TKIP and CCMP – CompTIA Security+ SY0-401: 1.5


The TKIP and CCMP protocols have been an important part of our wireless key management and encryption technologies. In this video, you’ll learn how TKIP and CCMP relates to WPA and WPA2 wireless encryption.

<< Previous Video: SSID ManagementNext: Wireless Power and Antenna Placement >>


In this video, we’re going to talk about the technologies used for encryption on wireless networks. Specifically on networks using WPA, WPA2, and WPA2-enterprise. WPA stands for Wi-Fi Protected Access.

And you’ll notice we’re not going to talk about WEP, which stands for Wired Equivalent Privacy. The older WEP encryption that was used on wireless networks was found to have some cryptographic flaws, and therefore you should not– and certainly probably won’t– see WEP used on today’s modern wireless networks.

We’re going to focus on two types of technologies used in WPA. The first one we’ll talk about is TKIP. That stands for Temporal Key Integrity Protocol. TKIP was built to rotate keys around so that there would not be the same problems we ran into with encryption with the WEP protocol. And TKIP was also something that made sure that there would be something unique about each one of these encryption keys.

The other technology that we’ll talk about is the one we commonly see with WPA2 today, and that is AES that is used in conjunction with CCMP. AES is the Advanced Encryption Standard algorithm that’s doing a lot of the encryption. And it’s combined with CCMP, which is Counter Mode with Cypher Block Chaining Message Authentication Code Protocol. We hardly call it that because it’s so many words. You most often see it referred to when you’re setting up your wireless network as WPA2 and in parentheses it might have TKIP or it might say AES and CCMP.

When we ran into the cryptographic problems with the WEP protocol, we needed something to fill the gaps, And so we created TKIP. This allowed us to make those 802.11 networks more secure without worrying about the cryptographic problems that we had with WEP. One of the keys with TKIP is that it makes the keys together. It took this secret root key and mixed it with the initialization vector. And this made the key much more secure because it was constantly changing.

Another nice edition of TKIP is that it includes sequence counters. This is useful to avoid replay attacks. In a replay attack, someone can record the information going over the network and then replay it again to gain access. Instead of having you there, they would pretend that they were you because they were replaying your previous content. Well, with a sequence counter, you can’t replay content because it would still have the old counter numbers inside of it. So this was one way to make sure that no one could record that and then use that information later.

TKIP also implemented a 64-bit message integrity check. This meant that information could not be changed somewhere in the middle of the conversation. This is a big problem if you’re worried about a man-in-the-middle attack where someone would receive information, modify that information, and then send it on to you. With the message integrity check, you can be assured that the original information is still intact when it gets to you.

We see TKIP being used with the WPA encryption protocol. This was the stop gap between WEP and WPA2. With the WPA2, we chose to go a different route with encryption. That different route with encryption implemented CCMP, the Counter Mode with Cypher Block Chaining Message Authentication Code Protocol. This is what replaced TKIP when the final WPA2 implementation was released. This was a more advanced encryption standard. It had a larger key size, it had a larger block size to be able to do the encryption, and it used a lot more computing resources. It used encryption algorithms that required more CPU usage. And we usually solve out this time frame that many people had to upgrade their wireless hardware to be able to implement WPA2. These days, our hardware is up to date and we generally see WPA2 used on all of our wireless devices.

There were some nice capabilities added with CCMP. One of them was data confidentiality, where only certain people that were authorized to receive information across the network could receive that data. There’s also authentication enabled within CCMP, so you can be assured that the user on the network really is the genuine user. There’s also access control implemented within CCMP. So we were able to allow or disallow access to the network based on your credentials.

If you’re working with some older hardware, you may see that it only supports WPA and not WPA2, and therefore would only be supporting TKIP. On newer access points and wireless devices, you may see those supporting WPA2, which of course would be supporting CCMP and AES. And you may see on the newer devices that there might be options to support some of the older hardware, so you may also be able to even configure the newer hardware to simply use WPA. But as our older hardware is phased out, these days we tend to always use WPA2, which means we’re going to be using CCMP in combination with AES.