What does WPA/WPA2 really encrypt?
Solution 1:
WPA (and WPA2) encrypts traffic below the level that Wireshark or similar tools capture. Those tools capture at the operating system's socket interface, not at the level of the actual network media. When you send a packet over WPA-protected WiFi, the WPA encryption isn't added until the last moment before the data is broadcast.
There might still be other encryption - for example, I could apply PGP encryption to an email and send it to an SMTP server over TLS, which would be two levels of encryption... but those levels would be visible to (and, indeed, created by) the application (such as my email client). Somebody sniffing that traffic would still be able to see things like what protocol it's using (TCP, on top of IP), what port it comes from and is routing to, the destination IP address, and so on.
However, once the packet reaches the WiFi interface driver, it gets encrypted with the AES key that my machine is using for WPA. At that point, about the only things visible are the network SSID that I'm using (I think the source and destination MAC addresses may also be visible) and a vague idea of the size. Somebody without the WiFi key sniffing the network traffic using software-defined radio or a WiFi card in promiscuous mode wouldn't be able to tell the difference between my email and me sending a network ping or chatting on Skype; they wouldn't even be able to tell where the packets were going beyond the WiFi access point.
Solution 2:
What WPA-Personal (aka WPA-PSK) does is encrypt the packets that go on the air, so that people who aren't connected to this network can't read your messages (and WEP did the same in this respect, by the way, it just did it in a different way, which suffered from a serious hole). It additionally tries to make it difficult/impossible to connect to the network without knowing the secret password.
Without this encryption (e.g. on open networks), anyone can read all the packets that are being exchanged, without even being "connected" to the network: they just need to be close enough to "hear" the signal.
If you think of a foreign language as a kind of encryption, WPA is a bit like the situation where all machines connected to this WPA network speak their very own language which only the AP also understands. So, machines not connected to the network can't understand anything (other than witness that some communication is taking place between the machines and the AP) and those that are connected to this network can only talk to each other by communicating via the AP.
Solution 3:
As described here, the encryption is done at Layer 2 right after the MAC address (frame payload), so to see the encrypted traffic you have to use a device with sniffing capabilities at L2 and try to read the packet you sniffed.
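What Solutions 1 and 3 describe, as an added example that is not part of any answer above: a parser that splits a raw 802.11 data frame into the header fields a keyless observer can read and the part that is only ciphertext. It assumes CCMP (WPA2-AES) framing and a frame with no radiotap header or FCS; `parse_data_frame`, `ROLES` and the sample bytes are constructed for illustration.

```python
import struct

# Meaning of Address 1..3 for each (ToDS, FromDS) combination.
ROLES = {(0, 0): ("dst", "src", "bssid"), (1, 0): ("bssid", "src", "dst"),
         (0, 1): ("dst", "bssid", "src"), (1, 1): ("receiver", "transmitter", "dst")}

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_data_frame(frame: bytes) -> dict:
    """Split an 802.11 data frame (no radiotap header, no FCS) into the
    fields a keyless observer can read and the part that is ciphertext."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte MAC header")
    (fc,) = struct.unpack_from("<H", frame, 0)       # Frame Control, little-endian
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    out = {"protected": bool(fc & 0x4000)}           # Protected Frame bit
    for i, role in enumerate(ROLES[(to_ds, from_ds)]):
        out[role] = mac(frame[4 + 6 * i:10 + 6 * i])  # addresses are never encrypted
    off = 24 + (6 if to_ds and from_ds else 0)       # optional Address 4
    if (fc >> 4) & 0x8:                              # QoS data subtypes
        off += 2 + (4 if fc & 0x8000 else 0)         # QoS Control (+ HT Control)
    if not out["protected"]:
        out["cleartext_payload"] = frame[off:]       # open network: LLC/IP readable
        return out
    if len(frame) < off + 16:
        raise ValueError("truncated: no room for CCMP header and MIC")
    hdr = frame[off:off + 8]                         # PN0 PN1 rsvd keyid PN2..PN5
    if not hdr[3] & 0x20:
        raise ValueError("ExtIV bit clear: not a CCMP header")
    out["key_id"] = hdr[3] >> 6
    out["packet_number"] = int.from_bytes(hdr[7:3:-1] + hdr[1::-1], "big")
    out["ciphertext_len"] = len(frame) - off - 16    # excludes the 8-byte MIC
    return out

# Constructed sample: QoS Data, ToDS=1, Protected=1, locally administered MACs,
# PN=1, key ID 0, then 40 opaque bytes standing in for ciphertext + MIC.
SAMPLE = bytes.fromhex(
    "8841" "2c00"
    "020000000001" "020000000002" "020000000003"
    "1000" "0000"
    "0100002000000000") + bytes(range(40))

if __name__ == "__main__":
    print(parse_data_frame(SAMPLE))
```

Everything the function returns for a protected frame comes from unencrypted header bytes; the IP addresses, ports and application protocol sit inside the bytes counted by `ciphertext_len`.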
Solution 4:
What is the key difference between WPA2-PSK (TKIP), WPA2-PSK (AES), and WPA2-PSK (TKIP/AES)
Source: Wi-Fi Security: Should You Use WPA2-AES, WPA2-TKIP, or Both?
TKIP and AES are two different types of encryption that can be used by a Wi-Fi network. TKIP stands for “Temporal Key Integrity Protocol.” It was a stopgap encryption protocol introduced with WPA to replace the very-insecure WEP encryption at the time. TKIP is actually quite similar to WEP encryption. TKIP is no longer considered secure, and is now deprecated. In other words, you shouldn’t be using it.
AES stands for “Advanced Encryption Standard.” This was a more secure encryption protocol introduced with WPA2, which replaced the interim WPA standard. AES isn’t some creaky standard developed specifically for Wi-Fi networks; it’s a serious worldwide encryption standard that’s even been adopted by the US government. For example, when you encrypt a hard drive with TrueCrypt, it can use AES encryption for that. AES is generally considered quite secure, and the main weaknesses would be brute-force attacks (prevented by using a strong passphrase) and security weaknesses in other aspects of WPA2.
In summary, TKIP is an older encryption standard used by the old WPA standard. AES is a newer Wi-Fi encryption solution used by the new-and-secure WPA2 standard. In theory, that’s the end of it. But, depending on your router, just choosing WPA2 may not be good enough.
While WPA2 is supposed to use AES for optimal security, it also has the option to use TKIP for backward compatibility with legacy devices. In such a state, devices that support WPA2 will connect with WPA2 and devices that support WPA will connect with WPA. So “WPA2” doesn’t always mean WPA2-AES. However, on devices without a visible “TKIP” or “AES” option, WPA2 is generally synonymous with WPA2-AES.
What's the best solution for a home / work network? Thanks.
It's all covered in the rest of the above article:
On most routers we’ve seen, the options are generally WEP, WPA (TKIP), and WPA2 (AES) — with perhaps a WPA (TKIP) + WPA2 (AES) compatibility mode thrown in for good measure.
If you do have an odd sort of router that offers WPA2 in either TKIP or AES flavors, choose AES. Almost all your devices will certainly work with it, and it’s faster and more secure. It’s an easy choice, as long as you can remember AES is the good one.