WPA2 AES encryption. Wireless Setup Wizard


Wi-Fi encryption - which protocol to choose?

I bought myself a new router and decided to set it up myself. Everything is set up: the Internet and the wireless network are working. A question arose, because radio waves (Wi-Fi in my case) propagate not only within my apartment. Accordingly, they can be intercepted. Theoretically. The router has a wireless network encryption setting. I assume that it exists precisely to rule out interception and “eavesdropping”. The question is, which of the encryption protocols available in my router should I choose? Available: WEP, WPA-Personal, WPA-Enterprise, WPA2-Personal, WPA2-Enterprise, WPS. Which Wi-Fi encryption should I use in my case?


norik | 16 February 2015, 10:14
I will omit descriptions of any outdated Wi-Fi encryption protocols. Therefore, I will describe only those that make sense to use. If a protocol is not described here, then either it is exotic or you do not need it.

WPA and WPA2 (Wi-Fi Protected Access) are available on all routers. The most popular and widespread protocol. It is also one of the most modern. IMHO the best choice for home and small office. However, it is also quite suitable for large offices, except that it makes sense to make authorization more complicated. Its password length is up to 63 bytes, so if you try to crack it by guessing, you will turn gray first. Of course, you should choose WPA2 if all devices on the network support it (only very old gadgets do not understand it).

Inside it, several encryption algorithms can be used. Among them:

  1. TKIP - I do not recommend it, since it is quite possible to find a hole in it.
  2. CCMP - much better.
  3. AES - I like it the most, but it is not supported by all devices, although it is included in the WPA2 specification.

WPA2 also provides two initial authentication modes: PSK and Enterprise. WPA Personal, also known as WPA PSK, means that all users log into the wireless network with a single password, entered on the client side at the time of connecting to the network. Great for home, but problematic for a large office. It will be difficult to change the password for everyone every time another employee who knows it quits.

WPA Enterprise requires a separate server with a set of keys. For a home or an office with 6 machines this is cumbersome, but if there are 3 dozen wireless devices in the office, then it is worth taking care of.

Actually, that exhausts the choice of Wi-Fi encryption at the moment. The remaining protocols either have no encryption or password at all, or have holes in the algorithms that only the very lazy would not get into. I recommend the WPA2 Personal AES combination for home use. For large offices, WPA2 Enterprise AES. If there is no AES, then you can get by with TKIP, but then there is still the possibility of packets being read by an outsider. There is an opinion that WPA2 TKIP has never been hacked, unlike WPA TKIP, but it was protected...

Good day, dear readers! Today we will talk about the wireless security of the DIR-615 and about network security in general. I will explain what WPA is. Next I will give step-by-step instructions for setting up a wireless network using the wizard, with automatic and manual modes of assigning a network key. Then we will show how to add a wireless device using the WPS wizard. Finally, I will describe the WPA-Personal (PSK) and WPA-Enterprise (RADIUS) configurations.

Network Security

In this article, as promised, I will write about the different levels of security that you can use to protect your data from intruders. The DIR-615 offers the following security types:

What is WPA?

WPA (Wi-Fi Protected Access) is a Wi-Fi standard designed to improve on the security capabilities of WEP.

It brings two major improvements over WEP:

  • Improved data encryption via TKIP. TKIP mixes the keys using a hashing algorithm and adds an integrity check, ensuring that the keys cannot be tampered with. WPA2 is based on 802.11i and uses AES instead of TKIP.
  • User authentication, which is generally absent in WEP, through EAP. WEP regulates access to a wireless network based on the computer's hardware MAC address, which is relatively easy to find out and spoof. EAP is built on a more secure public key encryption system to ensure that only authorized network users can access the network.

WPA-PSK/WPA2-PSK uses a passphrase or key to authenticate your wireless connection. This key is an alphanumeric password between 8 and 63 characters long. The password can include special characters (!?*&_) and spaces. It must be exactly the same key that is entered on your wireless router or access point.

WPA/WPA2 enables user authentication via EAP. EAP is built on a more secure public key encryption system to ensure that only authorized network users can access the network.

Wireless Setup Wizard

To launch the security wizard, open the Setup page and then click the Wireless Network Setup Wizard button.

Automatic Network Key Assignment

Once this screen appears, setup is complete. You will be shown a detailed report of your network security settings.
Click Save to continue.

Manual Network Key Assignment

Choose the wireless security password. It must be exactly 5 or 13 characters long, or exactly 10 or 26 hexadecimal characters (0-9 and A-F).
Click to continue.

Setup is complete. You will be shown a detailed report of your wireless security settings. Click Save to complete the Security Wizard.

Add a Wireless Device using the WPS Wizard

PBC: select this option to use the push-button (PBC) method to add a wireless client. Click Connect.

WPA-Personal (PSK) Configuration

It is recommended that you enable encryption on your wireless router before turning on your wireless network adapters. Establish wireless connectivity before enabling encryption. Your wireless signal may degrade when encryption is enabled because of the additional overhead.


WPA-Enterprise (RADIUS) Configuration

It is recommended that you enable encryption on your wireless router before turning on your wireless network adapters. Establish wireless connectivity before enabling encryption. Your wireless signal may degrade when encryption is enabled because of the additional overhead.

  1. Log in to the web-based configuration utility by opening a web browser and entering the router's IP address (192.168.0.1). Click Setup and then Wireless Settings on the left side.
  2. In Security Mode, select WPA-Enterprise.
    Comment: should be disabled

Lately, many “exposé” publications have appeared about the hacking of some new protocol or technology that compromises the security of wireless networks. Is this really so, what should you be afraid of, and how can you make access to your network as secure as possible? Do the words WEP, WPA, 802.1x, EAP and PKI mean little to you? This short review brings together all the applicable encryption and radio access authorization technologies. I will try to show that a properly configured wireless network is an insurmountable barrier for an attacker (up to a certain limit, of course).

Basics

Any interaction between an access point (network) and a wireless client is based on:

  • Authentication - how the client and the access point introduce themselves to each other and confirm that they have the right to communicate;
  • Encryption - which scrambling algorithm is used for the transmitted data, how the encryption key is generated, and when it changes.

The parameters of a wireless network, primarily its name (SSID), are regularly advertised by the access point in broadcast beacon frames. Besides the expected security settings, these carry QoS information, 802.11n parameters, supported rates, information about neighbors, etc. Authentication determines how the client presents itself to the access point. The options are:

  • Open - the so-called open network, in which all connecting devices are authorized at once
  • Shared - the authenticity of the connecting device must be verified with a key/password
  • EAP - the authenticity of the connecting device must be verified using the EAP protocol by an external server

An open network does not mean that anyone can use it with impunity. To transmit data in such a network, the encryption algorithm in use must match and, accordingly, the encrypted connection must be established correctly. The encryption algorithms are:

  • None - no encryption, data is transmitted in clear text
  • WEP - a cipher based on the RC4 algorithm with static or dynamic keys of different lengths (64 or 128 bits)
  • CKIP - Cisco's proprietary replacement for WEP, an early version of TKIP
  • TKIP - an improved WEP replacement with additional checks and protection
  • AES/CCMP - the most advanced algorithm, based on AES256 with additional checks and protection

The combination Open Authentication, No Encryption is widely used in guest access systems such as Internet access in a cafe or hotel. To connect, you only need to know the name of the wireless network. Often such a connection is combined with an additional check by a captive portal, which redirects the user's HTTP request to an additional page that can ask for confirmation (login and password, acceptance of the rules, etc.).

WEP encryption is compromised and must not be used (even with dynamic keys).

The common terms WPA and WPA2 in fact determine the encryption algorithm (TKIP or AES). Since client adapters have supported WPA2 (AES) for quite some time, there is no point in using TKIP encryption.

The difference between WPA2 Personal and WPA2 Enterprise is where the encryption keys used by the AES algorithm come from. For private (home, small) applications, a static key (password, code word, PSK (Pre-Shared Key)) with a minimum length of 8 characters is used; it is set in the access point settings and is the same for all clients of a given wireless network. Compromise of such a key (someone told a neighbor, an employee was fired, a laptop was stolen) requires an immediate password change for all remaining users, which is only realistic if there are few of them. For corporate applications, as the name suggests, a dynamic key is used, individual for each currently connected client. This key can be periodically renewed during operation without breaking the connection, and an additional component, an authorization server (almost always a RADIUS server), is responsible for generating it.

All possible security parameters are summarized in this table:

| Property | Static WEP | Dynamic WEP | WPA | WPA2 (Enterprise) |
|---|---|---|---|---|
| Identification | User, computer, WLAN card | User, computer | User, computer | User, computer |
| Authorization | Shared key | EAP | EAP or shared key | EAP or shared key |
| Integrity | 32-bit Integrity Check Value (ICV) | 32-bit ICV | 64-bit Message Integrity Code (MIC) | CTR/CBC-MAC (Counter mode with CBC-MAC, CCM), part of AES |
| Encryption | Static key | Session key | Per-packet key via TKIP | CCMP (AES) |
| Key distribution | One-time, manual | Pair-wise Master Key (PMK) segment | Derived from PMK | Derived from PMK |
| Initialization vector | Plaintext, 24 bits | Plaintext, 24 bits | Extended vector, 65 bits | 48-bit packet number (PN) |
| Algorithm | RC4 | RC4 | RC4 | AES |
| Key length, bits | 64/128 | 64/128 | 128 | up to 256 |
| Required infrastructure | No | RADIUS | RADIUS | RADIUS |

While WPA2 Personal (WPA2 PSK) is clear, an enterprise solution requires further consideration.
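The key hierarchy behind the table's "derived from PMK" rows, as an added example that is not code from any of the articles on this page: the WPA2-Personal PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, and the per-session PTK (KCK, KEK and the CCMP temporal key) is derived from the PMK, the two MAC addresses and the two 4-way-handshake nonces. WPA2-Enterprise differs only in where the PMK comes from (the RADIUS server), so the PTK step is the same. The SSID, MAC addresses and nonces below are constructed values.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Every client on the network derives the same PMK, which is why a leaked
    passphrase means re-keying every device."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate to nbytes."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    For CCMP the 48-byte PTK splits into KCK (16), KEK (16) and TK (16).
    Fresh nonces each association give a fresh TK even though the PMK is static."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

if __name__ == "__main__":
    # "password"/"IEEE" is the test vector published in the 802.11i standard.
    print("PMK(password, IEEE) =", pmk_from_passphrase("password", "IEEE").hex())
    # Constructed home network: passphrase from the article, made-up SSID/MACs/nonces.
    pmk = pmk_from_passphrase("2Rk7-kw8Q11vlOp0", "HomeNet-example")
    ap_mac, client_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    for session, (anonce, snonce) in enumerate([(b"\x11" * 32, b"\x22" * 32),
                                                (b"\x33" * 32, b"\x22" * 32)]):
        keys = ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce)
        print(f"session {session}: TK = {keys['TK'].hex()}")
```

Run it to see that the PMK is fixed for a given passphrase and SSID while the TK changes with every handshake.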

WPA2 Enterprise



Here we are dealing with an additional set of protocols. On the client side, a special software component, the supplicant (usually part of the OS), interacts with the authorizing part, the AAA server. This example shows the operation of a unified radio network built on lightweight access points and a controller. When access points with “brains” are used, the whole role of intermediary between clients and server can be taken on by the access point itself. In this case, the client supplicant's data is transmitted over the radio in 802.1x frames (EAPOL), and on the controller side it is wrapped in RADIUS packets.

Using the EAP authorization mechanism in your network means that, after successful (almost certainly open) client authentication by the access point (together with the controller, if any), the latter asks the client to authorize (confirm its authority) with the infrastructure RADIUS server:


Using WPA2 Enterprise requires a RADIUS server on your network. At the moment, the most capable products are the following:

  • Microsoft Network Policy Server (NPS), formerly IAS - configured via MMC, free, but you need to buy Windows
  • Cisco Secure Access Control Server (ACS) 4.2, 5.3 - configured via a web interface, sophisticated in functionality, allows you to build distributed and fault-tolerant systems, expensive
  • FreeRADIUS - free, configured using text configs, not convenient to manage and monitor

In this case, the controller carefully monitors the ongoing exchange and waits for successful authorization or a refusal. If successful, the RADIUS server can pass additional options to the access point (for example, which VLAN to place the subscriber in, which IP address to assign, a QoS profile, etc.). At the end of the exchange, the RADIUS server allows the client and the access point to generate and exchange encryption keys (individual, valid only for this session):
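The two wrappers described above, as an added example that is not code from the original article: the same EAP message (here an EAP-Response/Identity) travels inside an EAPOL frame on the radio and inside a RADIUS Access-Request between the access point and the server, where an EAP-Message attribute carries it and a Message-Authenticator (HMAC-MD5 keyed with the AP/RADIUS shared secret, RFC 3579) lets the server reject packets from an AP that does not know the secret. The identity and shared secret are constructed values.

```python
import hashlib
import hmac
import os
import struct

EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET = 2, 0
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80

def eap_response_identity(identifier: int, identity: bytes) -> bytes:
    """EAP packet: Code(1) | Identifier(1) | Length(2, whole packet) | Type(1) | Type-Data."""
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(identity),
                       EAP_TYPE_IDENTITY) + identity

def eapol_wrap(eap: bytes) -> bytes:
    """On the air (802.1X): EAPOL header Version | Type | Body length, then the EAP packet."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap

def eapol_unwrap(frame: bytes) -> bytes:
    """What the access point extracts before forwarding to RADIUS."""
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_TYPE_EAP_PACKET or len(frame) < 4 + length:
        raise ValueError("not a complete EAPOL EAP-Packet frame")
    return frame[4:4 + length]

def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value

def radius_access_request(identifier: int, authenticator: bytes, identity: bytes,
                          eap: bytes, secret: bytes) -> bytes:
    """Toward the server: Code | Identifier | Length | Request Authenticator(16) | attributes.
    The EAP packet rides in EAP-Message(79) chunks of at most 253 bytes; Message-Authenticator(80)
    is HMAC-MD5 over the whole packet with its own value zeroed."""
    attrs = _attr(ATTR_USER_NAME, identity)
    for i in range(0, len(eap), 253):
        attrs += _attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder for the HMAC
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def radius_verify(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the Message-Authenticator with the shared secret.
    A wrong secret, a tampered attribute or a missing authenticator all fail."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False  # Access-Request carrying EAP must include a Message-Authenticator

if __name__ == "__main__":
    secret = b"constructed-ap-radius-secret"
    eap = eap_response_identity(1, b"alice@example.test")
    on_air = eapol_wrap(eap)
    to_server = radius_access_request(7, os.urandom(16), b"alice@example.test",
                                      eapol_unwrap(on_air), secret)
    print("EAPOL frame :", on_air.hex())
    print("RADIUS pkt  :", to_server.hex())
    print("verifies with right secret:", radius_verify(to_server, secret))
    print("verifies with wrong secret:", radius_verify(to_server, b"other"))
```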


EAP

The EAP protocol itself is a container: the actual authorization mechanism is left to inner protocols. At the moment, the following have received any significant distribution:

  • EAP-FAST (Flexible Authentication via Secure Tunneling) - developed by Cisco; allows authorization using a login and password transmitted inside a TLS tunnel between the supplicant and the RADIUS server
  • EAP-TLS (Transport Layer Security) - uses a public key infrastructure (PKI) to authorize the client and server (supplicant and RADIUS server) through certificates issued by a trusted certification authority (CA). Requires issuing and installing client certificates on each wireless device, so it is only suitable for a managed corporate environment. Windows Certificate Server has facilities that allow a client to obtain its own certificate if it is a member of the domain. Blocking a client is easily done by revoking its certificate (or through accounts).
  • EAP-TTLS (Tunneled Transport Layer Security) - similar to EAP-TLS, but does not require a client certificate when creating the tunnel. In such a tunnel, similar to a browser SSL connection, additional authorization is performed (using a password or something else).
  • PEAP-MSCHAPv2 (Protected EAP) - similar to EAP-TTLS in terms of the initial establishment of an encrypted TLS tunnel between client and server, requiring a server certificate. Authorization then takes place inside the tunnel using the well-known MSCHAPv2 protocol.
  • PEAP-GTC (Generic Token Card) - similar to the previous one, but requires one-time password cards (and the related infrastructure)

All of these methods (except EAP-FAST) require a server certificate (on the RADIUS server) issued by a certification authority (CA). The CA certificate itself must be present on the client's device in the trusted group (easy to arrange with group policy on Windows). Additionally, EAP-TLS requires an individual client certificate. Client authentication is performed by digital signature and, optionally, by comparing the certificate presented by the client to the RADIUS server with the one the server retrieves from the PKI infrastructure (Active Directory).

Support for any of the EAP methods must be provided by a client-side supplicant. The standard built-in supplicant in Windows XP/Vista/7, iOS and Android provides at least EAP-TLS and EAP-MSCHAPv2, which makes these methods popular. Intel client adapters for Windows come with the ProSet utility, which extends the available list. Cisco AnyConnect Client does the same.



How reliable is it?

After all, what does it take for an attacker to break into your network?

For Open Authentication, No Encryption - nothing. Connect to the network, and that's it. Since the radio medium is open and the signal travels in all directions, blocking it is not easy. With suitable client adapters that allow you to listen to the air, network traffic is visible as if the attacker had connected to the wire, to a hub, or to the SPAN port of a switch.
WEP-based encryption requires only the time to brute-force the IV and one of many freely available scanning utilities.
For encryption based on TKIP or AES, direct decryption is possible in theory, but in practice there have been no cases of it being broken.

Of course, you can try to guess the PSK key or a password to one of the EAP methods. Common attacks against these methods are not known. You can try social engineering methods, or thermorectal cryptanalysis.

You can gain access to a network protected by EAP-FAST, EAP-TTLS or PEAP-MSCHAPv2 only if you know the user's login and password (hacking as such is impossible). Attacks such as brute force or those aimed at vulnerabilities in MSCHAP are also not possible or difficult, because the EAP client-server channel is protected by an encrypted tunnel.

Access to a network protected by PEAP-GTC is possible either by hacking the token server or by stealing the token along with its password.

Access to a network protected by EAP-TLS is possible if a user certificate is stolen (along with its private key, of course), or by issuing a valid but false certificate. The latter is only possible if the certification authority is compromised, which in normal companies is protected as the most valuable IT resource.

Since all of the above methods (except PEAP-GTC) allow storing (caching) passwords and certificates, if a mobile device is stolen, the attacker gets full access without any questions from the network. As a preventive measure, full disk encryption with a password prompt when turning on the device can be used.

Remember: with proper design, a wireless network can be very secure; there are no means of hacking such a network (to a certain extent).

Fast wired Internet is becoming more and more accessible. And along with the development of mobile technology, the question of using home Internet on every device becomes relevant. A Wi-Fi router serves this purpose; its job is to share the wireless Internet connection between different users.

Special attention should be paid to the security of your network.

After purchasing it, you only need to configure it the first time you turn it on. A disk with a configuration utility comes with the router, and setting up a home network with it could not be easier. Nevertheless, inexperienced users often run into problems at the network security settings stage. The system prompts you to select an authentication method, and there are at least four options to choose from. Each has certain advantages and disadvantages, and if you want to protect yourself from attackers, you should choose the most reliable option. That is what this article is about.

Authentication Methods

Most home router models support the following network authentication methods: no encryption, WEP, WPA/WPA2-Enterprise, WPA/WPA2-Personal (WPA/WPA2-PSK). The last three also offer several encryption algorithms. Let's take a closer look.

Lack of protection

This method speaks for itself. The connection is completely open; absolutely anyone can connect to it. Typically this method is used in public places, but it is better not to use it at home. The least it threatens you with is that your neighbors will occupy your channel, and you will not get the maximum speed of your tariff plan. In the worst case, attackers can use it for their own purposes, stealing your confidential information or committing other illegal actions. True, you do not need to remember a password, but you must admit this is a rather dubious advantage.

WEP

With this network authentication method, transmitted information is protected with a private key. The protection types are "Open System" and "Shared Key". In the first case, identification occurs by MAC address filtering without an additional key. The protection is, in fact, minimal, and therefore unsafe. In the second, you have to come up with a secret code that will be used as the security key. It can be 64, 128 or 152 bits. The system tells you how long the code should be depending on its encoding, hexadecimal or ASCII. You can set several such codes. The reliability of this protection is relative and has long been considered outdated.

WPA/WPA2 – Enterprise and WPA/WPA2-Personal

A very reliable network authentication method; the first is used in enterprises, the second at home and in small offices. The difference between them is that the home version uses a permanent key configured at the access point. Together with the encryption algorithm and the SSID, it forms a secure connection. To gain access to such a network, you need to know the password. Therefore, if it is strong and you do not disclose it to anyone, this is an ideal option for an apartment or house. In addition, almost all manufacturers mark it as recommended.

In the Enterprise version, a dynamic key is used and each user is assigned an individual one. There is no point in bothering with this at home, so it is used only in large enterprises where the security of corporate data is very important.

Reliability also depends on the encryption algorithm. There are two: AES and TKIP. It is better to use the first, since the latter is derived from WEP and has proven to be a failure.

How to change Wi-Fi authentication method

If you have previously configured your connection authentication but are unsure that the method is correct, be sure to check it now. Go to the router settings by entering its IP address, login and password in the browser (you can read more in the article on the router's IP address on our website). You need to go to the network security settings tab; in different router models it can be located differently. Then select a network authentication method, come up with a strong password, click "Save" and reboot the router. Do not forget to reconnect to the network from all devices.

Conclusion

We hope you found this information useful. Do not neglect Wi-Fi security settings. Do not leave it open, but select the recommended authentication method and the correct encryption algorithm.

What connection security method are you using? Share with us in the comments.

Today many people have a Wi-Fi router at home. After all, it is much easier to connect a laptop, a tablet and a smartphone, of which there are more than people in every family, to the Internet wirelessly. And the router is essentially the gateway to the information universe. Read: the front door. And it depends on this door whether an uninvited guest comes in without your permission. Therefore, it is very important to configure the router correctly so that your wireless network is not vulnerable.

I do not think I need to remind you that hiding the access point's SSID does not protect you. Restricting access by MAC address is not effective. Therefore, only modern encryption methods and a complex password will do.

Why encrypt? Who needs me? I have nothing to hide

It is not so scary if the PIN of your credit card is stolen and all the money is taken from it. Nor if someone surfs the Internet at your expense, knowing your Wi-Fi password. And it is not so scary if they publish your photos from corporate parties where you look unsightly. It is much more painful when attackers get into your computer and delete the photos of how you picked up your son from the maternity hospital, how he took his first steps and went to first grade. Backups are a separate topic; of course they need to be made... But over time your reputation can be restored and you can earn money again, while the photographs that are dear to you are gone. I think everyone has something they do not want to lose.
Your router is a border device between private and public, so make sure it is fully protected. Moreover, it is not so difficult.

Encryption technologies and algorithms

I will leave out the theory. It does not matter how it works; the main thing is to know how to use it.
Wireless security technologies developed in the following chronological order: WEP, WPA, WPA2. The encryption methods RC4, TKIP and AES evolved likewise.
The best combination in terms of security today is WPA2-AES. This is exactly how you should try to configure Wi-Fi. It should look something like this:

WPA2 has been mandatory since March 16, 2006. But sometimes you can still find equipment that does not support it. In particular, if your computer runs Windows XP without Service Pack 3, WPA2 will not work. Therefore, for compatibility reasons, on routers you can find configuration options such as WPA2-PSK -> AES+TKIP and other such variants.
But if your fleet of devices is modern, then it is better to use WPA2 (WPA2-PSK) -> AES, as the most secure option today.

What is the difference between WPA(WPA2) and WPA-PSK(WPA2-PSK)

The WPA standard provides the Extensible Authentication Protocol (EAP) as the basis for the user authentication mechanism. An indispensable condition for authentication is that the user presents a certificate (otherwise called a credential) confirming the right to access the network. To obtain this right, the user is checked against a special database of registered users. Without authentication, the user is prohibited from using the network. In large networks, the registered user base and the verification system are usually located on a special server (most often RADIUS).
The simplified Pre-Shared Key mode (WPA-PSK, WPA2-PSK) allows you to use one password, which is stored directly in the router. On the one hand, everything is simpler: there is no need to create and maintain a user base; on the other hand, everyone logs in with the same password.
At home, it is more advisable to use WPA2-PSK, that is, the simplified mode of the WPA standard. Wi-Fi security does not suffer from this simplification.

Wi-Fi access password

Everything is simple here. The password for your wireless access point (router) must be more than 8 characters long and contain letters in different cases, numbers and punctuation marks. And it should not be associated with you in any way. This means that dates of birth, your names, car numbers, phone numbers, etc. cannot be used as a password.
Since it is almost impossible to break WPA2-AES head-on (there have been only a couple of cases simulated in laboratory conditions), the main methods of cracking WPA2 are a dictionary attack and brute force (sequential search of all password options). Therefore, the more complex the password, the fewer chances attackers have.

... in the USSR, automatic lockers became widespread at railway stations. The lock code was one letter and three digits. However, few people know that the first version of these lockers used 4 digits as the code combination. What is the difference, it would seem? After all, the number of code combinations is the same: 10,000 (ten thousand). But as practice showed (especially that of the Moscow Criminal Investigation Department), when a person was asked to use a combination of 4 digits as the password for a locker, a lot of people used their year of birth (so as not to forget). Attackers exploited this quite successfully. After all, the first two digits of the birth year of the absolute majority of the country's population were known: 19. All that remained was to estimate by eye the approximate age of the person checking in luggage, which any of us can do to within +/- 3 years, and what remained (for the attackers, more precisely) was fewer than 10 combinations for finding the access code to the locker...

Most popular password

Human laziness and irresponsibility take their toll. Here is a list of the most popular passwords:

  1. 123456
  2. qwerty
  3. 111111
  4. 123123
  5. 1a2b3c
  6. Date of birth
  7. Mobile phone number

Security rules when creating a password

  1. To each his own. That is, the router password should not match any other password you have, for example your mail password. Make it a rule that every account has its own password and all of them are different.
  2. Use strong passwords that cannot be guessed. For example: 2Rk7-kw8Q11vlOp0
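A checker for the rules given in this section, as an added example that is not code from the original article: it enforces the WPA limit of 8 to 63 printable characters, the article's policy (more than 8 characters, mixed case, digits, punctuation), the list of most popular passwords above, and rejects anything that looks like a date of birth, a phone number or a personal detail the caller supplies. The personal details in the usage are constructed values.

```python
import re

# The article's list of the most popular passwords, used as a deny-list.
POPULAR_PASSWORDS = {"123456", "qwerty", "111111", "123123", "1a2b3c"}
PUNCTUATION = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")
# Separators people put inside dates and phone numbers.
SEPARATORS = re.compile(r"[ ./()+-]")

def _compact(pw: str) -> str:
    return SEPARATORS.sub("", pw)

def looks_like_phone_number(pw: str) -> bool:
    """Only digits once separators are removed, 7 to 15 of them (e.g. +7 916 123-45-67)."""
    compact = _compact(pw)
    return compact.isdigit() and 7 <= len(compact) <= 15

def looks_like_birth_date(pw: str) -> bool:
    """6 or 8 digits containing a 19xx/20xx year (e.g. 12.01.1985 or 120185 style dates)."""
    compact = _compact(pw)
    return compact.isdigit() and len(compact) in (6, 8) and re.search(r"(19|20)\d\d", compact) is not None

def check_wifi_passphrase(pw: str, personal: tuple = ()) -> list:
    """Return the rules the passphrase breaks; an empty list means it passes.
    `personal` holds strings tied to the owner (names, plate, phone) that must not appear."""
    problems = []
    # Hard limit from the WPA standard: 8 to 63 printable ASCII characters.
    if not (8 <= len(pw) <= 63) or not all(32 <= ord(c) <= 126 for c in pw):
        problems.append("not a valid WPA passphrase (8-63 printable ASCII characters)")
    # Policy from the article.
    if len(pw) <= 8:
        problems.append("too short (use more than 8 characters)")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in PUNCTUATION for c in pw):
        problems.append("no punctuation marks")
    if pw.lower() in POPULAR_PASSWORDS:
        problems.append("in the list of most popular passwords")
    if looks_like_birth_date(pw):
        problems.append("looks like a date of birth")
    if looks_like_phone_number(pw):
        problems.append("looks like a phone number")
    for token in personal:
        if len(token) >= 3 and token.lower() in pw.lower():
            problems.append(f"contains personal data: {token}")
    return problems

if __name__ == "__main__":
    # Constructed owner details: a first name, a car plate and a phone number.
    owner = ("Ivan", "A123BC", "9161234567")
    for candidate in ["2Rk7-kw8Q11vlOp0", "qwerty", "12.01.1985", "+7 916 123-45-67",
                      "Ivan-A123BC-2020!", "Ab1!Ab1!"]:
        verdict = check_wifi_passphrase(candidate, personal=owner) or ["OK"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```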

A Wi-Fi password has one huge plus: you do not need to remember it. You can write it on a piece of paper and stick it to the bottom of the router.

Guest Wi-Fi zone

If your router allows you to set up a guest area, be sure to do it, naturally protecting it with WPA2 and a strong password. Then, when friends come to your home and ask for Internet access, you do not have to tell them your main password. Moreover, the guest zone in routers is isolated from the main network, so any problems with your guests' devices will not affect your home network.

2024 gtavrl.ru.