2008-06-26


Configure the access point with only WPA2 and CCMP. WPA2 may be referred to as "IEEE 802.11i". CCMP includes AES encryption, so CCMP may be referred to as "AES". Don't configure support for the older TKIP encryption. Don't configure support for WPA or WEP or Open (no security at all).

A home network will want to use pre-shared keys. This is also called "WPA2-Personal". The resistance of WPA2-PSK to attack depends entirely on the ability of the pre-shared key to resist a dictionary attack: that is, how random the key is and how long the key is.

How long is needed? Each character gives about 2.5 bits of binary key. You want something more than 33 characters (90 bits) and probably more than 50 characters (128 bits). That's a lot of typing which needs to be exactly right. Cut-and-paste from a USB stick seems to be called for.

How random is needed? Really random. To make life easy, grab it from Linux's /dev/random. This has issues, but not nearly as many as a human attempt to write a random string:

pwgen -s 50 1
icvxgsQI8TdyECJcVWrpmB1djkz2UIdIqrj0trwabcxMAc50Nw

The biggest hurdle moving to WPA2 has been backward compatibility. That now doesn't seem to be a problem. Microsoft have shipped WPA2-PSK support as part of Service Pack 3 for Windows XP. There is a specific download for WPA2 support in Windows XP SP2. Linux's Network Manager and wpa_supplicant support WPA2-PSK, as do nearly all device drivers. Even pre-WPA2 chipsets seem to have support, but with the AES encryption done in software. Apple support WPA2.

You need to watch older access points, as these will do AES in software. There's a lot of headroom in PC CPUs, but none at all in access point CPUs. So activating WPA2 on an access point which lacks hardware encryption can really hurt throughput. Of course, some mongrel stealing your Internet bandwidth also hurts performance :-)

Whilst reconfiguring your access point you may want to consider if you have any 802.11b devices. If not, you might configure only 802.11g to gain additional performance from some protocol enhancements made for 802.11g which are disabled when being backwardly compatible.

Verify correct operation by checking the ESSID broadcast. There is only one "IE" and it is "WPA2" (and not additionally "WPA" or "WEP"). There is only one "Cipher" and it is "CCMP" (and not "TKIP").

iwlist eth1 scan
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"example"
                    Mode:Master
                    Frequency:2.462 GHz (Channel 11)
                    Quality=37/70  Signal level=-58 dBm  Noise level=-95 dBm
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
                              24 Mb/s; 36 Mb/s; 54 Mb/s; 6 Mb/s; 9 Mb/s
                              12 Mb/s; 48 Mb/s
                    Extra:bcn_int=100
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
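A small script to automate that check, added here as an example and not part of the original post: it splits `iwlist` scan output into cells (the sample below is constructed, not a real capture) and reports anything that is not a single WPA2 IE with CCMP as the only cipher and PSK authentication, treating "Encryption key:on" with no IE as WEP and "Encryption key:off" as Open.

```python
import re

# Constructed sample of `iwlist eth1 scan` output (not a real capture): "example"
# is set up as the post recommends, "mixed" still advertises WPA and TKIP as well.
SAMPLE_SCAN = """\
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"example"
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
          Cell 02 - Address: 00:11:22:33:44:66
                    ESSID:"mixed"
                    Encryption key:on
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : TKIP CCMP
                        Authentication Suites (1) : PSK
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (2) : TKIP CCMP
                        Authentication Suites (1) : PSK
"""

def check_scan(text, essid):
    """Problems for one ESSID (want exactly one IE: WPA2, CCMP only, PSK); [] = OK, None = ESSID not seen."""
    for cell in re.split(r"^\s*Cell \d+ - ", text, flags=re.M)[1:]:
        if 'ESSID:"%s"' % essid not in cell:
            continue
        ies = re.split(r"^\s*IE: ", cell, flags=re.M)[1:]  # one chunk per IE line
        problems = []
        if not ies:  # no WPA/WPA2 IE at all: WEP if a key is on, otherwise Open
            enc = re.search(r"Encryption key:(\w+)", cell)
            problems.append("no WPA/WPA2 IE: " + ("WEP" if enc and enc.group(1) == "on" else "Open"))
        elif len(ies) != 1:
            problems.append("%d IEs advertised, want WPA2 only" % len(ies))
        for ie in ies:
            name = ie.splitlines()[0].strip()  # e.g. "IEEE 802.11i/WPA2 Version 1"
            if "WPA2" not in name:
                problems.append("non-WPA2 IE: " + name)
            for label, want in (("Group Cipher", ["CCMP"]), ("Pairwise Ciphers", ["CCMP"]),
                                ("Authentication Suites", ["PSK"])):
                # tokens after "label (n) :", e.g. ['TKIP', 'CCMP']; [] if the line is absent
                m = re.search(re.escape(label) + r"[^:\n]*:[ \t]*(.*)", ie)
                got = m.group(1).split() if m else []
                if got != want:
                    problems.append("%s: %s %s, want %s" % (name, label, got, want))
        return problems
    return None
```

Feed it the real output of `iwlist eth1 scan` and your own ESSID; an empty list means the access point advertises exactly what the post asks for.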

Once you've got the access protected a lot of the "raising the bar" techniques that were needed when insecure WEP was the only choice can be removed. Broadcast the SSID, allow any MAC address, and so on. This gives a payoff in convenience in return for the inconvenience of entering the long, random WPA2-PSK key.

Glen Turner