Encryption Methods - Cisco 8961 Administration Manual

VoIP Wireless Network
• WPA/WPA2: Uses RADIUS server information to generate unique keys for authentication. Because
• Cisco Centralized Key Management (CCKM): Uses RADIUS server and a wireless domain server
With WPA/WPA2 and CCKM, encryption keys are not entered on the phone, but are automatically derived
between the AP and phone. But the EAP username and password that are used for authentication must be
entered on each phone.
Note Only WPA(TKIP) and 802.1x(WEP) support CCKM.

Encryption Methods

To ensure that voice traffic is secure, the Cisco Unified IP Phone supports WEP, TKIP, and Advanced
Encryption Standards (AES) for encryption. When these mechanisms are used for encryption, both the
signalling Skinny Client Control Protocol (SCCP) packets and voice Real-Time Transport Protocol (RTP)
packets are encrypted between the AP and the Cisco Unified IP Phone.
WEP
TKIP
AES
Note The Cisco Unified IP Phone does not support Cisco Key Integrity Protocol (CKIP) with CMIC.
REVIEW DRAFT - CISCO CONFIDENTIAL
these keys are generated at the centralized RADIUS server, WPA/WPA2 provides more security than
WPA preshared keys that are stored on the AP and phone.
(WDS) information to manage and authenticate keys. The WDS creates a cache of security credentials
for CCKM-enabled client devices for fast and secure reauthentication.
With WEP use in the wireless network, authentication happens at the AP by using open or shared-key
authentication. The WEP key that is setup on the phone must match the WEP key that is configured at
the AP for successful connections. The Cisco Unified IP Phone supports WEP keys that use 40-bit
encryption or a 128-bit encryption and remain static on the phone and AP.
EAP and CCKM authentication can use WEP keys for encryption. The RADIUS server manages the
WEP key and passes a unique key to the AP after authentication for encrypting all voice packets;
consequently, these WEP keys can change with each authentication.
WPA and CCKM use TKIP encryption that has several improvements over WEP. TKIP provides
per-packet key ciphering and longer initialization vectors (IVs) that strengthen encryption. In addition,
a message integrity check (MIC) ensures that encrypted packets are not being altered. TKIP removes
the predictability of WEP that helps intruders decipher the WEP key.
An encryption method used for WPA2 authentication. This national standard for encryption uses a
symmetrical algorithm that has the same key for encryption and decryption. AES uses Cipher Blocking
Chain (CBC) encryption of 128 bits in size, which supports key sizes of 128, 192 and 256 bits, as a
minimum. The Cisco Unified IP Phone supports a key size of 256 bits.
Cisco Unified IP Phone 8961, 9951, and 9971 Administration Guide for Cisco Unified Communications Manager 10.0
Encryption Methods
(SIP)
95