TKIP vs AES: an encryption guide
When it comes to keeping your router – and its connection – secure, you can choose between two primary encryption methods – TKIP and AES. But which is more secure? In this blog, we’ll take a look at each option to determine just that.
Router security in a nutshell
Before you encounter TKIP and AES encryption, if you’re establishing a wireless network you’ll first need to choose between the Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and Wi-Fi Protected Access II (WPA2) algorithms. This isn’t a choice to be made lightly – no closing your eyes and throwing a dart – because selecting the wrong algorithm can create a sluggish, unsafe network.
The oldest protocol in the pile is WEP, and it’s now considered to be lacking necessary security measures – as is WPA, which was introduced as a temporary solution to the situation before being replaced, in turn, by WPA2 in 2006. WPA2 has its fair share of issues and vulnerabilities despite being the shiniest, newest option, but it’s still the best pick of the bunch.
So, now that we’ve decided to go with WPA2, we can turn our attention to the real conundrum – WPA2-AES or WPA2-TKIP? Essentially, AES (Advanced Encryption Standard) and TKIP (Temporal Key Integrity Protocol) are the different types of encryption you can use on WPA2 networks.
Which is more secure – AES or TKIP?
TKIP was introduced around the same time as WPA to serve a similar function – namely to act as a patch and replace the weak WEP encryption protocol. At the time, this fresh TKIP encryption upgrade was significant – but time has also seen its effectiveness erode away. Because TKIP encryption isn’t so different to WEP encryption, it’s considered just as unsecure and vulnerable to attackers.
AES, on the other hand, is newer, more secure, and used by the WPA2 algorithm. You’ll see AES encryption used all over the web – even the U.S. government has implemented it. AES encryption is a sturdy, serious protocol that can be 128-bit, 192-bit, or 256-bit – a figure that denotes the key length, and so how many possible key combinations exist, a daunting thought for anyone attempting to break encryption. Though AES is somewhat susceptible to brute-force attacks (which is why having a strong password is so important!), it would still take an astronomically huge amount of time to crack even a 128-bit cipher, and we’re talking billions of billions of billions of years, here.
Which is faster – AES or TKIP?
The answer is pretty straightforward, seeing as WPA algorithms and TKIP encryption can slow your WiFi network to a crawl. In addition to being outdated and unsecure, TKIP is infamous for slowing systems that still use it. A new 802.11n router will want to default to WPA2-AES encryption, but if you go with WPA-TKIP instead, your speeds will decrease significantly.
So, not only is WPA2-AES far more secure, but it’s far faster, too. 802.11n routers using WPA2-AES can see speeds touching 300 Mbps, and in absolutely perfect conditions, are even capable of achieving 3.46 Gbps.
Conclusion
The numbers don’t lie, and you won’t want to take chances with your router’s security, so go with AES encryption! AES is compatible with just about every device and can support faster speeds, too.
WPA-TKIP did its job well enough, providing a then-secure alternative to weak WEP encryption whilst WPA2-AES was being cooked up. But now that WPA2-AES is readily available, there’s no real need to revert to using TKIP – your WiFi network will be more secure and quicker, and you’ll be able to enjoy the web knowing you’ve got the best possible encryption watching your back. If you want to learn more, check out our guide to internet encryption types.
Written by: River Hart
Originally hailing from Wales, River Hart graduated from Manchester Metropolitan University with a 1:1 in Creative Writing, going on to work as an Editor across a number of trade magazines. As a professional writer, River has worked across both digital and print media, and is familiar with collating news pieces, in-depth reports and producing bylines for international publications. Otherwise, they can be found poring over a tarot deck or spending more hours than she’ll ever admit playing Final Fantasy 14.
What are WPA-PSK/WPA2-PSK, TKIP and AES? | Understanding types of internet encryption
In articles about network security, the terms ‘protocol’, ‘standard’, ‘certification’ and ‘program’ are often used interchangeably when talking about encryption. What one source, website, or individual refers to as a ‘protocol’, for instance, might be referred to as a ‘standard’ elsewhere.
The first things we examine below are certification programs. WPA, WPA2, and WPA3 are the three wireless network certification programs we’ll be discussing in this article. These are occasionally referred to as encryption standards themselves.
Certification programs – in this case for Wi-Fi networks – use encryption protocols to secure data transmitted over a given Wi-Fi connection. An example would be TKIP, the Temporal Key Integrity Protocol. How encryption protocols encrypt data is determined by ciphers, which are essentially just algorithms that shape the process. An example of this is AES (which, confusingly, stands for Advanced Encryption Standard).
Authentication methods or mechanisms are used to verify wireless clients, such as a Pre-Shared Key (PSK), which is essentially just a string of characters. In cryptography this is called a ‘shared secret’ – it’s a piece of data known only by entities involved in the secure communication it is being used for. An example of a PSK would be a Wi-Fi password, which can be up to 63 characters and usually initiates the encryption process.
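How a pre-shared key starts the encryption process, as an added example that is not code from the original article: IEEE 802.11i stretches the passphrase into a 256-bit master key with PBKDF2-HMAC-SHA1, salted with the network name. The function names are hypothetical.

```python
import hashlib
import string

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Stretch a WPA/WPA2-Personal passphrase into the 256-bit master key.

    IEEE 802.11i: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes.
    """
    secret = passphrase.encode("ascii")  # non-ASCII input raises ValueError
    if not 8 <= len(secret) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= b <= 126 for b in secret):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", secret, salt, 4096, 32)

def resolve_psk(value: str, ssid: str) -> bytes:
    """Accept either form a router allows: 64 hex digits or a passphrase."""
    if len(value) == 64 and all(c in string.hexdigits for c in value):
        return bytes.fromhex(value)   # raw key, used as-is
    return derive_pmk(value, ssid)    # passphrase, stretched with the SSID

if __name__ == "__main__":
    # Constructed inputs: the same passphrase on two differently named networks.
    for name in ("IEEE", "CoffeeShop"):
        print(name, derive_pmk("password", name).hex())
```

Every client that knows the passphrase derives the same key for a given network name, which is why the secret is only as strong as the passphrase chosen.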
Security certification programs
All networks need security programs, certifications, and protocols to keep the devices and users on the network safe. For wireless networks, a number of security certification programs have been developed, including WPA and WPA2.
Wired Equivalent Protection (WEP)
WEP was the original wireless network security algorithm, and as you can probably tell by the name, was designed to supply a given network with the security of a wired one. WEP uses the RC4 cipher. However, WEP isn’t very secure at all, which is why it’s not commonly used, and is wholly obsolete when compared to later protocols. Everyone on the network shares the same key – a form of static encryption – which means everyone is put in harm’s way if one client is exploited.
Wi-Fi-Protected Access (WPA)
WPA is a more modern and more secure security certification for wireless networks. However, it is still vulnerable to intrusion and there are more secure protocols available. Wireless networks protected by WPA have a pre-shared key (PSK) and use the TKIP protocol – which in turn uses the RC4 cipher – for encryption purposes, a combination known as WPA-PSK. This is also not the most secure program to use because using PSK as the cornerstone of the certification process leaves you with similar vulnerabilities to WEP.
Wi-Fi-Protected Access 2 (WPA2)
WPA2 is another step up in terms of security and makes use of the Advanced Encryption Standard (AES) cipher for encryption, which is the same cipher the US military uses for a lot of its encryption. TKIP is replaced with CCMP – which is based on AES processing – providing a better standard of encryption. There is both a personal version (which supports CCMP/AES and TKIP/RC4) and an enterprise version (which supports EAP – the Extensible Authentication Protocol – as well as CCMP). See our guide to WPA2 for more information about it.
Wi-Fi-Protected Access 3 (WPA3)
WPA3 was developed only in the last three years and isn’t yet in widespread use. WPA3 also has Personal and Enterprise options, and is described by the Wi-Fi Alliance as having:
New features to simplify Wi-Fi security, enable more robust authentication, deliver increased cryptographic strength for highly sensitive data markets, and maintain resiliency of mission-critical networks.
Ciphers and protocols
Above, we looked at exactly which certification programs are the most up-to-date, as well as what encryption protocols and ciphers they use to secure wireless networks. Here, we’ll briefly run through how they work.
Ciphers
Ciphers – which, as we mentioned before, determine the process by which data is encrypted – are an important part of securing a wireless network. RC4 – short for Rivest Cipher 4 – is a stream cipher. Stream ciphers encrypt data one bit at a time, using a pseudo-random bit generator to create an 8-bit number. Created way back in 1987, RC4 was lauded for its speed and simplicity for many years but is now recognized to have several vulnerabilities that leave it open to man-in-the-middle attacks, amongst others.
A vast improvement has come in the form of AES, which is an acronym for Advanced Encryption Standard. AES is a symmetric block cipher. It’s symmetric in the sense that there is just one key used to decipher the information, and it is classified as a ‘block’ cipher because it encrypts in blocks of bits instead of bit-by-bit like a stream cipher. It uses key lengths of 256 bits, which makes it virtually impenetrable to brute force attacks (on present computing power). AES encryption is the US federal standard for encryption and is considered the strongest widely-used form ever created.
Encryption protocols
The Temporal Key Integrity Protocol was designed with WEP’s vulnerabilities in mind. WEP used a 64-bit or 128-bit encryption key that had to be entered on wireless access points and devices manually, and the key itself would never change. TKIP, on the other hand, implements a per-packet key, meaning that it creates a new 128-bit key for each data packet in a dynamic fashion.
The Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) is the step up from TKIP largely because it uses the AES cipher, the security-maximizing properties of which were discussed above.
Different combinations and which is safest?
Below is a rundown of some of the different combinations the wireless networks you regularly connect to might use for their security.
Option | Description | Safety level |
Open Network | This is the kind of network you might find in a café or outside at a tourist spot. It requires no password which means anyone can connect to the network. | Very Risky |
WEP 64/128 | Although WEP 128 is more secure than WEP 64 – it uses a bigger encryption key – these are both old, outdated, and therefore vulnerable. | Very Risky |
WPA-PSK (TKIP) | This is a pairing of the older security certification program with an outdated encryption protocol, so isn’t very secure either. | Risky |
WPA2-PSK (TKIP) | Using an outdated encryption protocol that isn’t secure defeats the purpose of using WPA2, which is a secure Wi-Fi certification program. | Risky |
WPA2-PSK (AES) | This is the latest encryption cipher paired with the most up-to-date and secure certification program, combining to make the most secure wireless network option. | Secure |
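To check which of these combinations a WPA2 access point actually advertises, the example below (added here, not part of the original article) parses the RSN element that beacons carry and rates it with the table's labels. Function names are hypothetical, the suite numbers are the IEEE 802.11 assignments, and the two sample elements are constructed.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")  # IEEE 802.11 suite selector prefix
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}  # CCMP is AES-based
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}

def _name(selector: bytes, table: dict) -> str:
    """Map a 4-byte suite selector (3-byte OUI + type) to a readable name."""
    if selector[:3] != RSN_OUI:
        return "vendor-specific"
    return table.get(selector[3], "unknown")

def _suite_list(body: bytes, off: int, table: dict):
    """Read a little-endian 16-bit count followed by that many selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated suite list")
    names = [_name(body[i:i + 4], table) for i in range(off + 2, end, 4)]
    return names, end

def parse_rsn(element: bytes) -> dict:
    """Parse an RSN element (ID 48); elements omitting fields are rejected."""
    if len(element) < 8 or element[0] != 48 or element[1] != len(element) - 2:
        raise ValueError("not a well-formed RSN element")
    body = element[2:]
    if struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN version")
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akm, _ = _suite_list(body, off, AKMS)
    return {"group": _name(body[2:6], CIPHERS), "pairwise": pairwise, "akm": akm}

def safety_level(rsn: dict) -> str:
    """Rate the advertised ciphers using the labels from the table above."""
    ciphers = set(rsn["pairwise"]) | {rsn["group"]}
    if ciphers & {"WEP-40", "WEP-104"}:
        return "Very Risky"
    if "TKIP" in ciphers:
        return "Risky"
    return "Secure" if ciphers == {"CCMP"} else "Unrated"

# Constructed sample elements (not captured from a real network).
WPA2_AES = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
WPA2_MIXED = bytes.fromhex("30180100000fac020200000fac04000fac020100000fac020000")
```

A network that still offers TKIP alongside AES is rated Risky here, because legacy clients on it keep using the weaker protocol.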
Written by: Aaron Drapkin
After graduating with a philosophy degree from the University of Bristol in 2018, Aaron became a researcher at news digest magazine The Week following a year as editor of satirical website The Whip. Freelancing alongside these roles, his work has appeared in publications such as Vice, Metro, Tablet and New Internationalist, as well as The Week’s online edition.