attacks against these methods are not known. You can try using social engineering methods, or

Today cannot be called something out of the ordinary. However, many users (especially owners of mobile devices) are faced with the problem of which security system to use: WEP, WPA or WPA2-PSK. We'll now see what kind of technologies these are. However, the greatest attention will be paid to WPA2-PSK, since it is this protection that is most in demand today.

WPA2-PSK: what is it?

Let's say right away: this is a system for protecting any local connection to a wireless network based on Wi-Fi. It has no bearing on wired systems based on network cards using a direct Ethernet connection.

In terms of the technology used, WPA2-PSK is the most "advanced" today. Even somewhat outdated methods that require a username and password, and also involve encryption of confidential data during transmission and reception, look, to put it mildly, like baby talk. And here is why.

Types of protection

So, let's start with the fact that until recently the WEP structure was considered the most secure connection security technology. It used key integrity verification when connecting any device wirelessly and was an IEEE 802.11i standard.

WPA2-PSK WiFi network protection works, in principle, almost the same, but it checks the access key at the 802.1X level. In other words, the system checks all possible options.

However, there is a newer technology called WPA2 Enterprise. Unlike WPA, it requires not only a personal access key, but also the presence of a RADIUS server providing access. Moreover, such an authentication algorithm can operate simultaneously in several modes (for example, Enterprise and PSK, using AES CCMP level encryption).

Basic protection and security protocols

Just like the methods now fading into the past, modern protection methods use the same protocol. This is TKIP (a WEP security system based on a software update and the RC4 algorithm). All this requires entering a temporary key to access the network.

As practical use has shown, such an algorithm by itself did not provide any special security for connecting to a wireless network. That's why new technologies were developed: first WPA and then WPA2, complemented by PSK (personal key access) and TKIP (temporary key). In addition, it also included encryption of data during transmission and reception, today known as the AES standard.

Outdated technologies

The WPA2-PSK security type is relatively new. Before this, as mentioned above, the WEP system was used in combination with TKIP. TKIP protection is nothing more than a means of increasing the bit depth of the access key. At the moment, it is believed that the basic mode allows you to increase the key from 40 to 128 bits. With all this, you can also change a single WEP key to several different ones that are generated and sent automatically by the server itself, which authenticates the user upon login.

In addition, the system itself involves the use of a strict hierarchy of key distribution, as well as a technique that allows you to get rid of the so-called predictability problem. In other words, when, say, the password for a wireless network using WPA2-PSK security is set as a sequence like "123456789", it is not difficult to guess that the same key and password generator programs, usually called KeyGen or something like that, can automatically generate the next four characters once the first four are entered. Here, as they say, you don't need to be a unique person to guess the type of sequence used. But this, as is probably already understood, is the simplest example.

As for the user's date of birth in the password, this is not discussed at all. You can easily be identified using the same registration data in social networks. Purely numeric passwords of this type are completely unreliable in themselves. It's better to use numbers, letters, as well as symbols (even non-printable ones if you specify a combination of "hot" keys) and a space. However, even with this approach, WPA2-PSK can be cracked. Here it is necessary to explain the operating methodology of the system itself.

Typical access algorithm

Now a few more words about the WPA2-PSK system. What is this in terms of practical application? This is a combination of several algorithms, so to speak, in working mode. Let's explain the situation with an example.

Ideally, the sequence of execution of the procedure for protecting the connection and encrypting transmitted or received information comes down to the following:

WPA2-PSK (WPA-PSK) + TKIP + AES.

In this case, the main role is played by the shared key (PSK) with a length of 8 to 63 characters. In what exact sequence the algorithms will be used (whether encryption occurs first, or after transmission, or in the process using random intermediate keys, etc.) is not important.

But even with protection and an encryption system at the AES 256 level (meaning the bit depth of the encryption key), hacking WPA2-PSK for hackers knowledgeable in this matter will be a difficult task, but possible.

Vulnerability

Back in 2008, at the PacSec conference, a technique was presented that allows you to hack a wireless connection and read the transmitted data from the router to the client terminal. All this took about 12-15 minutes. However, it was not possible to hack the reverse transmission (client-router).

The fact is that when the QoS router mode is enabled, you can not only read transmitted information, but also replace it with fake information. In 2009, Japanese experts presented a technology that could reduce hacking time to one minute. And in 2010, information appeared on the Internet that the easiest way to hack the Hole 196 module present in WPA2 is to use your own private key.

There is no talk of any interference with the generated keys. First, a so-called dictionary attack is used in combination with brute force, and then the wireless connection space is scanned in order to intercept transmitted packets and subsequently record them. It is enough for the user to make a connection, and he is immediately deauthorized and the initial packets (handshake) are intercepted. After this, you don't even need to be near the main access point. You can easily work offline. However, to perform all these actions you will need special software.

How to hack WPA2-PSK?

For obvious reasons, the complete algorithm for hacking a connection will not be given here, since this can be used as some kind of instruction for action. Let us dwell only on the main points, and then only in general terms.

As a rule, when directly accessing the router, it can be switched to the so-called Airmon-NG mode to monitor traffic (airmon-ng start wlan0, which renames the wireless adapter). After this, traffic is captured and recorded using the airdump-ng mon0 command (tracking channel data, beacon speed, encryption speed and method, amount of data transferred, etc.).

Next, the command to fix the selected channel is used, after which the Aireplay-NG Deauth command is entered with accompanying values (they are not given for reasons of legality of using such methods).

After this (when the user has already been authorized when connecting), the user can simply be disconnected from the network. Then, on re-entry from the hacking side, the system will repeat the login authorization, after which it will be possible to intercept all access passwords. Next, a window with a "handshake" will appear. You can then launch a special file, WPACrack, which allows you to crack any password. Naturally, no one will tell anyone exactly how it is launched. Let us only note that if you have certain knowledge, the entire process takes from several minutes to several days. For example, an Intel-level processor running at a standard clock frequency of 2.8 GHz is capable of processing no more than 500 passwords per second, or 1.8 million per hour. In general, as is already clear, you should not delude yourself.
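For the network owner, the rate quoted above turns into a passphrase check. The added example below (not part of the original article) flags the weak patterns the text names, digit-only strings, sequences like "123456789" and dates of birth, and estimates the worst-case search time at 500 guesses per second. It also derives the 256-bit key that WPA/WPA2-Personal computes from the passphrase with the SSID as salt; that derivation (PBKDF2-HMAC-SHA1, 4096 iterations) comes from IEEE 802.11i rather than from the article, and all function names and sample passphrases are constructed for illustration.

```python
import hashlib
import string
from datetime import datetime

GUESSES_PER_SECOND = 500   # rate quoted in the text for a 2.8 GHz processor

def is_valid_passphrase(passphrase):
    """A WPA passphrase is 8 to 63 printable ASCII characters."""
    return (8 <= len(passphrase) <= 63
            and all(32 <= ord(c) <= 126 for c in passphrase))

def derive_pmk(passphrase, ssid):
    """256-bit key from passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 rounds)."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def alphabet_size(passphrase):
    """Size of the smallest character set that covers the passphrase."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation + " ", 33)]
    return sum(size for chars, size in classes
               if any(c in chars for c in passphrase))

def is_simple_run(passphrase):
    """True for sequences such as 123456789, 87654321 or aaaaaaaa."""
    steps = {ord(b) - ord(a) for a, b in zip(passphrase, passphrase[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}

def looks_like_date(passphrase):
    """True for eight digits that parse as a calendar date (e.g. a birthday)."""
    if len(passphrase) != 8 or not passphrase.isdigit():
        return False
    for fmt in ("%d%m%Y", "%m%d%Y", "%Y%m%d"):
        try:
            year = datetime.strptime(passphrase, fmt).year
        except ValueError:
            continue
        if 1900 <= year <= 2100:
            return True
    return False

def audit(passphrase, rate=GUESSES_PER_SECOND):
    """Return the problems found and the worst-case exhaustive search time."""
    problems = []
    if not is_valid_passphrase(passphrase):
        problems.append("not 8-63 printable ASCII characters")
    if passphrase.isdigit():
        problems.append("digits only")
    if len(passphrase) > 1 and is_simple_run(passphrase):
        problems.append("simple run")
    if looks_like_date(passphrase):
        problems.append("looks like a date")
    keyspace = alphabet_size(passphrase) ** len(passphrase)
    return {"problems": problems, "worst_case_seconds": keyspace // rate}

if __name__ == "__main__":
    # Constructed sample passphrases
    for sample in ("123456789", "15081990", "Tr4il-mix Ocean 7!"):
        report = audit(sample)
        days = report["worst_case_seconds"] / 86400
        print(f"{sample!r}: {report['problems'] or 'no pattern found'}, "
              f"about {days:.3g} days to exhaust at {GUESSES_PER_SECOND}/s")
    # The same passphrase yields a different key on a differently named network
    print(derive_pmk("Tr4il-mix Ocean 7!", "HomeNet").hex())
    print(derive_pmk("Tr4il-mix Ocean 7!", "HomeNet-5G").hex())
```

The worst-case figure assumes an exhaustive search over the passphrase's own character classes; a passphrase that appears in a wordlist falls far sooner, so the estimate is an upper bound.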

Instead of an afterword

That's it for WPA2-PSK. What it is will perhaps not be clear from the first reading. Nevertheless, I think any user will understand the basics of data protection and the encryption systems used. Moreover, today almost all owners of mobile gadgets face this problem. Have you ever noticed that when creating a new connection on the same smartphone, the system suggests using a certain type of security (WPA2-PSK)? Many simply do not pay attention to this, but in vain. In the advanced settings you can use a fairly large number of additional parameters to improve the security system.

Today we'll dig a little deeper into the topic of protecting a wireless connection. Let's figure out what it is - it is also called "authentication" - and which one is better to choose. You've probably come across abbreviations such as WEP, WPA, WPA2, WPA2/PSK. And also some of their varieties - Personal or Enterprise and TKIP or AES. Well, let's take a closer look at all of them and figure out which type of encryption to choose to ensure maximum security without sacrificing speed.

I note that protecting your WiFi with a password is necessary, no matter what type of encryption you choose. Even the simplest authentication will help you avoid quite serious problems in the future.

Why do I say this? It's not even that many unwanted clients connecting will slow down your network - that's just the beginning. The main reason is that if your network is not password-protected, an attacker can attach to it and perform illegal actions from behind your router, and then you will have to answer for his actions, so take WiFi protection very seriously.

WiFi data encryption and authentication types

So, we are convinced of the need to encrypt the WiFi network; now let's see what types there are:

What is WEP wifi protection?

WEP (Wired Equivalent Privacy) is the very first standard to emerge, but its reliability no longer meets modern requirements. All programs configured to hack a WiFi network using brute force methods are aimed primarily at selecting a WEP encryption key.

What is a WPA key or password?

WPA (Wi-Fi Protected Access) is a more modern authentication standard, which allows you to reliably protect the local network and the Internet from illegal penetration.

What is WPA2-PSK - Personal or Enterprise?

WPA2 is an improved version of the previous type. Hacking WPA2 is almost impossible, it provides the maximum degree of security, so in my articles I always say without explanation that you need to install it - now you know why.

The WiFi protection standards WPA2 and WPA have two more varieties:

  • Personal, denoted as WPA/PSK or WPA2/PSK. This type is the most widely used and optimal for use in most cases - both at home and in the office. In WPA2/PSK we set a password of at least 8 characters, which is stored in the memory of the device that we connect to the router.
  • Enterprise - a more complex configuration that requires the RADIUS function to be enabled on the router. It works according to the principle, that is, a separate password is assigned for each individual connected gadget.

WPA encryption types - TKIP or AES?

So, we have decided that WPA2/PSK (Personal) is the best choice for network security, but it has two more types of data encryption for authentication.

  • TKIP - today this is an outdated type, but it is still widely used, since many devices of a certain age support only it. Does not work with WPA2/PSK technology and does not support 802.11n WiFi.
  • AES - the latest and most reliable type of WiFi encryption at the moment.

What type of encryption should I choose and install the WPA key on my WiFi router?

We've sorted out the theory - let's move on to practice. Since no one has used the WiFi standards 802.11 "B" and "G", which have a maximum speed of up to 54 Mbit/s, for a long time - today the norm is 802.11 "N" or "AC", which support speeds up to 300 Mbit/s and higher - it makes no sense to consider WPA/PSK protection with the TKIP encryption type. Therefore, when you set up a wireless network, set it by default to

WPA2/PSK - AES

Or, as a last resort, specify "Auto" as the encryption type so that devices with an outdated WiFi module can still connect.

In this case, the WPA key, or simply put, the password for connecting to the network, must have from 8 to 32 characters, including English lowercase and uppercase letters, as well as various special characters.

Wireless security on your TP-Link router

The screenshots above show the control panel of a modern TP-Link router with the new firmware version. Network encryption is set up here in the "Additional settings - Wireless mode" section.

In the old "green" version, the WiFi network configuration we are interested in is located in the "Wireless Mode - Security" menu. If you do everything as in the image, it will be great!

If you noticed, there is also an item called "WPA group key update period". The point is that, to provide greater protection, the actual digital WPA key used to encrypt the connection changes dynamically. Here you set the value in seconds after which the change occurs. I recommend not touching it and leaving it at the default - the update interval differs between models.

Authentication method on ASUS router

On ASUS routers, all WiFi settings are located on one "Wireless Network" page.

Network protection via Zyxel Keenetic router

Likewise for Zyxel Keenetic: the section "WiFi network - Access point".

In Keenetic routers without the "Zyxel" prefix, the encryption type is changed in the "Home network" section.

Setting up D-Link router security

On D-Link we look for the section "Wi-Fi - Security".

Well, today we understood the types of WiFi encryption and terms like WEP, WPA, WPA2-PSK, TKIP and AES and learned which one is better to choose. Read also about other network security options in one of my previous articles, in which I talk about MAC and IP addresses and other security methods.

Good day, dear friends, acquaintances and other personalities. Today we'll talk about WiFi encryption, which is logical from the title.

I think that many of you use such a thing as, which means, most likely, also WiFi on them for your laptops, tablets and other mobile devices.

It goes without saying that this same Wi-Fi must be locked with a password, otherwise harmful neighbors will use your Internet for free, or even worse, your computer :)

It goes without saying that in addition to the password, there are also all sorts of different types of encryption of this very password, or more precisely, your WiFi protocol so that it is not only not used, but also cannot be hacked.

In general, today I would like to talk a little with you about such a thing as WiFi encryption, or rather these very WEP, WPA, WPA2, WPS and others like them.

Ready? Let's get started.

WiFi encryption - general information

To begin with, let’s talk in a very simplified way about what authentication with a router (server) looks like, that is, what the process of encryption and data exchange looks like. This is the picture we get:

That is, first, as a client, we say that we are us, that is, we know the password (green arrow at the top). The server, let’s say a router, rejoices and gives us a random string (it is also the key with which we encrypt the data), and then the data encrypted with this same key is exchanged.

Now let's talk about the types of encryption, their vulnerabilities and so on. Let's go in order, starting with OPEN, that is, the absence of any cipher, and then move on to everything else.

Type 1 - OPEN

As you already understood (and I just said), OPEN is the absence of any protection, i.e. there is no WiFi encryption at all, and neither you nor your router does anything to protect the channel and the transmitted data.

Wired networks work on exactly this principle: they have no built-in protection, and by “tapping” into one or simply connecting to a hub/switch/router, the network adapter will receive packets from all devices in that network segment in clear text.

However, with a wireless network you can “tap in” from anywhere, at 10, 20, 50 meters or more, and the distance depends not only on the power of your transmitter but also on the length of the hacker’s antenna. Therefore, open data transmission over a wireless network is much more dangerous, because in fact your channel is available to everyone.

Type 2 - WEP (Wired Equivalent Privacy)

One of the very first types of WiFi encryption is WEP. It appeared in the late 90s and is currently one of the weakest types of encryption.


In many modern routers, this type of encryption is completely excluded from the list of options to choose from:

It should be avoided in much the same way as open networks: it provides security only for a short time, after which any transmission can be fully disclosed, regardless of the complexity of the password.

The situation is aggravated by the fact that WEP passwords are either 40 or 104 bits, which is an extremely short combination that can be guessed in seconds (and this does not take into account errors in the encryption itself).

The main problem with WEP is a fundamental design error. WEP actually transmits several bytes of this same key along with each data packet.

Thus, regardless of the complexity of the key, any transmission can be revealed simply by having a sufficient number of intercepted packets (several tens of thousands, which is quite small for an actively used network).

Type 3 - WPA and WPA2 (Wi-Fi Protected Access)

These are among the most modern types of WiFi encryption, and so far almost no newer ones have been invented.

This generation of encryption types replaced the long-suffering WEP. The password length is arbitrary, from 8 to 63 bytes, which makes it very difficult to guess (compare with 3, 6 and 15 bytes in WEP).

The standard supports different algorithms for encrypting the transmitted data after the handshake: TKIP and CCMP.

The first is something like a bridge between WEP and WPA, invented while the IEEE was busy creating the full-fledged CCMP algorithm. TKIP, like WEP, suffers from some types of attacks and is generally not very secure.

Nowadays it is rarely used (although why it is still used at all is not clear to me), and in general using WPA with TKIP is almost the same as using plain WEP.

In addition to different encryption algorithms, WPA(2) supports two different modes of initial authentication (the password check for client access to the network): PSK and Enterprise. PSK (sometimes called WPA Personal) is login with a single password that the client enters when connecting.

This is simple and convenient, but in large companies it can be a problem: say an employee has left, and so that he can no longer access the network you have to change the password for the entire network and notify the other employees about it. Enterprise eliminates this problem by using many keys stored on a separate server, RADIUS.

Besides, Enterprise standardizes the authentication process itself in the EAP (Extensible Authentication Protocol) protocol, which allows you to write your own algorithm.

Type 4 - WPS/QSS

WPS, aka QSS, is an interesting technology that allows us not to think about a password at all, but simply press a button and immediately connect to the network. In essence, this is a “legal” method of bypassing password protection altogether, but what is surprising is that it became widespread despite a very serious miscalculation in the access system itself, and this years after the sad experience with WEP.

WPS allows the client to connect to the access point using an 8-character code consisting of digits (PIN). However, due to an error in the standard, you only need to guess 4 of them. Thus, all it takes is 10000 guessing attempts and, regardless of the complexity of the password for the wireless network, you automatically get access, and with it the password itself as it is.

Given that this interaction occurs before any security checks, 10-50 login requests per second can be sent via WPS, and in 3-15 hours (sometimes more, sometimes less) you will receive the keys to heaven.

When this vulnerability was disclosed, manufacturers began to implement a limit on the number of login attempts (rate limit); once it is exceeded, the access point automatically turns WPS off for a while. However, so far such devices make up no more than half of those already released without this protection.

Moreover, a temporary lockout does not change anything fundamentally, since with one login attempt per minute we will need only 10000/60/24 = 6.94 days. And the PIN is usually found before the entire cycle has been completed.
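The arithmetic above generalizes to any lockout policy. The following added example (not from the original article) models an access point that locks WPS after a number of failed PINs and computes how long the 10000-guess space from the text survives in the worst case; the policy parameters, including the backoff multiplier and the one-day cap, are hypothetical values chosen for illustration.

```python
import math

def worst_case_seconds(guess_space: int,
                       seconds_per_attempt: float = 0.0,
                       max_failures: int = 1,
                       lock_seconds: float = 0.0,
                       backoff: float = 1.0,
                       max_lock_seconds: float = 86400.0) -> float:
    """Time needed to try every PIN under a lockout policy.

    After every `max_failures` failed attempts WPS is locked; each lock is
    `backoff` times longer than the previous one, capped at
    `max_lock_seconds`. No lock is counted after the final attempt.
    """
    if guess_space < 1 or max_failures < 1:
        raise ValueError("guess_space and max_failures must be positive")
    lockouts = math.ceil(guess_space / max_failures) - 1
    total = guess_space * seconds_per_attempt
    lock = min(lock_seconds, max_lock_seconds)
    for _ in range(lockouts):
        total += lock
        # Cap before the next round so the value never overflows.
        lock = min(lock * backoff, max_lock_seconds)
    return total

def worst_case_days(guess_space: int, **policy) -> float:
    return worst_case_seconds(guess_space, **policy) / 86400.0

if __name__ == "__main__":
    # Fixed lock: one attempt per minute, as in the text.
    print(round(worst_case_days(10000, max_failures=1, lock_seconds=60), 2))
    # Hypothetical policy: 3 failures, 60 s lock doubling up to one day.
    print(round(worst_case_days(10000, max_failures=3, lock_seconds=60,
                                backoff=2.0), 1))
```

A fixed lock only scales the total linearly, which is why it stays in the range of days; a growing lock is what moves the worst case into years, and turning WPS off removes the guess space entirely.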

I would like to once again draw your attention to the fact that when WPS is enabled, your password will inevitably be revealed, regardless of its complexity. So if you need WPS at all, turn it on only when connecting a device to the network, and keep it off the rest of the time.

Afterword

In fact, you can draw your own conclusions, but in general, it goes without saying that you should use at least WPA, and better WPA2.

In the next article on WiFi we will talk about how different types of encryption affect the performance of the channel and router, and also consider some other nuances.

As always, if you have any questions, additions, etc., then welcome to the comments on the topic about WiFi encryption.

PS: Thanks for the existence of this material go to the Habr author under the nickname ProgerXP. In fact, all the text is taken from his material, so as not to reinvent the wheel in my own words.







2024 gtavrl.ru.