WPA2 Encryption Basics

Wired Equivalent Privacy (WEP) uses a naive encryption design that has become virtually useless. WEP was supplanted by WiFi Protected Access (WPA). WPA was found to be too weak as well, and it has been supplanted in turn by WiFi Protected Access 2 (WPA2), which seems to be strong enough for now. ;-)

Windows 7, Vista and Windows XP SP3 support WPA2. Windows XP SP2 supports WPA2 too, but requires the Wireless Client Update [update KB893357 at Microsoft’s Download Center (support.microsoft.com)].

Encryption and keys

Encryption scrambles messages so that an opponent or attacker who intercepts them cannot read them. Most encryption is based on encryption keys, which are merely secret values used to scramble and unscramble the message. Strong encryption requires strong keys.

WPA2-PSK (Preshared Key) is the strongest and most practical form of WPA for most home users. WPA2 is more secure than WPA because it encrypts packets with the much stronger AES (Advanced Encryption Standard) cipher instead of the RC4-based TKIP. [Smart Computing]

The encryption key may be entered either as a passphrase of 8 to 63 printable ASCII characters or directly as 64 hexadecimal digits. The hexadecimal form is the full 256-bit key itself: 64 hex digits multiplied by 4 bits per digit yields 256 bits. A passphrase, by contrast, is converted into that 256-bit key by the router and each client.

To protect against current brute force attacks, a truly random passphrase of at least 20 characters should be used, and 33 characters or more is recommended. But, pre-shared keys are usually configured only once, and users don't need to enter them every time. You might as well use the strongest possible encryption key. :-)

Your SSID (wireless network name)

The SSID is the weak spot in WPA2-PSK's design and the starting point for attackers. It is broadcast in the clear, and it is mixed in as the salt when your passphrase is converted into the 256-bit encryption key, so precomputed (rainbow) tables of keys for common network names and common passphrases are widely available. If your SSID is one of those common names and your passphrase is weak, your key can simply be looked up. The more random your network name, the better. Treat your WiFi network name as you would a password. Make it complex and avoid using any whole words. The maximum length for an SSID is 32 characters.

I use something like "ASZumFY2J6JeIbpv8xNWVRqmY8SDF8AX" (without quote marks) for my SSID. You can use one of the key generators below to generate your own random SSID. Just trim it back to 32 characters, and you'll have a very strong one.

Preshared key generators

Use these to create 32 character SSIDs too.

Examples:

63 random printable ASCII characters:
ZCTf}xc1ag.n~](j;&:6DrfE7!!ntd[B5v^}m@hJ_?bkKewh#C_~g2wCPD:6>sX

64 random hexadecimal characters (0-9 and A-F):
537A2806E97D20C2689C2CE1F1F3E7D8A6363FFF908BCDCF8F4955BA07B3A993
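As an added illustration (not one of the generators linked above), the script below produces the three kinds of values this page talks about (a 63-character ASCII passphrase, a 64-hex-digit key, a 32-character SSID) and shows how a passphrase is turned into the 256-bit key: WPA2-PSK uses PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 rounds, which is exactly why rainbow tables are SSID-specific. The function and variable names are my own.

```python
import hashlib
import secrets
import string

# WPA2-PSK passphrase-to-key parameters from IEEE 802.11i:
# PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256-bit (32-byte) output.
PBKDF2_ROUNDS = 4096
PSK_BYTES = 32
ASCII_PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def random_passphrase(length=63):
    """Random printable-ASCII passphrase; WPA2 allows 8 to 63 characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    return "".join(secrets.choice(ASCII_PRINTABLE) for _ in range(length))


def random_hex_key():
    """64 hex digits = 32 bytes = the raw 256-bit key, no derivation involved."""
    return secrets.token_hex(PSK_BYTES).upper()


def random_ssid(length=32):
    """Random alphanumeric SSID; 32 characters is the maximum."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_psk(passphrase, ssid):
    """Passphrase + SSID -> 256-bit key as 64 hex digits (the SSID is the salt)."""
    raw = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                              PBKDF2_ROUNDS, PSK_BYTES)
    return raw.hex().upper()


def parse_key(key, ssid):
    """Accept either form a router takes and return the 256-bit key as hex.
    No ambiguity: a passphrase is at most 63 chars, a hex key is exactly 64."""
    if len(key) == 64 and all(c in string.hexdigits for c in key):
        return key.upper()
    if 8 <= len(key) <= 63 and all(c in ASCII_PRINTABLE for c in key):
        return derive_psk(key, ssid)
    raise ValueError("key must be 8-63 printable ASCII chars or 64 hex digits")


if __name__ == "__main__":
    # Same passphrase, different SSIDs: different keys, so a precomputed
    # table for one network name is useless against another.
    print(derive_psk("password", "IEEE"))
    print(derive_psk("password", "ieee"))
```

Running it with the IEEE 802.11i test vector (passphrase "password", SSID "IEEE") prints the key starting F42C6FC5..., and changing only the SSID's case gives an entirely different key.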

Questions and answers

What is TKIP?
TKIP (Temporal Key Integrity Protocol) is a backwards-compatible protocol for legacy equipment or handheld devices that cannot support the stronger AES, the most advanced encryption option. Some routers (Linksys) can operate in a dual TKIP/AES mode. However... It is probably best to select AES alone, not the combined mode, as there may be vulnerabilities due to the backward-compatibility provisions in TKIP.
