Understanding WEP; Configuring WEP and WEP Features; Creating WEP Keys - Cisco Aironet 1100 Series Installation and Configuration Manual

Understanding WEP

Just as anyone within range of a radio station can tune to the station's frequency and listen to the signal, any wireless networking device within range of an access point can receive the access point's radio transmissions. Because WEP is the first line of defense against intruders, Cisco recommends that you use full encryption on your wireless network.

WEP encryption scrambles the communication between the access point and client devices to keep the communication private. Both the access point and client devices use the same WEP key to encrypt and decrypt radio signals. WEP keys encrypt both unicast and multicast messages. Unicast messages are addressed to just one device on the network. Multicast messages are addressed to multiple devices on the network.

Extensible Authentication Protocol (EAP) authentication provides dynamic WEP keys to wireless users. Dynamic WEP keys are more secure than static, or unchanging, WEP keys. If an intruder passively receives enough packets encrypted by the same WEP key, the intruder can perform a calculation to learn the key and use it to join your network. Because they change frequently, dynamic WEP keys prevent
intruders from performing the calculation and learning the key. See Chapter 10, "Configuring Authentication Types," for detailed information on EAP and other authentication types.

Three additional security features defend your wireless network's WEP keys:

- Message Integrity Check (MIC)—MIC prevents attacks on encrypted packets called bit-flip attacks. During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC, implemented on both the access point and all associated client devices, adds a few bytes to each packet to make the packets tamper proof.
- TKIP (Temporal Key Integrity Protocol, also known as WEP key hashing)—This feature defends against an attack on WEP in which the intruder uses the unencrypted initialization vector (IV) in encrypted packets to calculate the WEP key. TKIP removes the predictability that an intruder relies on to determine the WEP key by exploiting IVs.
- Broadcast key rotation—EAP authentication provides dynamic unicast WEP keys for client devices but uses static broadcast keys. When you enable broadcast WEP key rotation, the access point provides a dynamic broadcast WEP key and changes it at the interval you select. Broadcast key rotation is an excellent alternative to TKIP if your wireless LAN supports wireless client devices that are not Cisco devices or that cannot be upgraded to the latest firmware for Cisco client devices.

Configuring WEP and WEP Features

These sections describe how to configure WEP and additional WEP features such as MIC, TKIP, and broadcast key rotation:

- Creating WEP Keys
- Enabling and Disabling WEP and Enabling TKIP and MIC
- Enabling and Disabling Broadcast Key Rotation

WEP, TKIP, MIC, and broadcast key rotation are disabled by default.
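
The bit-flip weakness that MIC addresses, seen from the receiver's side, as an added example that is not part of the Cisco guide: WEP's built-in integrity value is an unkeyed CRC-32, which is linear over XOR, so a frame altered in transit can still pass it, while a frame carrying a keyed tag is rejected. HMAC-SHA256 truncated to 8 bytes stands in for the real MIC algorithm, and the keys, IV, payload and all function names are constructed for illustration.

```python
import hashlib, hmac, struct, zlib

WEP_KEY = bytes(range(1, 14))     # constructed 104-bit static key
MIC_KEY = b"constructed-mic-key"  # constructed key for the MIC stand-in
IV, SENT = b"\x00\x00\x01", b"PAY 0100 USD"  # constructed 24-bit IV and payload

def rc4(key, n):                  # n bytes of RC4 keystream
    s, j, out = list(range(256)), 0, bytearray()
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def icv(data):                    # WEP's unkeyed CRC-32 check value
    return struct.pack("<I", zlib.crc32(data))
def mic(data):                    # keyed 8-byte tag (HMAC stand-in, an assumption)
    return hmac.new(MIC_KEY, data, hashlib.sha256).digest()[:8]

def seal(payload, use_mic):       # sender: payload [+ MIC] + ICV, RC4 under IV||key
    body = payload + (mic(payload) if use_mic else b"")
    return IV + xor(body + icv(body), rc4(IV + WEP_KEY, len(body) + 4))

def receive(frame, use_mic):      # receiver: payload, or None if a check fails
    body = xor(frame[3:], rc4(frame[:3] + WEP_KEY, len(frame) - 3))
    data, got = body[:-4], body[-4:]
    ok = icv(data) == got
    if ok and use_mic:
        data, tag = data[:-8], data[-8:]
        ok = hmac.compare_digest(tag, mic(data))
    return data if ok else None

def altered_in_transit(frame, delta):  # test fixture; uses no key
    d = delta.ljust(len(frame) - 7, b"\0")   # delta over everything before the ICV
    return frame[:3] + xor(frame[3:], d + xor(icv(d), icv(bytes(len(d)))))

def demo(use_mic):                # what the receiver returns for an altered frame
    frame = altered_in_transit(seal(SENT, use_mic), xor(SENT, b"PAY 9100 USD"))
    return receive(frame, use_mic)

print(demo(False), demo(True))
```

With the CRC alone the receiver accepts the altered payload; with the keyed tag it returns `None`, because the tag cannot be recomputed without the MIC key.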
Cisco Aironet 1100 Series Access Point Installation and Configuration Guide, OL-2851-01
