Cryptic Encryption: Making sense of WiFi security standards

I few weeks back, I revamped my home network to deal with a flakey router and what proved to be flakey firmware on an otherwise solid pair of wireless router/access points.

The flakey router was removed, and “HyperWRT firmware”:http://www.hyperwrt.org was installed on the Linksys WRT54G router/access points. One of them was configured to serve as my internet firewall/router. Both “were configured for WDS”:http://www.linksysinfo.org/modules.php?name=Forums&file=viewtopic&t=2946 to allow the 2nd device to provide access for a wired PC in the living room and extend the range of the wireless network.

Everything worked well, much better than before, but in the back of my brain, I was nagged by the fact that my network was only secured by the “increacingly vulnerable WEP standard”:http://www.tomsnetworking.com/Sections-article120.php. Even worse, the new firmware seemed to offer an alternative by offering support for the more secure WPA standards.

Unforutnately, my first foray broke my link to the living room. I configured both WRT54Gs to use WPA Preshared Keys with TKIP. The result was that my laptop wouldn’t connect and my WDS link would fail after a small amount of time. The laptop problem was fixed by updating the driver.

The WDS problem was stickier. I learned that the overlap between TKIP and WDS is underspecified. There are some solutions to the problem, but it wasn’t clear to me what they were. There were some reports of getting wds to work with AES instead of TKIP, but when I first tried it, it failed.

This morning though, when I was going to roll everything back to WEP, I noticed that everything seemed to be working. After some investigation, it seems that the AES option is shorthand for an even more recent set of protocols that make up the WPA2 standard. It specifies both a method of authentication and key management that goes beyond TKIP while interoperating with WDS. In addition, it uses the AES encryption standard, which is more secure than the standard used by WEP and WPA/TKIP.

The only downside is that AES is more computationally intensive. The result is that my older hardware is an even bigger bottleneck than before. With WEP I was able to use about 50% of the theoretical 54 Mbps offered by 802.11g. With WPA and AES, I can only use about 25%.

*Update:* It appears I am wrong about the throughput. The Broadcom chipset used in the WRT54G has a hardware encryption accelerator and various reviewers report no obvious penalty for using AES. I even tried myself, by temporarily disabling encryption and transferring the same large file as before. I didn’t see any difference either. It looks like real-world bandwidth for 802.11g is ~11-25 Mbps, which is about what I was seeing.

Bummer. I guess I’ll have to keep an eye out for when 802.11n gear gets cheap. That, or finish running Cat5 between my office and living room as I set out to do last fall.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.