Old 05-01-2021, 02:45 PM   #1
LenHoff
Member
 
Registered: Mar 2017
Posts: 92

Rep: Reputation: Disabled
Router wireless algorithm different than shown for wifi network adapter


Where do the security modes & algorithm options come from that Linux (Mint) Network Connections or Network Manager display? (or don't show in a manager's GUI, but used)?

Mint 19 XFCE (32bit), Network Connections (the manager), has no field to select a wifi algorithm. Guessing it chooses the algorithm, based on the selected mode (WPA2, etc)??

Are they from the linux kernel used, the wifi network controller adapter, the controller's drivers or other source?

My router WRT54GL (w/ latest firmware) only offers WPA2 Personal and WPA2 Enterprise. (Other modes listed are older -not recommended).

Selecting "WPA2 Personal" in router wireless security, it offers separate algorithm options: "AES" and "AES+TKIP." (AES is selected).

Problem is, an older laptop with Intel Pro Wireless 3945ABG adapter & driver iwl3945, the Linux wifi connection setup only offers mode: "WPA / WPA2" - together as shown. It has other, older modes.

Running "iwlist wlp5s0 scanning," shows when "WPA / WPA2 Personal" is selected in Network Connections, it uses
"IE: IEEE 802.11i / WPA2 ver.1";
"Group cipher = CCMP" - (only one shown);
"Pairwise ciphers(1) CCMP" (only one shown);

Does mixing & matching AES - in the router - & CCMP in the wireless device really work as it should? No problem w/ laptop inet connection operation.
That doesn't mean wifi security is best it can be.

Contrast: If for router wireless security mode, I select WPA/WPA2 and algorithm TKIP + AES, then running "iwlist wlp5s0 scanning," the laptop's wireless network controller shows it's using AES (I believe).

Note: iPhones warn using "TKIP+AES" is a security issue - use only AES.

But in the router, if I select TKIP+AES, the command above (& others) shows the laptop's using AES & another - as a pair. I assume it defaults to using the highest algorithm of a pair like TKIP+AES?
 
Old 05-02-2021, 11:41 AM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,345

Rep: Reputation: Disabled
Quote:
Originally Posted by LenHoff
Mint 19 XFCE (32bit), Network Connections (the manager), has no field to select a wifi algorithm. Guessing it chooses the algorithm, based on the selected mode (WPA2, etc)??
That seems likely.
Quote:
Originally Posted by LenHoff
Are they from the linux kernel used, the wifi network controller adapter, the controller's drivers or other source?
Encrypted WiFi connections are established by a piece of software called wpa_supplicant.
Quote:
Originally Posted by LenHoff
Does mixing & matching AES - in the router - & CCMP in the wireless device really work as it should?
This is an issue of imprecise use of terminology.

The original WPA standard used TKIP/MIC (Temporal Key Integrity Protocol/Message Integrity Check) to negotiate encryption keys and sign data packets, and RC4 (Rivest Cipher #4) to encrypt the data. A later revision of WPA allowed for AES instead of RC4, and some routers will present these options (erroneously) as "WPA-TKIP" and "WPA-AES".

WPA2 ditched TKIP and MIC for CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol, now there's a mouthful), and also entirely dropped support for RC4.

So WPA may be referred to as "WPA" or "TKIP", while WPA2 is sometimes called "AES" and other times "CCMP/AES". And what something like "TKIP/AES" means is anybody's guess; is it a way of saying that both WPA and WPA2 are supported, or that only the AES variant of TKIP is allowed, or that both the original WPA with RC4 and the later revision using AES will work?

In short, it's a mess.
Quote:
Originally Posted by LenHoff
But in the router, if I select TKIP+AES, the command above (& others) shows the laptop's using AES & another - as a pair. I assume it defaults to using the highest algorithm of a pair like TKIP+AES?
One would hope so, but in fact there's no guarantee that a client will choose the best available encryption when a router supports multiple options. In addition to that, it may be possible for an attacker to disrupt the negotiation and force both parties to downgrade the encryption.

I'd recommend disabling as many of the old encryption standards as your client equipment will allow. Anything referencing "WPA", "TKIP", or "RC4" should go.
 
Old 05-03-2021, 03:00 AM   #3
LenHoff
Member
 
Registered: Mar 2017
Posts: 92

Original Poster
Rep: Reputation: Disabled
Thanks, Ser Olmy.
1st, pardon my ignorance. I assumed that a router & wireless network adapter (Linksys & Intel) would show the info they are both using, in a reasonably understandable way.
But part is my fault as well.

I feel like you regarding when any networking device shows two (protocols? standards? - more on that later), e.g., WPA / WPA2 as a single choice, I don't know for sure what will happen under different scenarios. After lots of searching & reading, I haven't found anything in writing on that which I'd consider reputable. But I'm sure an explanation exists.

Here's what I found on some of my questions. Part of the problem is even experts use different terms and explanations - for the same thing.
Example: One site w/ a whole book on wifi & the different standards & protocols & detailed history of EVERYTHING wifi, said,
Quote:
It should be understood that AES is a standard and not a protocol. A protocol is a series of steps designed to achieve a specific end, while a standard is a set of rules and guidelines that define an overall design structure. The AES standard specifies ...
So THEY call AES (& others similar in function) a "Standard" for encryption.
And call WPA, WPA2
Quote:
new security protocols that replace WEP...
Don't use older WEP, WAP. Getting clearer? Hold on.

Another spiffy looking site said,
Quote:
AES is not a security protocol; it is a block cipher.
So it's like Double Mint Gum - "It's two, two, two things in one."
Yes, when you select a different value under Linksys' router - wireless security entry they call "security mode" (WEP, WPA, WPA2 - and they don't say which VERSION(s) of those or anything else), you're likely to see different router values under (WPA) Algorithms. Also different values under NetworkManager. But they don't necessarily list the exact same name for router or network adapter settings, that are in fact talking about the same thing.

For example, this Linksys router lists WPA & WPA2 separately (they are entirely different). So I'm not sure why a wireless network adapter lists it as "WPA/WPA2."
Maybe there's a reason, but they're not sayin in the honking bit manual. Under what circumstance might the adapter fall back to WPA? For those listening in, after WPA has been shown to have problems - long ago, you don't want to be using WPA.

What I gleaned from (yawn!) reading, is AES is like a whole car. CCMP (you look it up) is a new, improved (50% more absorbent) engine that makes AES go.
So when (something) shows "AES/CCMP", or in Network Manager for my Intel wifi adapter, may show just "CCMP" (depending), they think that you should KNOW that,
Quote:
CCMP defines a set of rules that use the AES block cipher to enable the encryption and protection of IEEE 802.11 frames of data. AES is to CCMP what RC4 is to TKIP.
As long as you remember that, you'll be fine.

The only way you can find out (some) of what is being used in Linux - by your wifi connection setup, is running some cli commands. Your distro's Network Manager may show more or less data than another. Mine doesn't show what frequency channel is used or what cipher algorithm (e.g., AES, AES-CCMP, CCMP) (but my router shows all that).

If you can't see the cipher algorithm, or channel is actually being used & you NEED to know, because running certain old, buggy "parts" in the wifi security settings may come back to bite you, there are plenty of simple cli commands to find what isn't shown elsewhere. Since Network Manager didn't show WHICH of WPA/WPA2 (shown together) it was using & I didn't want it using WPA, I ran CLI commands.

Find the logical name of the wireless network adapter: iwconfig

It'll be something like wlp5s0 & will have wireless or network connection in the description (not eth or ethernet - that's the adapter for wired connection).
Then use the adapter name in a command, like "iwlist [adapter's name] scanning".

That should show if it's using WPA & TKIP (better wear a tinfoil hat) or WPA2 & cipher: AES+CCMP or just CCMP. Plus a lot of other useful data.
That's it for today, Buckaroos. For next class, read ch. 2 -> 27, in Everything You Need to Know About Wireless Security.
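
Added example, not part of the thread or any poster's code: a small Python check over `iwlist [adapter's name] scanning` output that flags access points still advertising WPA version 1 or TKIP, the mixed WPA/WPA2 setup discussed in the posts above. The scan lists what each access point advertises; the sample text is constructed in iwlist's layout, and the function names are illustrative.

```python
# Constructed sample in the layout `iwlist <iface> scanning` prints (not a real capture).
SAMPLE_SCAN = """\
wlp5s0    Scan completed :
          Cell 01 - Address: 02:00:00:00:00:01
                    ESSID:"wpa2-only"
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
          Cell 02 - Address: 02:00:00:00:00:02
                    ESSID:"mixed-mode"
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : CCMP TKIP
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : CCMP TKIP
"""

def parse_cells(text):
    """Split scan output into cells, each with its ESSID and advertised security IEs."""
    cells, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Cell "):
            cur = {"essid": "", "ies": []}
            cells.append(cur)
        elif cur is None:
            continue  # header lines before the first cell
        elif line.startswith("ESSID:"):
            cur["essid"] = line[len("ESSID:"):].strip('"')
        elif line.startswith("IE:") and "WPA" in line:
            cur["ies"].append({"proto": "WPA2" if "WPA2" in line else "WPA", "ciphers": set()})
        elif cur["ies"] and line.startswith(("Group Cipher", "Pairwise Ciphers")):
            cur["ies"][-1]["ciphers"].update(line.split(":", 1)[1].split())
    return cells

def audit_scan(text):
    """Map ESSID -> findings; an empty list means only WPA2 with CCMP is offered."""
    report = {}
    for cell in parse_cells(text):
        findings = [] if cell["ies"] else ["no WPA/WPA2 IE (open or WEP)"]
        for ie in cell["ies"]:
            if ie["proto"] == "WPA":
                findings.append("WPA (version 1) advertised")
            if "TKIP" in ie["ciphers"]:
                findings.append("TKIP accepted under " + ie["proto"])
        report[cell["essid"]] = findings
    return report

print(audit_scan(SAMPLE_SCAN))
```

To check a live scan, pass the captured command output to `audit_scan` in place of `SAMPLE_SCAN`; networks sharing an ESSID collapse into one entry.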
 
Old 05-03-2021, 01:42 PM   #4
computersavvy
Senior Member
 
Registered: Aug 2016
Posts: 3,345

Rep: Reputation: 1484
Yep, and 99+ % of users are not concerned about what is under the hood, but only that it works. Different manufacturers are free to use whatever they choose and label it accordingly. There is no requirement that any one standard, protocol or naming convention is used, although most try to stay with the latest for their newest products for reliability, security, and reputation purposes. They update firmware for many of the same reasons.

Ten software developers will find at least twelve different ways to solve the same problem.
Keep digging in that rabbit hole.

Last edited by computersavvy; 05-03-2021 at 01:46 PM.
 
  

