• This should be a simple question but seems to be a debatable one depending on who you ask or where you look.

    1. What Encryption methods are supported with WPA?
    2. What Encryption methods are supported with WPA?

    I will post my findings from different sources after I get an unbiased response!

  • Hi S:

    WPA and WPA2 are brands of the Wi-Fi Alliance used to sell products.

    WPA means "the device in this box supports WEP and TKIP."

    WPA2 means "the device in this box supports WEP, TKIP, and CCMP."

    In practice WPA and WPA2 have also been used to describe a configuration choice for a given device, such as "Please choose one of the following cipher suites: none, WEP-40, WEP-104, WPA (TKIP), or WPA2 (CCMP)."

    I hope this helps. Can you add your location to your forum profile? Thanks. /criss

  • Thanks for your reply Criss. The reasons for me asking this question are two-fold.

    1. I work in an industry where standards rule, so need to ensure a system is 'WPA2' compliant if requested to be so.
    2. I plan to take the CWNA and CWSP soon so want to know what the official answer is.

    Now, the reason for my confusion is the following bits of info I have found within the CWNA course material and the wi-fi alliance website:

    1. wi-fi alliance say: "WPA2 provides data encryption via the AES. In contrast, WPA uses Temporal Key Integrity Protocol (TKIP). " - This is found in the FAQ section.

    2. The CWNA 3rd edition Studay guide page 440 says "WPA supports two types of encryption: TKIP and AES"

    3. The CWNA Courseware v3 says WPA supports TKIP and WPA2 uses AES but also support TKIP.

    Surely all of these statements cannot be correct! A follow on question from this is: Is WPA2 with TKIP the same as WPA with TKIP?

    Any clarity on this would be much appreciated.

  • Hi S:

    The CWNAv3 study guide was published just when the Wi-Fi Alliance was redefining what they meant by WPA and creating the companion brand WPA2. I don't have a copy at hand to comment on the particulars.

    More people are familiar with the encryption algorithm acronym AES than with the cipher suite acronym CCMP. CCMP is based on AES. The other three IEEE 802.11 cipher suites are based on RC4.

    Remember, WPA and WPA2 are officially Wi-Fi Alliance brands for selling product. In this sense they are neither cipher suites nor encryption algorithms; each is a list of crypto capabilities in a branded product and a promise of multi-vendor interoperability.

    Cipher Suite - Encryption Algorithm - WPA - WPA2
    WEP-40 ------ RC4 --------------------- yes - yes
    WEP-104 ----- RC4 --------------------- yes - yes
    TKIP ---------- RC4 --------------------- yes - yes
    CCMP --------- AES --------------------- no - yes

    Sorry about the lack of formating. You have to imagine the four columns.

    So your three bits of info are all correct, even bit number 2 when taken in the context of when it was written.

    When answering exam questions I recommend you first decide if the question is speaking of brands which support multiple configuration choices as above, or of the configuration choices themselves. In this later popular sense, sanctioned as well by the Wi-Fi Alliance despite the confusion it creates, TKIP/RC4=WPA while CCMP/AES=WPA2.

    I hope this helps. Thanks. /criss

  • Hi S:

    CWNAv3 study guide page 440, third paragraph, first sentence, would be better if it read: "WPA branded devices support three IEEE 802.11 cipher suites -- WEP-40, WEP-104, and TKIP. All are based on the RC4 encryption algorithm."

    This catches the sentence up with both the Wi-Fi Alliance, which redefined what it meant by WPA, and the IEEE 802.11i amendment, which redefined WEP as WEP-40 and standardized the use of longer WEP keys with WEP-104 (while at the same time deprecating the use of WEP!).

    There are other security related details in the text harder to improve without a larger rewrite. I am eager to find that the just released CWSPv2 (security) study guide is perfect in every detail! Let's buy a copy and see.

    I hope this helps. Thanks. /criss

  • Hi all,

    I have small query regarding WPA/WPA2.

    If WPA does not/should not support AES/CCMP, then why do we have AES as an encryption option with WPA in WZC ( Windows XP and Server 2003)??

    The cable guy article by Microsoft at says

    AES Support

    WPA defines the use of AES as an additional optional replacement for WEP encryption. Because adding AES support through a firmware update might not be possible for existing wireless equipment, support for AES on wireless network adapters and wireless APs is not required.

    Any comment on the same??


  • Many Wi-Fi devices support WPA with AES, but they are all proprietary implementations. Since the Wi-Fi Alliance never specified the use of AES in WPA, any use of it in this capacity is uncertified by the Wi-Fi Alliance for compatibility.


  • Hi Himanshu:

    Good question.

    WPA is a trademark of the Wi-Fi Alliance. They are at liberty to define it, and to redefine it as they see fit. And they have.

    The enduring meaning is "trust us, this product is worth buying."

    Another early meaning was "buy this product - it is much better than WEP."

    A later meaning has been "ok, but you should really be buying WPA2."

    At the moment Wi-Fi Alliance lists 1500 legacy products that are branded WPA and 536 newer products that are branded WPA2.

    I imagine eventually there will be no Wi-Fi products on the shelves that need a brand distinction between WPA and WPA2. They will all contain chipsets that offer all the cipher suites defined by IEEE 802.11 as amended by 802.11i and they will all be "interoperable". Of course all the legacy stuff will still be in the field.

    All of the above is about branding and selling products. The Alliance has also sanctioned, and some vendors have adopted, the use of "WPA" and "WPA2" to mean configuration choices equivalent to "TKIP/RC4" and "CCMP/AES". However, many vendors have gone their own way naming their own configuration choices. Thus every version of every configuration utility may give its own meaning to all the familiar acronyms used above. Confusing? Yes.

    I hope this helps. Thanks. /criss

  • By (Deleted User)

    Criss, that was the "polite"-tically correct way of summing it up. No Protection Mechanisms needed.

    So, when is 802.11w going to be implemented...?

  • Thanks Devin, Criss for explaining the business aspect of my query.

Page 1 of 2