How can I use AES-256?

Hi everyone,

I am a newbie on OpenWrt and I need to use AES-256. I wonder how I should use it? Should I wait for OpenWrt 19?

What do you want to do with AES-256? Encrypt a file?

I have wireless modules and I need to communicate with AES-256 crypto.

WPA2 with CCMP uses AES, and it is already available on OpenWrt, or did I miss the question?

1 Like

You'll need to be a lot more specific than that. Manufacturer example code and/or protocol definitions would be a good place to start if these devices aren't 802.11 standards-compliant as their only encryption.

1 Like

As others have said, WPA2 with CCMP enforced already uses AES; however, I'm not sure if it's AES-256 vs 128. In any case you need high-quality 32-byte-long keys to make the difference actually relevant. Few people type in 32-character random keys in practice.

It uses 128.

The OP needs to be clearer.

3 Likes

Yes, you're right, but I must use AES-256 :frowning: I wonder, is there any way to use AES-256 on OpenWrt 18? Will OpenWrt 19 have AES-256?

Since it sounds like your devices aren't 802.11-compliant, you'll have to get specs of the protocol from the manufacturer. They likely also supply code examples, which could be the basis of your code to support the protocol.

My WiFi modules are 802.11ac and 802.11n, but I wonder whether OpenWrt 18 can support AES-256. I heard that OpenWrt 19 will have it, but I don't know :frowning:

How do your modules support AES-256? At least as far as I know, only 802.11ac supports AES-256 and GCMP, not 802.11n.

Follow what mac80211 and hostapd support. OpenWrt doesn't write the encryption and protocol portions of the stack.

If you really want AES256, please consider using TLS instead of hacking 802.11.
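Following the advice above to go by what mac80211 and hostapd support, here is an added example (not code from the thread or from the OpenWrt project) that reads the cipher list a mac80211 driver advertises through `iw list`, picks the 256-bit pairwise suites hostapd can request (`GCMP-256`, `CCMP-256`, the names hostapd.conf uses for `rsn_pairwise`), and prints the matching hostapd.conf lines. The `iw list` text embedded in the script is a constructed sample so it runs offline; the `ssid`, `interface` and `wpa_passphrase` lines are deliberately left out. Whether a given build of hostapd, driver and client actually negotiates a 256-bit suite is an assumption you must verify on the hardware, and a client that lacks the suite will not associate.

```sh
#!/bin/sh
# Added example, not from the thread: check which pairwise ciphers a mac80211
# driver advertises (via `iw list`) and emit hostapd.conf lines that request a
# 256-bit AES suite. The iw output below is a CONSTRUCTED sample so the script
# runs offline; on a router pipe the real thing:  iw list | choose_pairwise

SAMPLE_IW_LIST='Wiphy phy0
    Supported Ciphers:
        * WEP40 (00-0f-ac:1)
        * WEP104 (00-0f-ac:5)
        * TKIP (00-0f-ac:2)
        * CCMP-128 (00-0f-ac:4)
        * CCMP-256 (00-0f-ac:10)
        * GCMP-128 (00-0f-ac:8)
        * GCMP-256 (00-0f-ac:9)
        * CMAC (00-0f-ac:6)
    Available Antennas: TX 0 RX 0'

# list_ciphers: read `iw list` text on stdin, print one cipher name per line.
# The list runs from the "Supported Ciphers:" header to the first line that is
# not a "* NAME (suite selector)" entry.
list_ciphers() {
    awk '/Supported Ciphers:/ { inlist = 1; next }
         inlist && $1 == "*" { print $2; next }
         inlist { exit }'
}

# has_cipher NAME: succeed if the iw output on stdin lists NAME exactly
# (so "CCMP" does not match "CCMP-128").
has_cipher() {
    list_ciphers | grep -qx -- "$1"
}

# choose_pairwise: from iw output on stdin, print the rsn_pairwise value to use:
# the 256-bit suites the driver advertises, in hostapd's names, falling back to
# plain CCMP (CCMP-128) when neither is present.
choose_pairwise() {
    ciphers=$(list_ciphers)
    out=""
    for c in GCMP-256 CCMP-256; do
        if printf '%s\n' "$ciphers" | grep -qx -- "$c"; then
            out="$out $c"
        fi
    done
    out=${out# }
    [ -n "$out" ] || out="CCMP"
    printf '%s\n' "$out"
}

# hostapd_fragment PAIRWISE: print hostapd.conf lines for a WPA2-PSK BSS that
# offers only PAIRWISE. With a 256-bit-only list, clients that lack those
# suites cannot associate, which is the caveat raised in the thread.
hostapd_fragment() {
    cat <<EOF
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=$1
EOF
}

# Stand-alone run: decide from the constructed sample and print the fragment.
pairwise=$(printf '%s\n' "$SAMPLE_IW_LIST" | choose_pairwise)
hostapd_fragment "$pairwise"
```

On a real device, run `iw list | choose_pairwise` and compare the result with what the client side advertises before committing the fragment; if the driver only lists `CCMP-128`, the script falls back to `CCMP`, which is the AES-128 mode WPA2 already gives you.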

I think what needs to be clarified here is that there is no standard that uses AES256, and so you have no hope of making it work for WiFi, because even if you can make it work for the access point, there are zero clients that will be able to use it.

WPA3 supports AES192

In truth, AES128 is already overkill. See here:

There are proprietary communications methods that may use AES-256 and may use the same unlicensed bands (at least in the US) as does 802.11. These are generally not compatible with 802.11 hardware and will almost certainly never be supported in software, as most of the processing is done in the hardware.


I'm not sure if there are actually any commercial products implementing AES-256 in the context of 802.11ac, but for the (far-)future-looking

From https://framebyframewifi.net/2016/08/02/802-11ac-encryption-upgrade/

A few interesting nuggets from section 11.4 of the 802.11ac amendment:

The AES algorithm is defined in FIPS PUB 197-2001. All AES processing used within CCMP uses AES with either a 128-bit key (CCMP-128) or a 256-bit key (CCMP-256).

And…

CCMP-128 processing expands the original MPDU size by 16 octets, 8 octets for the CCMP Header field and 8 octets for the MIC field. CCMP-256 processing expands the original MPDU size by 24 octets, 8 octets for the CCMP Header field, and 16 octets for the MIC field.

The changes, at least as described by that article and articles linked, are due to a potential threat from quantum computing in the next 20 years. Apparently NIST understands how people hold on to long-obsolete hardware, like every one of those 4/32 devices out there.

2 Likes

That's good info, Jeff. Everything I found mentioned only 128- and 192-bit keys, such as this from Wikipedia on WPA3:

In January 2018, the Wi-Fi Alliance announced WPA3 as a replacement to WPA2.[9][10] The new standard uses 128-bit encryption in WPA3-Personal mode (192-bit in WPA3-Enterprise)[11] and forward secrecy.[12] The WPA3 standard also replaces the Pre-Shared Key exchange with Simultaneous Authentication of Equals as defined in IEEE 802.11-2016 resulting in a more secure initial key exchange in personal mode.[13][14] The Wi-Fi Alliance also claims that WPA3 will mitigate security issues posed by weak passwords and simplify the process of setting up devices with no display interface.[2][15]

It seems like maybe there's some optional 256 bit mode that isn't in actual widespread use.

1 Like