Wifi security: should you use WPA2-AES, WPA2-TKIP or both?


Many routers offer WPA2-PSK (TKIP), WPA2-PSK (AES) and WPA2-PSK (TKIP/AES). Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) are the main security protocols you will see when setting up a wireless network. WEP is the oldest and has well-known, practical attacks. WPA improved on it but is now also considered vulnerable. WPA2 is not perfect, but it is currently the safest option. The Temporal Key Integrity Protocol (TKIP) and the Advanced Encryption Standard (AES, more precisely AES in CCMP mode) are the two encryption methods a WPA2 network can use. Let's look at how they differ and which one you should choose.

Compare AES vs TKIP

TKIP and AES are the two encryption methods used by WPA-family Wifi networks. TKIP is the older of the two: it was introduced with WPA as a stopgap to replace the badly broken WEP, and it was deliberately designed to run on existing WEP hardware, so underneath it still uses the same RC4 stream cipher as WEP, wrapped in per-packet key mixing and a message integrity check. TKIP is no longer considered safe and you should not use it.

AES is the more secure option and arrived with WPA2. AES is not a standard developed specifically for Wifi: it is a general-purpose block cipher standardized by the US government (NIST FIPS 197) and used everywhere; for example, TrueCrypt can use AES to encrypt a hard drive. In Wifi it is used in CCMP mode, which provides both confidentiality and integrity. AES itself is considered secure. The practical weakness of a WPA2-PSK network is not the cipher but the passphrase: an attacker who captures the four-way handshake can guess the passphrase offline, which is defeated by using a long, random Wifi passphrase.

The short version: TKIP is the older encryption method used by the original WPA standard; AES (CCMP) is the newer method used by WPA2. However, depending on your router, choosing "WPA2" alone may not be enough.

WPA2 is meant to use AES, but it can also use TKIP for backward compatibility with older devices. In that configuration, devices that support WPA2 connect with WPA2 and devices that only support WPA connect with WPA. So "WPA2" does not always mean WPA2-AES. On routers that offer no separate "TKIP" or "AES" choice, however, WPA2 usually means WPA2-AES.

"PSK" stands for "pre-shared key": a passphrase that every device on the network shares, from which the actual encryption keys are derived. This distinguishes WPA-Personal from WPA-Enterprise, which authenticates each user individually through 802.1X and a RADIUS server and is used on large corporate or government wireless networks.
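How the pre-shared key is actually derived from the passphrase, and why the passphrase rather than AES is what an attacker goes after (the "brute-force" weakness mentioned above), as an added example that is not code from the original page. The PBKDF2 parameters are those of IEEE 802.11i; the "password"/"IEEE" known-answer pair is the test vector from IEEE 802.11i Annex H.4, and the candidate wordlist is constructed for the demonstration.

```python
"""Derive a WPA/WPA2-Personal pre-shared key from the passphrase and show why
the passphrase, not AES, is the weak point of a WPA2-PSK network.

Added example, not code from the original page. WORDLIST is constructed for
illustration; the "password"/"IEEE" pair is the IEEE 802.11i Annex H.4 vector.
"""
import hashlib
import hmac


def wpa_psk(passphrase, ssid):
    """IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    For WPA-Personal this PSK is used directly as the pairwise master key (PMK),
    so every device on the network ends up with the same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def offline_guess(target_psk, ssid, candidates):
    """Offline dictionary attack. A real attacker verifies each guess against a
    captured four-way handshake (by recomputing its MIC); the cost per guess is
    the same PBKDF2 work shown here, which is why a weak passphrase falls fast
    and a strong one does not. Returns (found passphrase or None, guesses tried)."""
    for tried, guess in enumerate(candidates, 1):
        if hmac.compare_digest(wpa_psk(guess, ssid), target_psk):
            return guess, tried
    return None, len(candidates)


# Constructed wordlist for the demonstration.
WORDLIST = ["12345678", "letmein1", "password", "qwertyuiop"]


if __name__ == "__main__":
    weak = wpa_psk("password", "IEEE")
    print("PSK for passphrase 'password' on SSID 'IEEE':", weak.hex())
    print(offline_guess(weak, "IEEE", WORDLIST))       # ('password', 3)
    strong = wpa_psk("correct horse battery staple 9x!", "IEEE")
    print(offline_guess(strong, "IEEE", WORDLIST))     # (None, 4)
```

Each guess costs 8192 HMAC-SHA1 computations (PBKDF2 needs two 20-byte blocks to fill 32 bytes, 4096 rounds each), and nothing about AES or WPA2 changes that cost; only the number of guesses the attacker must make does, which is set by the passphrase. Note also that the SSID is the salt, so a common SSID such as the router's default lets an attacker reuse precomputed tables.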

Wifi security modes explained

Here are the options you may see on your router:

  • Open: A Wifi network without a password. You should not run an open network.
  • WEP 64 (insecure): The old WEP protocol is broken and you really should not use it.
  • WEP 128 (insecure): Also WEP, with a longer key. It is not meaningfully better than WEP 64: the attacks on WEP exploit its use of RC4 and its initialization vectors, not the key length.
  • WPA-PSK (TKIP): The original WPA (sometimes called WPA1). It has been superseded by WPA2 and is not secure.
  • WPA-PSK (AES): The original WPA protocol with TKIP swapped for the more modern AES encryption. It was offered as a stopgap, but devices that support AES almost always support WPA2, while devices that need WPA rarely support AES, so this option rarely makes sense.
  • WPA2-PSK (TKIP): WPA2 with the older TKIP encryption. It is not secure either and is only useful if you have old devices that cannot connect to a WPA2-PSK (AES) network.
  • WPA2-PSK (AES): The safest option: WPA2 with AES (CCMP) encryption. Use this one.
  • WPA/WPA2-PSK (TKIP/AES): Some routers offer, and even recommend, this mixed mode. It allows both WPA and WPA2 with both TKIP and AES. That gives maximum compatibility with legacy devices, but it also lets an attacker go after the network through the weak WPA and TKIP protocols instead of WPA2-AES.
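A router's menu label is not the only way to find out what it offers; the access point announces its supported ciphers in every beacon. As an added example (not code from the original page or any vendor's), the parser below decodes the RSN (WPA2) and vendor WPA information elements from a beacon's tagged parameters and maps them onto the labels above. It serves both the mixed mode just described and the "WPA2 does not always mean WPA2-AES" paragraph earlier. The beacon bytes are constructed by hand for illustration; on a real network they would come from a beacon or probe response in a packet capture.

```python
"""Decode the security information elements (IEs) of an 802.11 beacon and report
which WPA/WPA2 ciphers the access point really offers.

Added example, not code from the original page. MIXED_MODE_IES and
AES_ONLY_IES are hand-constructed beacon tagged parameters.
"""
import struct

RSN_OUI = b"\x00\x0f\xac"   # suite selectors in the RSN IE (WPA2)
WPA_OUI = b"\x00\x50\xf2"   # suite selectors in the vendor WPA IE (WPA1)
EID_RSN, EID_VENDOR = 48, 221

# Cipher suite type -> the label a router UI uses ("AES" is really AES-CCMP).
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "AES", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}


def _selector(oui, raw, names):
    """Decode one 4-byte suite selector: 3-byte OUI + 1-byte type."""
    if len(raw) != 4 or raw[:3] != oui:
        return "unknown"
    return names.get(raw[3], "type-%d" % raw[3])


def _parse_suites(oui, body):
    """Parse version, group cipher, pairwise cipher list and AKM list. The
    layout is the same for the RSN IE and the WPA vendor IE; only the OUI
    differs."""
    (version,) = struct.unpack_from("<H", body, 0)
    group = _selector(oui, body[2:6], CIPHERS)
    pos = 6
    (count,) = struct.unpack_from("<H", body, pos)
    pos += 2
    pairwise = [_selector(oui, body[pos + 4 * i:pos + 4 * i + 4], CIPHERS)
                for i in range(count)]
    pos += 4 * count
    (count,) = struct.unpack_from("<H", body, pos)
    pos += 2
    akm = [_selector(oui, body[pos + 4 * i:pos + 4 * i + 4], AKMS)
           for i in range(count)]
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}


def iter_elements(ies):
    """Yield (element id, body) for each tagged parameter in a beacon."""
    pos = 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        yield eid, ies[pos + 2:pos + 2 + length]
        pos += 2 + length


def parse_security(ies):
    """Return {"WPA": {...}, "WPA2": {...}} for whichever IEs are present."""
    found = {}
    for eid, body in iter_elements(ies):
        if eid == EID_RSN:
            found["WPA2"] = _parse_suites(RSN_OUI, body)
        elif eid == EID_VENDOR and body[:4] == WPA_OUI + b"\x01":
            found["WPA"] = _parse_suites(WPA_OUI, body[4:])
    return found


def classify(found):
    """Map the advertised suites onto a router-style label and a verdict.
    Only WPA2 with AES and nothing else offered counts as acceptable."""
    if not found:
        return "Open or WEP (no WPA/WPA2 element)", False
    ciphers = set()
    for suites in found.values():
        ciphers.add(suites["group"])
        ciphers.update(suites["pairwise"])
    modes = "/".join(m for m in ("WPA", "WPA2") if m in found)
    auth = "PSK" if any("PSK" in s["akm"] for s in found.values()) else "Enterprise"
    cipher_label = "/".join(c for c in ("TKIP", "AES") if c in ciphers) or "unknown"
    return "%s-%s (%s)" % (modes, auth, cipher_label), (modes == "WPA2" and ciphers == {"AES"})


# Constructed beacon tagged parameters: SSID "Home" + RSN IE + WPA IE, as a
# router set to "WPA/WPA2-PSK (TKIP/AES)" mixed mode would send them.
MIXED_MODE_IES = bytes.fromhex(
    "0004" + "486f6d65"                              # SSID "Home"
    + "3018" + "0100" + "000fac02"                   # RSN: version 1, group TKIP
    + "0200" + "000fac04" + "000fac02"               #   pairwise AES, TKIP
    + "0100" + "000fac02" + "0000"                   #   AKM PSK, capabilities
    + "dd1a" + "0050f201" + "0100" + "0050f202"      # WPA: version 1, group TKIP
    + "0200" + "0050f204" + "0050f202"               #   pairwise AES, TKIP
    + "0100" + "0050f202"                            #   AKM PSK
)

# The same router set to "WPA2-PSK (AES)": RSN IE only, AES-CCMP everywhere.
AES_ONLY_IES = bytes.fromhex(
    "0004" + "486f6d65"
    + "3014" + "0100" + "000fac04" + "0100" + "000fac04" + "0100" + "000fac02" + "0000"
)

if __name__ == "__main__":
    for name, ies in (("mixed mode", MIXED_MODE_IES), ("AES only", AES_ONLY_IES)):
        label, ok = classify(parse_security(ies))
        print("%-10s -> %-26s %s" % (name, label, "OK" if ok else "WEAK"))
```

Note the group cipher in the mixed-mode RSN element: it is TKIP, because broadcast and multicast frames have to be readable by every client, including the TKIP-only ones. So in mixed mode even your AES-capable devices receive broadcast traffic protected by TKIP; the weakest client drags the group key down for everyone.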

WPA2 certification has been available since 2004, ten years ago, and has been mandatory since 2006: any device made after 2006 that carries the "Wifi" logo must support WPA2.

Unless your Wifi devices are more than 8-10 years old, select WPA2-PSK (AES) only. Try that setting first; if some device cannot connect, you can change it then. If Wifi security matters to you, replace any device made before 2006.

WPA and TKIP slow down Wifi

The WPA and TKIP compatibility options also slow down the wireless network. Most modern routers support 802.11n or newer, but the 802.11n specification does not allow its high-throughput rates to be used with TKIP (or WEP), so a connection that negotiates TKIP falls back to the 54 Mbps rates of 802.11g. That keeps old devices working, but at the cost of speed.

802.11n reaches its full rate (up to 300 Mbps on a typical two-stream router) only with WPA2 and AES. In theory, 802.11ac goes up to 3.46 Gbps under ideal conditions. On most routers the options are WEP, WPA (TKIP) and WPA2 (AES), sometimes plus WPA (TKIP) + WPA2 (AES).

If your router offers WPA2 with a choice of TKIP or AES, choose AES. Almost every device will work with it, and it is both faster and safer.
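The same choice written as an access-point configuration, as an added example rather than anything from the original page: the weak mixed-mode setting beside the corrected WPA2-AES-only setting, in the format of hostapd (the open-source access-point daemon built into many routers). The interface name, SSID and passphrase are placeholders.

```ini
# --- Weak: what "WPA/WPA2-PSK (TKIP/AES)" mixed mode means to hostapd ---
interface=wlan0
ssid=Home
hw_mode=g
channel=6
ieee80211n=1
# wpa: bit 0 = WPA, bit 1 = WPA2; 3 enables both
wpa=3
wpa_key_mgmt=WPA-PSK
# WPA clients may negotiate TKIP ...
wpa_pairwise=TKIP CCMP
# ... and so may WPA2 clients; with TKIP allowed anywhere, the group
# (broadcast) key is TKIP for every client on the network
rsn_pairwise=TKIP CCMP
wpa_passphrase=replace-with-a-long-random-passphrase

# --- Corrected: "WPA2-PSK (AES)" only; the lines above it stay the same ---
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=replace-with-a-long-random-passphrase
```

With the corrected settings a TKIP-only device simply fails to associate, which is the check suggested above: try AES only, and only if something does not connect decide whether that device is worth weakening the whole network for. In the mixed configuration, a client that negotiates TKIP is also held to the legacy 802.11g rates described in the previous section.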