October 6, 2009 1:55 PM
Fast Wi-Fi's little secret - you have to turn on WPA2 encryption
by John Dunn
Here's what most people know about 802.11n high-speed Wi-Fi: it offers much higher throughput and signal stability over greater distances. Now the bit that hasn't yet sunk in for many: getting that throughput could mean changing the type of encryption used.
It dawned on me some weeks back when I was asked by a small business user to troubleshoot an 802.11n router that would not connect to a new n-class laptop at better than 802.11g level, or 54Mbit/s to the rest of us, despite the advertised 300Mbit/s capability.
There was no problem with drivers, channel used, MAC filtering security or the distance between the AP and laptop, so what was going on? It was operating in mixed-mode b/g/n, but that should make no significant difference as the standard is backwards compatible and can support multiple clients in different modes.
Pondering that the only variable left was security it hit me; the client was set up to connect using basic WPA encryption with TKIP, the commonest setting on most 802.11g access points (APs) for reasons that probably have to do with the relative complexity of setting up anything more sophisticated on older consumer models. When upgrading the router to n, the small business concerned had simply replicated the 802.11g-level security to the new box.
Not enough has been done to explain that 802.11n was designed quite consciously to upgrade security to at least WPA2 level with 128-bit AES encryption (see 802.11i), and that not doing this would, in effect, limit throughput to ‘g' levels for anyone not using it.
The basis of this is technical. The 802.11n standard defines security as WPA2 or above, but includes support for older forms of security only to allow backwards compatibility, which is to say at lower throughputs. It doesn't process TKIP at all to the best of my knowledge, although some clients will sometimes, dubiously, report higher throughputs even when using plain WPA.
Curiously, the other way to get full throughputs on 802.11n kit is to turn off encryption altogether, but this is more of a basic convenience for unpaired devices than a serious operating mode.
I wouldn't be surprised if many people have bought 802.11n products and simply hitched them together using WPA (or even WEP) without realising that they are still getting ‘g' level performance as a result. How many people would even know how to check?
On new hardware, WPA2 is no great hurdle and befuddled users can always resort to Wi-Fi protected setup (WPS), which allows a PIN number to be exchanged during an enrolling process in order to set up an encrypted link between AP and client. Larger businesses will (or should) be using WPA2 -Enterprise, which requires an authentication server an extra layer, so WPS alone won't be enough.
One other thing. With all new wireless adaptors, because users will have to change the AP to WPA2 to get full performance, this turns the WLAN into a WPA2-only network. WPA2 has been a requirement of all certified wireless hardware since 2006, but any clients unable to supprt it will no longer be able to use the WLAN at all, at any speed. So it goes.
Email
Print
Comment
Contact Us
Subscribe to this blog
You must be logged in to post a comment.