What type of security to choose for a Wi-Fi router. Wi-Fi encryption type: which to choose, WEP or WPA2-PSK, Personal or Enterprise, to protect network security

    Before reading this material, it is recommended that you familiarize yourself with the previous articles of the series:
  • We build a network with our own hands and connect it to the Internet, part one: building a wired Ethernet network (without a switch in the case of two computers, and with a switch for three or more machines) and organizing Internet access through one of the network computers, which has two network cards and runs Windows XP Pro.
  • Part two: configuring wireless equipment in a peer-to-peer network, which covers networking issues when only wireless adapters are used.

In the previous article only a few words were devoted to encryption in wireless networks; we promised to cover the issue in a separate article. Today we are fulfilling that promise :)

First, a little theory.

Data encryption in wireless networks receives so much attention because of the very nature of wireless networks. Data is transmitted over radio waves, and as a rule omnidirectional antennas are used. Thus the data is heard by everyone, not only by the intended recipient but also by the neighbor behind the wall or the "interested party" who parks under the window with a laptop. Of course, the distances over which wireless networks operate (without amplifiers or directional antennas) are short, about 100 meters in ideal conditions. Walls, trees and other obstacles attenuate the signal considerably, but that still doesn't solve the problem.

Initially, only the SSID (network name) was used for security. But, generally speaking, this method can be called protection only with a big stretch: the SSID is transmitted in the clear, and nothing stops an attacker from eavesdropping on it and then entering it in his own settings. Not to mention that (this applies to access points) SSID broadcast mode can be enabled, in which case the SSID is forcibly announced to all listeners.

Therefore there was a need for data encryption. The first such standard was WEP, Wired Equivalent Privacy. Encryption is performed with a 40- or 104-bit key (stream encryption using the RC4 algorithm with a static key). The key itself is a string of ASCII characters 5 characters long (for a 40-bit key) or 13 characters long (for a 104-bit key). This string is translated into a sequence of hexadecimal digits, which form the key. Drivers from many manufacturers allow hexadecimal values (of the corresponding length) to be entered directly instead of ASCII characters. Please note that the algorithm for translating an ASCII string into hexadecimal key values may differ from manufacturer to manufacturer. Therefore, if your network uses wireless equipment from different vendors and you cannot get WEP encryption working with an ASCII key phrase, try entering the key in hexadecimal instead.

But what about the manufacturers' claims of 64- and 128-bit encryption, you ask? Marketing plays a role here: 64 is more than 40, and 128 is more than 104. In reality, data is encrypted with a key of 40 or 104 bits. But besides the ASCII phrase (the static component of the key) there is also the Initialization Vector (IV), which serves to randomize the rest of the key. The vector is chosen at random and changes dynamically during operation. In principle this is a reasonable solution, since it introduces a random component into the key. The vector is 24 bits long, so the total key length is 64 (40 + 24) or 128 (104 + 24) bits.

All would be well, but the encryption algorithm used (RC4) is not particularly strong today: with enough determination the key can be brute-forced in a relatively short time. Still, the main weakness of WEP is related to the initialization vector. The IV is only 24 bits long, which gives roughly 16 million combinations, i.e. 16 million different vectors. Although "16 million" sounds impressive, everything is relative. In real operation all possible vector values will be used up within an interval of ten minutes to several hours (for a 40-bit key), after which the vectors start to repeat. An attacker only needs to collect enough packets by passively listening to the wireless traffic and find these repeats. After that, recovering the static component of the key (the ASCII phrase) does not take much time.

But that is not all. There are so-called "weak" initialization vectors. The use of such vectors in a key allows an attacker to start recovering the static part of the key almost immediately, rather than waiting several hours while passively accumulating traffic. Many manufacturers build into the software (or the hardware of the wireless device) a check for such vectors; if one turns up, it is silently discarded and does not take part in encryption. Unfortunately, not all devices have this function.

Currently some wireless equipment manufacturers offer "extended versions" of the WEP algorithm that use keys longer than 128 (more precisely 104) bits. But in these algorithms only the static component of the key is lengthened; the initialization vector stays the same length, with all the consequences that follow (in other words, we only increase the time needed to recover the static key). It goes without saying that WEP variants with increased key length from different manufacturers may be incompatible with each other.
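To make the numbers above concrete, here is an added example (not from the original article) showing how a WEP per-packet key is assembled from the 24-bit IV and the 40/104-bit static key, and how quickly the IV space is used up. The ASCII-to-hex mapping is the plain byte-for-byte one; as the article notes, some vendors derive it differently. The sample key and the 500 frames-per-second rate are constructed assumptions.

```python
# Added example, not from the article: how a WEP per-packet RC4 key is
# assembled (24-bit IV + 40/104-bit static key) and why the IV space runs
# out quickly. The ASCII-to-hex mapping below is the plain byte-for-byte
# one; as the article notes, some vendors derive it differently.
import math
import random

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 distinct initialization vectors


def wep_key_hex(ascii_key: str) -> str:
    """Map a 5- or 13-character ASCII WEP key to its 40/104-bit hex form."""
    if len(ascii_key) not in (5, 13):
        raise ValueError("WEP ASCII key must be 5 (40-bit) or 13 (104-bit) characters")
    return ascii_key.encode("ascii").hex().upper()


def per_packet_key(iv: int, static_key_hex: str) -> bytes:
    """RC4 seed for one frame: the 3-byte IV followed by the static key.

    The result is 8 bytes (64 bits) or 16 bytes (128 bits), which is the
    "key length" quoted in vendor marketing.
    """
    if not 0 <= iv < IV_SPACE:
        raise ValueError("IV must fit in 24 bits")
    return iv.to_bytes(3, "big") + bytes.fromhex(static_key_hex)


def seconds_to_exhaust_ivs(frames_per_second: float) -> float:
    """Time until a sender that never reuses an IV has used every value once."""
    return IV_SPACE / frames_per_second


def expected_frames_until_repeat() -> float:
    """Birthday bound: with IVs drawn at random, the first repeat is expected
    after about sqrt(pi/2 * N) frames, far fewer than N."""
    return math.sqrt(math.pi / 2 * IV_SPACE)


def first_iv_repeat(seed: int = 1) -> int:
    """Simulate random IV selection; return the frame number of the first reuse."""
    rng = random.Random(seed)
    seen = set()
    frame = 0
    while True:
        frame += 1
        iv = rng.getrandbits(IV_BITS)
        if iv in seen:
            return frame
        seen.add(iv)


if __name__ == "__main__":
    key104 = wep_key_hex("s3cr3tk3y1234")  # constructed sample key, 13 chars
    print("static key (hex):", key104)
    print("per-packet key bits:", len(per_packet_key(0x0A0B0C, key104)) * 8)
    print("minutes to exhaust IVs at 500 frames/s: %.0f"
          % (seconds_to_exhaust_ivs(500) / 60))
    print("expected frames to first random-IV repeat: %.0f"
          % expected_frames_until_repeat())
    print("simulated first repeat at frame:", first_iv_repeat())
```

Two things are worth noticing when running it: exhausting all 16 million IVs at a modest frame rate takes hours, in line with the article, but a sender that picks IVs at random is expected to repeat one after only a few thousand frames, which is why the rotation of keys from the list (and, later, TKIP's much larger per-packet key space) matters so much.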

Scared well? ;-)

Unfortunately, when using the 802.11b standard nothing but WEP can be selected. More precisely, some (a minority of) vendors supply their own software implementations of WPA encryption, which are much more robust than WEP, but these "patches" are incompatible even among equipment from the same manufacturer. In general, with 802.11b equipment there are only three ways to encrypt your traffic:

  1. Use WEP with the maximum key length (128 bits or more); if the equipment supports cyclic rotation of keys from the list (up to four keys), it is advisable to enable that rotation.
  2. Use the 802.1x standard.
  3. Use third-party software to organize VPN tunnels (encrypted data streams) over the wireless network. A VPN server is installed on one of the machines (usually with PPTP support), and VPN clients are configured on the others. This topic requires separate consideration and is beyond the scope of this article.

802.1x relies on a bundle of several protocols:

  • EAP (Extensible Authentication Protocol): a protocol for extended authentication of users or remote devices;
  • TLS (Transport Layer Security): a transport-layer security protocol that ensures the integrity of data transfer between server and client, as well as their mutual authentication;
  • RADIUS (Remote Authentication Dial-In User Service): a server for authenticating remote clients.

802.1x provides authentication of remote clients and the issuing of temporary keys for data encryption. Keys are sent to the client (in encrypted form) for a short period, after which a new key is generated and sent. The encryption algorithm is unchanged (still RC4), but the frequent key rotation makes it much harder to crack. Among Microsoft operating systems, this protocol is supported only in Windows XP. Its big disadvantage (for the end user) is that it requires a RADIUS server, which most likely will not exist on a home network.

802.11g devices support the enhanced WPA (Wi-Fi Protected Access) encryption algorithm. By and large it is an interim standard designed to fill the security gap until the arrival of IEEE 802.11i (the so-called WPA2). WPA includes 802.1X, EAP, TKIP and MIC.

Of the protocols not yet considered, TKIP and MIC appear here:

  • TKIP (Temporal Key Integrity Protocol) is an implementation of dynamic encryption keys; in addition, each device on the network receives its own master key (which also changes from time to time). Encryption keys are 128 bits long and are generated by a complex algorithm; the total number of possible key variants reaches hundreds of billions, and they change very often. However, the cipher used is still RC4.
  • MIC (Message Integrity Check) is a packet integrity check. It allows packets that have been "inserted" into the channel by a third party, i.e. that did not come from a valid sender, to be dropped.

The many advantages of TKIP do not make up for its main disadvantage: the RC4 algorithm used for encryption. While no attacks on TKIP-based WPA have been reported so far, who knows what the future holds? Therefore the AES (Advanced Encryption Standard) cipher, which replaces TKIP, is becoming more and more popular. Incidentally, the forthcoming WPA2 standard makes AES encryption mandatory.

What conclusions can be drawn?

  • If there are only 802.11g devices on the network, it is better to use WPA-based encryption;
  • if possible (i.e. if all devices support it), enable AES encryption.

Let's move on to setting up encryption on the devices themselves. I am using the same wireless adapters as in the previous article:

The ASUS WL-100g CardBus adapter is installed in the laptop. The card is managed through a utility from ASUS (ASUS WLAN Control Center).

The ASUS WL-140 is an external adapter with a USB interface. It is managed through the interface built into Windows XP (Wireless Zero Configuration). This card is of the 802.11b standard, so it has no WPA support.

The ASUS WL-130g is a board with a PCI interface. Its management interface is the one supplied by Ralink (the manufacturer of this PCI card's chipset).

ASUS WLAN Control Center - ASUS WL-100g

Let's start by setting up encryption in the ASUS WLAN Control Center management interface. All settings are concentrated in the Encryption section. First, choose the type of authentication (Network Authentication); three types are available: Open System, Shared Key and WPA.

1. WEP encryption.

The Open System and Shared Key types are the two authentication modes built into WEP. Open System mode is insecure, and enabling it is strongly discouraged when Shared Key can be activated. The reason is that in Open System mode, to join the wireless network (associate with another station or access point) it is enough to know only the network's SSID, whereas in Shared Key mode you must also have the WEP encryption key common to the whole network.

Next, select Encryption: WEP with a key size of 128 bits (it is better not to use a 64-bit key at all). Then choose the key format: HEX (entering the key in hexadecimal) or generating the key from an ASCII string (don't forget that the generation algorithms may differ between manufacturers). Also keep in mind that the WEP key (or keys) must be the same on all devices in the network. You can enter up to four keys in total. The last step is to choose which of the keys will be used (Default Key). There is another option here: using all four keys in turn, which increases security (only compatible with devices from the same manufacturer).

2. WPA encryption.

When all devices support it (usually 802.11g devices), it is strongly recommended to use this mode instead of the legacy and vulnerable WEP.

Typically, wireless devices support two WPA modes:

  • Standard WPA. It does not suit us, since it requires a RADIUS server on the network (moreover, it works only in conjunction with an access point).
  • WPA-PSK, WPA with Pre-Shared Key support. This is what we need: the key (the same for all devices) is set manually on all wireless adapters, and the initial authentication of stations is carried out with it.

You can choose TKIP or AES as the encryption algorithm. The latter is not implemented on all wireless clients, but if all stations support it, it is the better choice. Wireless Network Key is the same pre-shared key. It is advisable to make it long and not to use a dictionary word or a set of words; ideally it should be some kind of gibberish.

After clicking Apply (or OK), the specified settings are applied to the wireless card. This completes setting up encryption on it.

Ralink management interface - ASUS WL-130g

The setup is not very different from the ASUS WLAN Control Center interface reviewed above. In the interface window that opens, go to the Profile tab, select the desired profile and click Edit.

1. WEP encryption.

Encryption is configured on the Authentication and Security tab. If WEP encryption is activated, select Shared (i.e. shared key) as the Authentication type.

Select WEP as the encryption type and enter up to four ASCII or hexadecimal keys. The key length cannot be specified in this interface; a 128-bit key is always used.

2. WPA encryption.

If you select WPA-None as the Authentication type, WPA shared-key encryption is enabled. Select the encryption type (Encryption), TKIP or AES, and enter the shared key (WPA Pre-Shared Key).

This concludes the encryption setup in this interface. To save the settings in the profile, just click OK.

Wireless Zero Configuration (Windows built-in interface) - ASUS WL-140

The ASUS WL-140 is an 802.11b card, so it only supports WEP encryption.

1. WEP encryption.

In the wireless adapter settings, go to the Wireless Networks tab. Select our wireless network and press the Configure button.

In the window that appears, enable Data encryption. Also enable Network Authentication; disabling this item enables "Open System" authentication, i.e. any client that knows the SSID will be able to connect to the network.

Enter the network key (and re-enter it in the next field). Check its index (serial number); usually it is one (i.e. the first key). The key number must be the same on all devices.

The key (network password), as the operating system tells us, must contain 5 or 13 characters, or be entered entirely in hexadecimal. Once again I draw your attention to the fact that the algorithm for translating the key from character form to hexadecimal may differ between Microsoft and manufacturers who ship their own management interfaces, so it is safer to enter the key in hexadecimal form (i.e. digits 0 to 9 and letters A to F).

There is also a checkbox in the interface for automatic key provisioning, but I don't know exactly where this would work. The help says the key can be pre-programmed into the wireless adapter by its manufacturer. In general, it is best not to enable this feature.

This completes the encryption setting for the 802.11b adapter.

By the way, about the OS built-in help. Most of what has been said here, and more, can be found in the Help and Support Center, which has a good help system; you just need to enter keywords and click the green search arrow.

2. WPA encryption.

Having examined encryption setup using the 802.11b ASUS WL-140 adapter as an example, we did not touch on WPA setup in Windows, since that card does not support this mode. Let's consider it using another adapter, the ASUS WL-100g. The ability to configure WPA in Windows XP appears with the installation of Service Pack 2 (or the corresponding updates from the Microsoft website).

Service Pack 2 greatly expands the functionality and convenience of the wireless settings. Although the main menu items have not changed, new ones have been added.

Encryption is configured in the standard way: first select the wireless adapter's icon, then press the Properties button.

Go to the Wireless Networks tab and choose the network to configure (usually there is only one). Press Properties.

In the window that appears, select WPA-None, i.e. pre-shared-key WPA (if you choose Compatible, you get the WEP configuration mode already described above).

Choose AES or TKIP (if all devices on the network support AES, it is better to choose it) and enter the WPA key twice (the second time in the confirmation field). It should be long and hard to guess.

After clicking OK, the WPA encryption setup can also be considered complete.

In conclusion, a few words about the Wireless Network Setup Wizard that appeared with Service Pack 2.

In the network adapter properties, select the Wireless Networks button.

In the window that appears, click Set up a wireless network.

Here the wizard tells us where we have got to. Press Next.

Choose Set up a wireless network (if you choose Add, you can create profiles for other computers on the same wireless network).

In the window that appears, set the network's SSID, enable WPA encryption if possible, and select how the key will be provided: generated by the operating system or entered manually. If the first option is selected, a window pops up asking you to enter the required key (or keys). The wizard then offers to save the parameters of the configured network in one of two ways:

  • in a text file, for subsequent manual entry on other machines;
  • as a profile on a USB flash drive, for automatic entry on other Windows XP machines with Service Pack 2.

If saving to flash is selected, the next window prompts you to insert the flash drive and select it from the menu.

If manual saving of the parameters was selected, then after pressing the Type button a text file with the parameters of the configured network is displayed. I draw your attention to the fact that random, long (i.e. good) keys are generated, but TKIP is used as the encryption algorithm. AES can later be enabled manually in the settings, as described above.

Summary

We have finished configuring encryption on all wireless adapters. Now you can check whether the computers can see each other. How to do this was described in the second part of the "DIY networks" series (we proceed the same way as when encryption was not enabled).

If we are in trouble and not all computers can see each other, we check the general settings on the adapters:

  • The authentication algorithm must be the same on all of them (Shared Key or WPA);
  • The encryption algorithm must be the same on all of them (WEP 128-bit, WPA-TKIP or WPA-AES);
  • The key length (in the case of WEP) must be the same on all stations in the network (the usual length is 128 bits);
  • The key itself must be the same on all stations. With WEP, a possible cause is using an ASCII key on a network with dissimilar equipment (from different manufacturers). Try entering the key in hexadecimal.
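The four checks above can be applied mechanically. The following is an added example (not from the original article): a small checker that takes the settings as typed on each station and reports which of the four rules is violated, including the ASCII-key-on-mixed-vendors case. Station names, keys and the field names are constructed for the example.

```python
# Added example, not part of the article: a checker for the four rules in the
# troubleshooting list above, run over constructed per-station settings.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class StationConfig:
    name: str
    auth: str        # "Shared Key", "Open System" or "WPA-PSK"
    cipher: str      # "WEP", "TKIP" or "AES"
    key: str         # the key exactly as typed on that station
    key_format: str  # "HEX" or "ASCII" (matters only for WEP)


def wep_key_bits(st: StationConfig) -> Optional[int]:
    """Nominal WEP key size (64 or 128) implied by the typed key, or None."""
    if st.cipher != "WEP":
        return None
    if st.key_format == "HEX":
        return {10: 64, 26: 128}.get(len(st.key))   # hex digits
    return {5: 64, 13: 128}.get(len(st.key))        # ASCII characters


def find_mismatches(stations: List[StationConfig]) -> List[str]:
    """Return human-readable problems; an empty list means the settings agree."""
    problems = []
    auths = sorted({s.auth for s in stations})
    if len(auths) > 1:
        problems.append(f"authentication differs: {auths}")
    ciphers = sorted({s.cipher for s in stations})
    if len(ciphers) > 1:
        problems.append(f"encryption differs: {ciphers}")
    wep = [s for s in stations if s.cipher == "WEP"]
    if wep:
        sizes = sorted({str(wep_key_bits(s)) for s in wep})
        if len(sizes) > 1:
            problems.append(f"WEP key length differs: {sizes}")
        if any(s.key_format == "ASCII" for s in wep):
            problems.append("WEP key typed as ASCII on some stations; mixed-vendor "
                            "drivers may map it to different hex, so enter it in HEX everywhere")

    def normalized(s: StationConfig) -> str:
        # WEP hex keys are case-insensitive; WPA passphrases are case-sensitive.
        return s.key.lower() if s.cipher == "WEP" and s.key_format == "HEX" else s.key

    if len({normalized(s) for s in stations}) > 1:
        problems.append("the key itself differs between stations")
    return problems


# Constructed sample: a mixed-vendor WEP network with several mistakes ...
SAMPLE_WEP = [
    StationConfig("laptop (WL-100g)", "Shared Key", "WEP", "0123456789ABCDEF0123456789", "HEX"),
    StationConfig("desktop (WL-130g)", "Shared Key", "WEP", "s3cr3tk3y1234", "ASCII"),
    StationConfig("usb (WL-140)", "Open System", "WEP", "0123456789", "HEX"),
]
# ... and a consistent WPA-PSK/AES network.
SAMPLE_WPA = [
    StationConfig("laptop", "WPA-PSK", "AES", "Kx7#pQ9vL2mZ", "ASCII"),
    StationConfig("desktop", "WPA-PSK", "AES", "Kx7#pQ9vL2mZ", "ASCII"),
]

if __name__ == "__main__":
    for label, stations in (("WEP", SAMPLE_WEP), ("WPA", SAMPLE_WPA)):
        print(label, find_mismatches(stations) or ["settings agree"])
```

Running it on the WEP sample reports all four problems (mixed Open System/Shared Key, a 64-bit key on the USB adapter, an ASCII key on the Ralink card, and keys that differ); the WPA sample comes back clean.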

To secure your Wi-Fi network and set a password, you must select the wireless security type and encryption method. At this stage many people have a question: which one to choose? WEP, WPA or WPA2? Personal or Enterprise? AES or TKIP? Which security settings will best protect your Wi-Fi network? I will try to answer all these questions in this article. We will consider all possible authentication and encryption methods and find out which Wi-Fi security parameters are best set in the router settings.

Note that "security type", "authentication type", "network authentication", "security" and "authentication method" all mean the same thing.

Authentication type and encryption are the basic security settings of a wireless Wi-Fi network. I think we first need to figure out what they are, which versions exist and what they can do. After that we'll work out which type of protection and encryption to choose. I will show this using several popular routers as examples.

I highly recommend setting a password and securing your wireless network. Set the maximum level of protection. If you leave the network open and unprotected, anyone can connect to it. That is unsafe in the first place, and it also means unnecessary load on your router, a drop in connection speed and all kinds of problems connecting different devices.

Wi-Fi network security: WEP, WPA, WPA2

There are three protection options (not counting "Open", of course):

  • WEP (Wired Equivalent Privacy) is an outdated and insecure authentication method. It is the first and not very successful protection method. Attackers can easily gain access to wireless networks protected with WEP. You do not need to set this mode in your router's settings, although it is usually (not always) there.
  • WPA (Wi-Fi Protected Access) is a reliable and modern type of security, with maximum compatibility across devices and operating systems.
  • WPA2 is a newer, improved and more reliable version of WPA. It supports AES CCMP encryption. At the moment it is the best way to protect a Wi-Fi network, and it is what I recommend using.

WPA / WPA2 comes in two types:

  • WPA / WPA2 - Personal (PSK) is the usual authentication method: you only need to set a password (key) and then use it to connect to the Wi-Fi network. One password is used for all devices, and the password itself is stored on the devices, where you can view or change it if necessary. This is the recommended option.
  • WPA / WPA2 - Enterprise is a more sophisticated method, used mainly to protect wireless networks in offices and institutions. It provides a higher level of protection and is used only when a RADIUS server is installed for device authorization (it hands out the passwords).

I think we've figured out the authentication method. It is best to use WPA2 - Personal (PSK). For better compatibility, so that there are no problems connecting older devices, you can set WPA / WPA2 mixed mode. Many routers have this mode set by default, or it is marked as "Recommended".

Wireless encryption

There are two methods: TKIP and AES.

We recommend using AES. If you have old devices on the network that do not support AES (only TKIP) and there are problems connecting them to the wireless network, set "Auto". The TKIP encryption type is not supported in 802.11n mode.

In any case, if you set strictly WPA2 - Personal (recommended), only AES encryption will be available.

What kind of protection should I put on a Wi-Fi router?

Use WPA2 - Personal with AES encryption. To date this is the best and safest option. This is how the wireless security settings look on ASUS routers:

And this is how these security settings look on TP-Link routers (with old firmware).

More detailed instructions for TP-Link you can see.

Instructions for other routers:

If you do not know where to find all these settings on your router, write in the comments and I will try to help. Just don't forget to indicate the model.

Since older devices (Wi-Fi adapters, phones, tablets, etc.) may not support WPA2 - Personal (AES), in case of connection problems set the mixed mode (Auto).

I often notice that after changing the password or other protection parameters, devices do not want to connect to the network. On computers there may be the error "The network settings saved on this computer do not match the requirements of this network." Try deleting (forgetting) the network on the device and reconnecting. How to do this on Windows 7, I wrote. And in Windows 10 you need.

Password (key) WPA PSK

Whichever type of security and encryption method you choose, you need to set a password. It is also called the WPA key, Wireless Password, Wi-Fi network security key, etc.

Password length is from 8 to 32 characters. You can use letters of the Latin alphabet and numbers, as well as special characters: - @ $ # ! etc. No spaces! The password is case-sensitive, meaning that "z" and "Z" are different characters.

I do not advise using simple passwords. Better to create a strong password that no one will be able to guess, even if they try hard.

It is unlikely that you will be able to remember such a complex password, so it would be wise to write it down somewhere. It is not uncommon for a Wi-Fi password to be forgotten. What to do in such situations, I wrote in the article:.

If you need even more protection, you can use MAC binding. Honestly, I do not see the need for it: WPA2 - Personal together with AES and a strong password is enough.

How do you protect your Wi-Fi network? Write in the comments. And ask your questions 🙂

This article is about security when using WiFi wireless networks.

Introduction - WiFi vulnerabilities

The main reason user data is vulnerable when transmitted over WiFi networks is that the exchange takes place over radio waves. This makes it possible to intercept messages at any point where the WiFi signal is physically available. Simply put, if an access point's signal can be picked up at a distance of 50 meters, then interception of all traffic on this WiFi network is possible within a radius of 50 meters from the access point: in an adjacent room, on another floor of the building, or on the street.

Imagine this picture. In an office, the local network is built over WiFi. The signal from this office's access point is picked up outside the building, for example in the parking lot. An attacker outside the building can gain access to the office network unnoticed by the network's owners. WiFi networks can be accessed easily and discreetly, technically much more easily than wired networks.

Yes, means of protecting WiFi networks have been developed and implemented. This protection is based on encrypting all traffic between the access point and the end device connected to it. That is, an attacker can intercept the radio signal, but to him it will be just digital "garbage".

How does WiFi protection work?

The access point admits to its WiFi network only a device that sends the correct password (the one specified in the access point settings). In this case the password is also sent encrypted, in the form of a hash. A hash is the result of irreversible encryption: data that has been turned into a hash cannot be decrypted. If an attacker intercepts the password hash, he will not be able to obtain the password.

But how does the access point know whether the password is correct, if it also receives only a hash and cannot decrypt it? Simple: in the access point settings the password is stored in plain form. The authorization program takes the plain password, creates a hash from it and compares that hash with the one received from the client. If the hashes match, the client has the correct password. The second property of hashes is used here: they are unique. The same hash cannot be obtained from two different sets of data (passwords), so if two hashes match, they were both created from the same data.

By the way, thanks to this property hashes are used to check data integrity. If two hashes (created some time apart) match, the original data has not been changed in the meantime.

Nevertheless, even though the most modern WiFi protection method (WPA2) is reliable, such a network can still be hacked. How?

There are two methods for accessing a WPA2 secured network:

  1. Password guessing (so-called dictionary brute-force attacks).
  2. Exploiting a vulnerability in the WPS function.

In the first case, the attacker intercepts the password hash for the access point. Then hashes are compared against a database containing thousands or millions of words: a word is taken from the dictionary, a hash is generated for it, and this hash is compared with the intercepted one. If a primitive password is used on the access point, cracking that access point's password is a matter of time. For example, an 8-digit password (8 characters is the minimum password length for WPA2) is one million combinations. On a modern computer one million values can be tried in a few days or even hours.

In the second case, a vulnerability in the first versions of the WPS function is exploited. This function lets you connect a device on which a password cannot be entered, such as a printer, to the access point. When it is used, the device and the access point exchange a numeric code, and if the device sends the correct code, the access point authorizes the client. The vulnerability was that the code was 8 digits long, but its correctness was checked using only four of them! That is, to break WPS one only needs to enumerate the values of 4 digits. As a result, hacking an access point via WPS can be done in literally a few hours, on any device, even the weakest.

Setting up WiFi security

The security of a WiFi network is determined by the access point's settings. Several of these settings directly affect network security.

WiFi network access mode

The access point can operate in one of two modes: open or protected. In open mode any device can connect to the access point. In protected mode only a device that transmits the correct access password is connected.

There are three types (standards) for protecting WiFi networks:

  • WEP (Wired Equivalent Privacy). The very first protection standard. Today it provides practically no protection, since it is very easy to break due to the weakness of its defense mechanisms.
  • WPA (Wi-Fi Protected Access). Chronologically the second protection standard. At the time of its creation and deployment it provided effective WiFi network protection, but in the late 2000s ways were found to break WPA security through vulnerabilities in its mechanisms.
  • WPA2 (Wi-Fi Protected Access 2). The latest protection standard. It provides reliable protection if certain rules are followed. To date there are only two known ways to break WPA2 protection: dictionary password guessing and a workaround through the WPS service.

Therefore, to ensure the security of a WiFi network you must select the WPA2 security type. However, not all client devices support it; for example, Windows XP SP2 only supports WPA.

In addition to choosing the WPA2 standard, further conditions are required:

Use the AES encryption method.

The password for accessing the WiFi network must be composed as follows:

  1. Use letters and numbers in the password: an arbitrary set of letters and numbers, or a very rare word or phrase meaningful only to you.
  2. Do not use simple passwords like name + date of birth, or some word + a few numbers, for example lena1991 or dom12345.
  3. If you must use a digits-only password, its length must be at least 10 characters, because an eight-digit numeric password can be brute-forced in realistic time (from several hours to several days, depending on the power of the computer).

If you use complex passwords in accordance with these rules, your WiFi network cannot be hacked by guessing the password with a dictionary. For example, for a password like 5Fb9pE2a (arbitrary alphanumeric) there are 218340105584896 possible combinations. Today it is almost impossible to find. Even if a computer compares 1,000,000 (a million) words per second, it will take almost 7 years to go through all the values.
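The three password rules and the combination count above can be checked in code. The following is an added example (not from the original article) that serves both the dictionary-attack description earlier and the password rules here: it flags passphrases that break the rules, computes the search space for a passphrase of the same length and character classes (reproducing the 62^8 figure for 5Fb9pE2a), and derives the WPA2-Personal PSK the way the standard does, with PBKDF2-HMAC-SHA1 over the passphrase salted by the SSID for 4096 rounds, which is the per-guess cost any dictionary search must pay. The SSID "HomeNet" and the one-million-guesses-per-second rate are constructed assumptions.

```python
# Added example, not from the article: check a WPA2 passphrase against the
# three rules above, estimate the space a dictionary or brute-force search
# must cover, and derive the PSK the way WPA2-Personal does
# (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 rounds).
import hashlib
import re
import string

SECONDS_PER_YEAR = 365 * 24 * 3600
WORD_PLUS_DIGITS = re.compile(r"^[A-Za-z]+\d{1,5}$")  # lena1991, dom12345, ...


def check_passphrase(pw: str) -> list:
    """Return the rule violations for a passphrase (empty list = acceptable)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than the WPA2 minimum of 8 characters")
    if pw.isdigit():
        if len(pw) < 10:                                   # rule 3
            problems.append("digits-only passphrases must be at least 10 characters")
    elif not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("mix letters and digits")          # rule 1
    if WORD_PLUS_DIGITS.match(pw):                         # rule 2
        problems.append("looks like a word followed by a few digits")
    return problems


def keyspace(pw: str) -> int:
    """Number of candidates of the same length drawn from the character
    classes the passphrase actually uses (what brute force must cover)."""
    classes = [string.digits, string.ascii_lowercase,
               string.ascii_uppercase, string.punctuation]
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in pw))
    return alphabet ** len(pw)


def years_to_exhaust(space: int, guesses_per_second: float = 1e6) -> float:
    """Time to try every candidate at the given rate (constructed rate)."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """The 256-bit PSK a WPA2-Personal client and AP both compute; every
    dictionary guess has to pay the same 4096 HMAC-SHA1 iterations."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    for pw in ("lena1991", "12345678", "5Fb9pE2a"):   # the article's examples
        space = keyspace(pw)
        print(f"{pw:10} problems={check_passphrase(pw) or 'none'} "
              f"space={space:,} years@1M/s={years_to_exhaust(space):.2f}")
    # "HomeNet" is a constructed SSID for the demonstration
    print("PSK for SSID 'HomeNet':", derive_psk("5Fb9pE2a", "HomeNet").hex())
```

Note the two different risks the code separates: lena1991 has a sizeable brute-force space but fails because it is exactly the word-plus-digits shape a dictionary covers, while 12345678 fails because its space is small enough to enumerate outright.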

WPS (Wi-Fi Protected Setup)

If your access point has Wi-Fi Protected Setup (WPS), you should disable it. If this feature is required, make sure its version has been updated to include the following:

  1. Using all 8 digits of the PIN code instead of 4, as it was originally.
  2. Introducing a delay after several attempts by a client to send a wrong PIN code.

An additional opportunity to improve WPS security is the use of an alphanumeric pincode.

Security of public WiFi networks

Today it is fashionable to use the Internet via WiFi networks in public places: cafes, restaurants, shopping centers, and so on. It is important to understand that using such networks can lead to theft of your personal data. If you access the Internet through such a network and then log in to a site, your credentials (login and password) can be intercepted by another person connected to the same WiFi network. Indeed, from any device that has authenticated and connected to an access point, it is possible to intercept the network traffic of all other devices on that network. The peculiarity of public WiFi networks is that anyone can connect to them, including an attacker, and this applies not only to open networks but also to protected ones.

What can you do to protect your data when connected to the Internet via a public WiFi network? There is only one option: use the HTTPS protocol. It establishes an encrypted connection between the client (browser) and the site. However, not all sites support HTTPS. Addresses on a site that supports HTTPS start with the prefix https://. If the site's addresses have the http:// prefix, the site either does not support HTTPS or is not using it.

Some sites do not use HTTPS by default but do support it, and you can use it if you explicitly (manually) type the https:// prefix.

For other uses, such as Internet chats, Skype, etc., free or paid VPN servers can be used to protect this data: first connect to the VPN server, and only then use the chat or an open site.

WiFi password protection

In the second and third parts of this article, I wrote that when the WPA2 security standard is used, one of the ways to hack a WiFi network is to guess the password with a dictionary. But an intruder has another way to obtain the password for your WiFi network. If you keep your password on a sticker glued to the monitor, a stranger can see it. Your password can also be stolen from a computer that is connected to your WiFi network. An outsider can do this if your computers are not protected from unauthorized access. This can be done using malware. In addition, the password can be stolen from a device that is taken outside the office (home, apartment), such as a smartphone or tablet.

Thus, if you need reliable protection for your WiFi network, you need to take steps to store the password securely and protect it from unauthorized access.

If you found this article useful or just liked it, do not hesitate to support the author financially. This is easy to do by sending money to Yandex Wallet No. 410011416229354 or to the phone +7 918-16-26-331.

Even a small amount helps me write new articles :)

WPA encryption means using a secured Wi-Fi network. WPA stands for Wi-Fi Protected Access.

Most system administrators know how to configure this protocol and know a lot about it.

But ordinary people can also learn a lot about what WPA is, how to set it up, and how to use it.

True, on the Internet you can find many articles on this subject from which it is impossible to understand anything. Therefore, today we will talk in simple language about difficult things.

A bit of theory

So, WPA is a protocol (a technology, a program) that contains a set of certificates used when transmitting a Wi-Fi signal.

In simpler terms, this technology allows you to use different authentication methods to protect a Wi-Fi network.

It could be an electronic key, or a special certificate granting the right to use this network (we will talk about this later).

In general, with the help of this program only those who have the right to do so will be able to use the network, and that's all you need to know.


For reference: authentication is a security measure that establishes a person's identity and their right to access the network by comparing the data they present with the expected data.

For example, a person authenticates when they place their finger on a fingerprint scanner. If they only enter a username and password, that is just authorization.

But the fingerprint makes it possible to check that this person really is logging in, and not someone else who took their data and used it to enter.

Fig. 1. Smartphone fingerprint scanner

So in computer networks, too, certain methods are used to confirm that it is the device with the right to access the network that gets access.

WPA has its own set of such methods. We will talk about them further, but first let us clarify several important points.

What do you need to know about WPA?

  1. Not all devices can use this technology, only those that support it at the software level. That is, if the manufacturer has built WPA support into the device, it can be used.
  2. WPA is the successor of WEP, another technology that lacked authentication as such.
  3. WPA uses special keys that are sent to all devices that will be allowed to connect to the network. After that everything is simple:
  • the signal reaches a new device and requests a key from it;
  • if the device provides the key, it connects to the network;
  • if it does not, a signal about this is sent to the central device and the connection does not take place.

If you have ever worked with Cisco Packet Tracer (a networking simulator from this company), you can understand how this technology works by looking at Figure 2.

Warning! If you have never worked with Cisco Packet Tracer, don't worry: everything will be clear to you even without this diagram.

There is a LAP (lightweight access point), a device that is controlled remotely and transmits the signal to a client, that is, a computer that uses the Wi-Fi signal.

The diagram also shows a WLC, a wireless LAN controller. On the right is the authentication server.

All of this is connected by an ordinary switch (a device that simply connects various network devices). The key is sent from the controller to the authentication server and is stored there.

When trying to connect to the network, the client must transmit to the LAP a key that it knows. This key goes to the authentication server and is compared with the expected key.

If the keys match, the signal is freely delivered to the client.

Fig. 2. An example WPA scheme in Cisco Packet Tracer

Components of WPA

As we said above, WPA uses special keys that are generated each time signal transmission starts, that is, when Wi-Fi is turned on, and that also change from time to time.

WPA includes several technologies at once that help generate and transmit these keys.

The figure below shows the general formula that includes all the components of the technology under consideration.

Fig. 3. Formula with WPA components

Now let's look at each of these components separately:

  • 1X (IEEE 802.1X) is a standard used to generate that very unique key with which authentication later takes place.
  • EAP is the Extensible Authentication Protocol. It is responsible for the format of the messages in which the keys are transmitted.
  • TKIP is a protocol that allowed the key size to be increased to 128 bytes (earlier, in WEP, it was only 40 bytes).
  • MIC is a mechanism for checking messages (in particular, their integrity). Messages that do not meet the criteria are sent back.

It is worth saying that there is now WPA2, which in addition to all of the above also uses CCMP and AES encryption.

We will not discuss what that is now, but WPA2 is more reliable than WPA. That's all you really need to know.

Once again from the start

So you have Wi-Fi, and the network uses WPA technology.

To connect to Wi-Fi, each device must present a user certificate, or, more simply, a special key issued by the authentication server.

Only then can it use the network. That's all!

Now you know what WPA is. Let's talk about what is good and what is bad about this technology.

Advantages and Disadvantages of WPA Encryption

The advantages of this technology include the following:

  1. Enhanced security of data transmission (compared with WEP, the predecessor of WPA).
  2. Tighter control over Wi-Fi access.
  3. Compatibility with a wide range of devices used to build a wireless network.
  4. Centralized security management; the center in this case is the authentication server. This prevents attackers from gaining access to hidden data.
  5. Enterprises can use their own security policies.
  6. Easy to set up and use.

Of course, this technology also has disadvantages, and they often turn out to be very significant. In particular:

  1. TKIP can be cracked in at most 15 minutes. This was announced by a group of specialists at the PacSec conference in 2008.
  2. In 2009, specialists from Hiroshima University developed a method to hack any network using WPA in one minute.
  3. With the help of the vulnerability that specialists named Hole196, WPA2 can be used with your own key rather than the one required by the authentication server.
  4. In most cases, any WPA can be hacked by ordinary enumeration of all possible options (brute force), as well as by a so-called dictionary attack. In the second case the candidates are tried not in random order but according to a dictionary.

Of course, to take advantage of all these vulnerabilities and problems, special knowledge in the field of building computer networks is necessary.

For most ordinary users none of this is accessible. Therefore you don't have to worry about someone gaining access to your Wi-Fi.

Fig. 4. Cracker and computer

About setting up WPA encryption

For the user the setup looks very simple: he chooses WPA technology to encrypt the password with which he will connect to the network.

More precisely, he uses WPA-PSK, that is, WPA not with a key but with a password. To do this he goes into the router settings, finds the network authentication type there, and sets the password.

In more detail, this procedure is performed as follows:

  1. To open the router settings, enter 192.168.0.1 or 192.168.1.1 in the browser address bar. If you have not changed anything there, the login and password will both be "admin".
  2. Next, find the item for the authentication method. For example, on the Asus RT-N12 it is in the "Advanced Settings" section, "Wireless" subsection (in the menu on the left). WPA is selected next to "Authentication Method".
  3. Other important parameters specified there are "WPA Pre-Shared Key", that is, the password for connecting to the network, and "SSID", that is, the name of the network.

Fig. 5. Router settings window

As you can see in Figure 5, there is also a "WPA Encryption" field. Usually these two parameters (and "Authentication Method") are specified together.

The "Encryption" parameter refers to the type of encryption. Only two types are used in conjunction with WPA: TKIP and AES.

Combinations of these two types are also used.

As for choosing the encryption type, here are instructions on this:

  1. If the security of your network really matters to you, use AES. In this case, do not use any combination with TKIP.
  2. If you are using outdated devices that do not support WPA2, it is better to use TKIP.
  3. For a home network TKIP is also fine. It creates less load on the network, but also reduces its security.

There can be no other advice here. TKIP has weaker security, and that says it all.
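The advice above (WPA2 only, AES rather than TKIP, WPS disabled, a password within the allowed length) can be turned into a check that runs over an access point's configuration. The following is an added example, not code from the article or from any router vendor: it audits a hostapd-style configuration. The option names used (wpa, wpa_pairwise, rsn_pairwise, wpa_key_mgmt, wpa_passphrase, wps_state) are real hostapd.conf keys; the two configurations themselves are constructed here for illustration.

```python
# Added example (not from the article): audit an access-point configuration in
# hostapd.conf syntax against the article's advice. Both configurations are
# constructed samples; the option names are real hostapd keys.

# Constructed "before" configuration: WPA and WPA2 both enabled (wpa=3), TKIP allowed
# for both, WPS configured and active (wps_state=2).
WEAK_CONF = """\
ssid=HomeNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=TKIP CCMP
wpa_passphrase=dom12345
wps_state=2
"""

# Constructed "after" configuration: WPA2 only, CCMP (AES) only, WPS disabled.
HARDENED_CONF = """\
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=5Fb9pE2a-K7q3Wx1m
wps_state=0
"""


def parse_conf(text: str) -> dict:
    """Parse key=value lines, ignoring blanks and # comments (hostapd.conf style)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf: dict) -> list:
    """Return a list of findings; an empty list means the config follows the article's rules."""
    findings = []
    # Rule: WPA2 only. In hostapd, wpa=1 is WPA, wpa=2 is WPA2 (RSN), wpa=3 is both.
    wpa = conf.get("wpa", "0")
    if wpa != "2":
        findings.append(f"wpa={wpa}: WPA or no WPA enabled; use wpa=2 (WPA2 only)")
    # Rule: AES/CCMP only, no TKIP in any pairwise cipher list.
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append(f"{key} allows TKIP; use CCMP only")
    if "CCMP" not in conf.get("rsn_pairwise", "").split():
        findings.append("rsn_pairwise does not include CCMP (AES)")
    # Rule: WPS off. wps_state=0 disables WPS in hostapd.
    if conf.get("wps_state", "0") != "0":
        findings.append("WPS is enabled; set wps_state=0")
    # WPA-PSK passphrases must be 8..63 characters.
    passphrase = conf.get("wpa_passphrase", "")
    if not 8 <= len(passphrase) <= 63:
        findings.append("wpa_passphrase must be 8 to 63 characters long")
    return findings


def audit_text(text: str) -> list:
    return audit(parse_conf(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_text(text))
```

Note that the weak sample passes the length check even though the article's own rule 2 would reject dom12345 as a word + number password; the length check here is only the protocol's limit, and password quality is judged separately.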

Actually, that's all there is to WPA encryption.

Above, we said that this technology has many vulnerabilities. Below you can see how they are used to hack the network.

Wi-Fi encryption - which protocol should you choose?

I bought myself a new router and decided to set it up myself. I set everything up: the Internet and the wireless network are working. A question arose, because radio waves (Wi-Fi in my case) spread not only within my apartment. Accordingly, they can be intercepted, in theory. The router has a wireless encryption setting. I assume it is there to prevent interception and eavesdropping. The question is, which of the encryption protocols available in my router should I choose? Available: WEP, WPA-Personal, WPA-Enterprise, WPA2-Personal, WPA2-Enterprise, WPS. What kind of Wi-Fi encryption should I use in my case?


norik | February 16, 2015 10:14 am
I will omit descriptions of any obsolete Wi-Fi encryption protocols and describe only those that make sense to use. If a protocol is not described here, then either it is exotic or you do not need it.

WPA and WPA2 (Wi-Fi Protected Access) are available on all routers. It is the most popular and widespread protocol, and one of the most modern. IMHO, it is the best choice for home and small office. However, it is quite suitable for large offices as well, except that it makes sense to make authorization more complicated. The password length is up to 63 bytes, so if you try to crack it, you may turn gray first. Of course, you should choose WPA2 if it is supported by all devices on the network (only very old gadgets do not understand it).

What is really valuable is that several encryption algorithms can be used inside this service. Among them:
  1. TKIP - I do not recommend it, as it is quite possible to find a hole in it.
  2. CCMP is much better.
  3. AES - I like it the most, but it is not supported by all devices, although it is in the WPA2 specification.

WPA2 also provides two modes of initial authentication. These modes are PSK and Enterprise. WPA Personal, also known as WPA PSK, means that all users enter the wireless network with a single password typed on the client side at the time of connecting to the network. Excellent for home, but problematic for a large office: it will be difficult to change the password for everyone every time another employee who knows it leaves.

WPA Enterprise assumes a separate server with a set of keys. For a home or an office with 6 machines this is cumbersome, but if there are 3 dozen wireless devices in the office, then it is worth looking into.

Actually, this exhausts the choice of Wi-Fi encryption at the moment. The rest of the protocols either do not have encryption or a password at all, or have holes in the algorithms that only the completely lazy will not get into. I recommend the combination WPA2 Personal AES for home use. For large offices, WPA2 Enterprise AES. If there is no AES, then TKIP can be made do with, but then the probability of an unauthorized person reading the packets remains. It is believed that WPA2 TKIP was never hacked, unlike WPA TKIP, but it was ...
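The answer above describes WPA2 Personal (PSK) as "a single password typed on the client side" up to 63 bytes long, and the earlier part of the page describes the connection as the client presenting a key that is compared with the expected one. The following added example (not code from the article, the answer's author, or any router firmware) shows what actually happens to that password: the IEEE 802.11i passphrase-to-PSK mapping, which stretches the passphrase with PBKDF2-HMAC-SHA1 (4096 rounds, 256-bit output) using the SSID as salt. The function names and the "compare the stored key with the offered one" model are assumptions made here for illustration; in the real protocol the key is never sent, the client proves possession of it in the 4-way handshake.

```python
import hashlib
import hmac

# Added example (not from the article): WPA/WPA2-PSK pairwise master key (PMK)
# derivation as specified in IEEE 802.11i, plus a simplified acceptance check.

PBKDF2_ROUNDS = 4096   # fixed by the standard
PMK_LEN = 32           # 256-bit key


def validate_passphrase(passphrase: str) -> None:
    """A WPA-PSK passphrase is 8 to 63 printable ASCII characters.

    (The alternative, a raw 64-hex-digit key, skips the derivation entirely.)
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrase must be 8 to 63 characters long")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA-PSK passphrase must be printable ASCII")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN
    )


def access_point_accepts(stored_pmk: bytes, offered_passphrase: str, ssid: str) -> bool:
    """Simplified model of the 'compare the keys' step the page describes.

    Assumed here for illustration: the access point keeps the PMK derived from its
    configured passphrase and compares it (in constant time) with the PMK derived
    from what the client offers. The real protocol proves possession via the
    4-way handshake instead of transmitting the key.
    """
    try:
        offered_pmk = derive_pmk(offered_passphrase, ssid)
    except ValueError:
        return False
    return hmac.compare_digest(stored_pmk, offered_pmk)


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    ap_pmk = derive_pmk("password", "IEEE")
    print(access_point_accepts(ap_pmk, "password", "IEEE"))   # True
    print(access_point_accepts(ap_pmk, "passwords", "IEEE"))  # False
    print(access_point_accepts(ap_pmk, "short", "IEEE"))      # False (too short to be valid)
```

Two points for a defender follow directly from the derivation: the SSID is the salt, so a table of PMKs precomputed for one network name is useless against a network with a different name, and every password guess costs 4096 HMAC rounds, which is why guessing rates against WPA2-PSK are far below what a plain hash would allow. Neither helps if the passphrase itself is in a dictionary, which is the reason the page insists on its composition rules.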
