
What are WPA-PSK/WPA2-PSK, TKIP and AES? | Understanding types of internet encryption

The security algorithms and encryption specifications your Wi-Fi network uses largely determine how fast and how secure it is.

That's why it's vitally important that you know what they are, what they stand for, and exactly what they do. 

 

Terminology

In articles about network security, the terms 'protocol', 'standard', 'certification' and 'program' are often used interchangeably when talking about encryption. What one source, website, or individual refers to as a 'protocol', for instance, might be referred to as a 'standard' elsewhere.

The first things we examine below are certification programs. WPA, WPA2, and WPA3 are the three wireless network certification programs we'll be discussing in this article. These are occasionally referred to as encryption standards themselves. 

Certification programs – in this case for Wi-Fi networks – use encryption protocols to secure data transmitted over a given Wi-Fi connection. An example would be TKIP, the Temporal Key Integrity Protocol. How encryption protocols encrypt data is determined by ciphers, which are essentially just algorithms that shape the process. An example of this is AES (which, confusingly, stands for Advanced Encryption Standard). 

Authentication methods or mechanisms, such as a Pre-Shared Key (PSK), are used to verify wireless clients. A PSK is essentially just a string of characters; in cryptography this is called a 'shared secret' – a piece of data known only to the entities involved in the secure communication it is being used for. An example of a PSK would be a Wi-Fi password, which can be up to 63 characters and usually initiates the encryption process.
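As an added illustration (not code from the original article), this is how WPA/WPA2-Personal turn the Wi-Fi passphrase into the 256-bit key that the rest of the encryption process is built on: PBKDF2-HMAC-SHA1, 4096 iterations, salted with the network name (SSID). The passphrase and SSID values are constructed samples; the "password"/"IEEE" pair is a published IEEE 802.11 test vector.

```python
import hashlib

# WPA/WPA2-Personal derive a 256-bit Pairwise Master Key (PMK) from the
# passphrase with PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID.
# The slow derivation only makes guessing more expensive: the PMK is never
# stronger than the passphrase, and every client on the network shares it.
PBKDF2_ITERATIONS = 4096
PMK_LENGTH_BYTES = 32  # 256 bits


def validate_passphrase(passphrase: str) -> None:
    """Apply the WPA-Personal passphrase rules: 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must contain only printable ASCII")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK for this passphrase on this network."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        dklen=PMK_LENGTH_BYTES,
    )


def pmk_is_unique_per_network(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when one passphrase yields different keys on two differently named networks."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # Constructed sample: "password" on a network called "IEEE" (a published
    # IEEE 802.11 test vector), then the same passphrase on another SSID.
    print(derive_pmk("password", "IEEE").hex())
    print(pmk_is_unique_per_network("password", "IEEE", "HomeNet"))
```

Because the SSID is the salt, a common network name makes precomputation cheaper; the passphrase length and randomness remain the only real defence.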

Security certification programs

All networks need security programs, certifications, and protocols to keep the devices and users on the network safe. For wireless networks, a number of security certification programs have been developed, including WPA and WPA2. 

Wired Equivalent Protection (WEP)

WEP was the original wireless network security algorithm and, as you can probably tell from the name, was designed to give a wireless network the security of a wired one. WEP uses the RC4 cipher. However, WEP isn't very secure at all, which is why it's no longer commonly used and is wholly obsolete compared to later protocols. Everyone on the network shares the same key – a form of static encryption – which means everyone is put in harm's way if one client is compromised.

Wi-Fi Protected Access (WPA)

WPA is a more modern and more secure certification program for wireless networks. However, it is still vulnerable to intrusion, and more secure protocols are available. Wireless networks protected by WPA have a pre-shared key (PSK) and use the TKIP protocol – which in turn uses the RC4 cipher – for encryption; this combination is what is meant by WPA-PSK. It is also not the most secure program to use, because making the PSK the cornerstone of the certification process leaves you with similar vulnerabilities to WEP.

Wi-Fi Protected Access 2 (WPA2)

WPA2 is another step up in terms of security and makes use of the Advanced Encryption Standard (AES) cipher for encryption, which is the same cipher the US military uses for a lot of its encryption. TKIP is replaced with CCMP – which is based on AES processing – providing a better standard of encryption. There is both a personal version (which supports CCMP/AES and TKIP/RC4) and an enterprise version (which supports EAP – the Extensible Authentication Protocol – as well as CCMP). See our guide to WPA2 for more information about it.

Wi-Fi Protected Access 3 (WPA3)

WPA3 was developed only within the last three years and isn't yet in widespread use. WPA3 also has Personal and Enterprise options, and is described by the Wi-Fi Alliance as having:

New features to simplify Wi-Fi security, enable more robust authentication, deliver increased cryptographic strength for highly sensitive data markets, and maintain resiliency of mission-critical networks.

Ciphers and protocols

Above, we looked at exactly which certification programs are the most up-to-date, as well as what encryption protocols and ciphers they use to secure wireless networks. Here, we'll briefly run through how they work. 

Ciphers

Ciphers – which, as we mentioned before, determine the process by which data is encrypted – are an important part of securing a wireless network. RC4 – short for Rivest Cipher 4 – is a stream cipher. Stream ciphers encrypt data one bit at a time, using a pseudo-random bit generator to create an 8-bit number. Created back in 1987, RC4 was lauded for its speed and simplicity for many years, but it is now recognized to have several vulnerabilities that leave it open to man-in-the-middle attacks, amongst others.

A vast improvement has come in the form of AES, which stands for Advanced Encryption Standard. AES is a symmetric block cipher. It's symmetric in the sense that a single key is used to both encrypt and decipher the information, and it is classified as a 'block' cipher because it encrypts in blocks of bits instead of bit by bit like a stream cipher. It uses key lengths of 256 bits, which makes it virtually impenetrable to brute-force attacks (with present computing power). AES encryption is the US federal standard for encryption and is considered the strongest widely used form ever created.

Encryption protocols

The Temporal Key Integrity Protocol (TKIP) was designed with WEP's vulnerabilities in mind. WEP used a 64-bit or 128-bit encryption key that had to be entered manually on wireless access points and devices, and the key itself would never change. TKIP, on the other hand, implements a per-packet key: it dynamically creates a new 128-bit key for each data packet.
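To show why the static key of WEP is a problem for a stream cipher such as RC4, and what per-packet keying buys, here is an added example (not code from the original article). The RC4 routine is the real cipher; the per-packet key function is a deliberate simplification that only stands in for TKIP's key mixing, and the packet contents and shared key are constructed sample values.

```python
import hashlib

# RC4 (Rivest Cipher 4), the stream cipher behind WEP and TKIP: expand the key
# into a keystream and XOR it with the data, so one call encrypts and decrypts.
def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm, one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def per_packet_key(base_key: bytes, sequence_number: int) -> bytes:
    """Simplified stand-in for TKIP key mixing (not the real TKIP algorithm):
    hash the shared key together with the packet sequence number so that every
    packet is encrypted under a fresh 128-bit key."""
    return hashlib.sha256(base_key + sequence_number.to_bytes(6, "big")).digest()[:16]


def keystream_reused(key: bytes, p1: bytes, p2: bytes, per_packet: bool) -> bool:
    """Encrypt two packets and report whether they were encrypted under the same keystream.

    With one static key (WEP-style) the XOR of the two ciphertexts equals the XOR of
    the two plaintexts, so the ciphertexts are related exactly as the plaintexts are.
    With a per-packet key (TKIP-style) that equality no longer holds."""
    k1 = per_packet_key(key, 1) if per_packet else key
    k2 = per_packet_key(key, 2) if per_packet else key
    c1, c2 = rc4(k1, p1), rc4(k2, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    # Constructed sample packets under a constructed shared key.
    shared, a, b = b"sharedkey", b"hello world!", b"secret data!"
    print("static key, keystream reused:", keystream_reused(shared, a, b, per_packet=False))
    print("per-packet key, keystream reused:", keystream_reused(shared, a, b, per_packet=True))
```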

The Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) is the step up from TKIP, largely because it uses the AES cipher, whose security-maximizing properties were discussed above.

Different combinations and which is safest?

Below is a rundown of some of the different combinations the wireless networks you regularly connect to might use for their security. 

Option | Description | Safety level
Open Network | This is the kind of network you might find in a café or outside at a tourist spot. It requires no password, which means anyone can connect to the network. | Very Risky
WEP 64/128 | Although WEP 128 is more secure than WEP 64 – it uses a bigger encryption key – these are both old, outdated, and therefore vulnerable. | Very Risky
WPA-PSK (TKIP) | This is a pairing of the older security certification program with an outdated encryption protocol, so it isn't very secure either. | Risky
WPA2-PSK (TKIP) | Using an outdated encryption protocol that isn't secure defeats the purpose of using WPA2, which is a secure Wi-Fi certification program. | Risky
WPA2-PSK (AES) | This is the latest encryption cipher paired with the most up-to-date and secure certification program, combining to make the most secure wireless network option. | Secure

Written by: Aaron Drapkin

After graduating with a philosophy degree from the University of Bristol in 2018, Aaron became a researcher at news digest magazine The Week following a year as editor of satirical website The Whip. Freelancing alongside these roles, his work has appeared in publications such as Vice, Metro, Tablet and New Internationalist, as well as The Week's online edition.
