Understand Encryption Types; Chapter 5 Configuring Encryption Types - Cisco ISR Configuration Manual

Understand Encryption Types
This section describes how encryption types protect traffic on your wireless LAN.
Just as anyone within range of a radio station can tune to the station's frequency and listen to the signal,
any wireless networking device within range of an access point can receive the access point's radio
transmissions. Because encryption is the first line of defense against intruders, Cisco recommends that
you use full encryption on your wireless network.
One type of wireless encryption is Wired Equivalent Privacy (WEP). WEP encryption scrambles the
communication between the access point and client devices to keep the communication private. Both the
access point and client devices use the same WEP key to encrypt and decrypt radio signals. WEP keys
encrypt both unicast and multicast messages. Unicast messages are addressed to just one device on the
network. Multicast messages are addressed to multiple devices on the network.
Extensible Authentication Protocol (EAP) authentication, also called 802.1x authentication, provides
dynamic WEP keys to wireless users. Dynamic WEP keys are more secure than static, or unchanging,
WEP keys. If an intruder passively receives enough packets encrypted by the same WEP key, the intruder
can perform a calculation to learn the key and use it to join your network. Because they change
frequently, dynamic WEP keys prevent intruders from performing the calculation and learning the key.
See Chapter 6, "Configuring Authentication Types," for detailed information on EAP and other
authentication types.
Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication
on your wireless LAN. You must use a cipher suite to enable Wi-Fi Protected Access (WPA). Because
cipher suites provide the protection of WEP while also allowing use of authenticated key management,
Cisco recommends that you enable encryption by using the encryption mode cipher command in the
CLI or by using the cipher drop-down menu in the web-browser interface. Cipher suites that contain
AES-CCM provide the best security for your wireless LAN, and cipher suites that contain only WEP are
the least secure.
These security features protect the data traffic on your wireless LAN:
- AES-CCMP—Based on the Advanced Encryption Standard (AES) defined in the National Institute
  of Standards and Technology's FIPS Publication 197, AES-CCMP is a symmetric block cipher that
  can encrypt and decrypt data using keys of 128, 192, and 256 bits. AES-CCMP is superior to WEP
  encryption and is defined in the IEEE 802.11i standard.
- WEP—WEP is an 802.11 standard encryption algorithm originally designed to provide your
  wireless LAN with the same level of privacy available on a wired LAN. However, the basic WEP
  construction is flawed, and an attacker can compromise the privacy with reasonable effort.
- TKIP (Temporal Key Integrity Protocol)—TKIP is a suite of algorithms surrounding WEP that is
  designed to achieve the best possible security on legacy hardware built to run WEP. TKIP adds four
  enhancements to WEP:
  - A per-packet key mixing function to defeat weak-key attacks
  - A new IV sequencing discipline to detect replay attacks
  - A cryptographic message integrity check (MIC), called Michael, to detect forgeries such as bit
    flipping and altering packet source and destination
  - An extension of IV space, to virtually eliminate the need for re-keying
- Broadcast key rotation (also known as Group Key Update)—Broadcast key rotation allows the
  access point to generate the best possible random group key and update all key-management capable
  clients periodically. Wi-Fi Protected Access (WPA) also provides additional options for group key
  updates. See the "Using WPA Key Management" section on page 6-6 for details on WPA.
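
The cipher-suite ranking in this section (AES-CCM best, WEP-only least secure) can be checked against a saved running configuration. The following Python check is an added example, not code from the Cisco guide; it assumes the IOS form "encryption [vlan N] mode ciphers ..." or "encryption [vlan N] mode wep ..." under Dot11Radio interfaces, judges each suite by its weakest cipher (an assumption of this example), and runs on a constructed sample.

```python
import re

# Strength order, assumed for this example: the page only ranks AES-CCM as best
# and WEP-only as least secure; TKIP is placed between them.
RANK = {"aes-ccm": 3, "tkip": 2, "wep128": 1, "wep40": 1, "wep": 1}
VERDICT = {3: "ok", 2: "legacy", 1: "weak", 0: "review"}

# "encryption [vlan N] mode ciphers <suite>" or "encryption [vlan N] mode wep ..."
ENC_RE = re.compile(
    r"^\s+encryption\s+(?:vlan\s+(\d+)\s+)?mode\s+(ciphers|wep)\s+(\S.*?)\s*$")

def audit(config_text):
    """Return (interface, vlan, weakest_cipher, verdict) for each radio setting."""
    findings, radios, iface = [], {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
            if iface.lower().startswith("dot11radio"):
                radios.setdefault(iface, False)
            continue
        m = ENC_RE.match(line)
        if not m or iface not in radios:
            continue
        vlan, mode, args = m.groups()
        ciphers = ["wep"] if mode == "wep" else args.lower().split()
        # Judge the suite by the weakest cipher it lets a client negotiate.
        weakest = min(ciphers, key=lambda c: RANK.get(c, 0))
        findings.append((iface, vlan, weakest, VERDICT[RANK.get(weakest, 0)]))
        radios[iface] = True
    # A radio with no encryption command carries traffic in the clear.
    findings += [(r, None, "none", "weak") for r, seen in radios.items() if not seen]
    return findings

# Constructed sample running-config fragment (not from a real device).
SAMPLE = """\
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 encryption vlan 20 mode ciphers tkip wep128
 encryption vlan 30 mode wep mandatory
!
interface Dot11Radio1
 no ip address
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Cipher names the table does not know are reported as "review" rather than guessed at.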
Cisco Wireless ISR and HWIC Access Point Configuration Guide, OL-6415-04
