Ckip - Cisco SD2008T-NA Configuration Manual

Configuring WLANs

CKIP

Cisco Key Integrity Protocol (CKIP) is a Cisco-proprietary security protocol for encrypting 802.11
media. CKIP improves 802.11 security in infrastructure mode using key permutation, message integrity
check (MIC), and message sequence number. Software release 4.0 supports CKIP with static key. For
this feature to operate correctly, you must enable Aironet information elements (IEs) for the WLAN.
A lightweight access point advertises support for CKIP in beacon and probe response packets by adding
an Aironet IE and setting one or both of the CKIP negotiation bits [key permutation and multi-modular
hash message integrity check (MMH MIC)]. Key permutation is a data encryption technique that uses
the basic encryption key and the current initialization vector (IV) to create a new key. MMH MIC
prevents bit-flip attacks on encrypted packets by using a hash function to compute message integrity
code.
The CKIP settings specified in a WLAN are mandatory for any client attempting to associate. If the
WLAN is configured for both CKIP key permutation and MMH MIC, the client must support both. If
the WLAN is configured for only one of these features, the client must support only this CKIP feature.
CKIP requires that 5-byte and 13-byte encryption keys be expanded to 16-byte keys. The algorithm to
perform key expansion happens at the access point. The key is appended to itself repeatedly until the
length reaches 16 bytes. All lightweight access points except the AP1000 support CKIP.
You can configure CKIP through either the GUI or the CLI.
Using the GUI to Configure CKIP
Follow these steps to configure a WLAN for CKIP using the controller GUI.
To enable Aironet IEs for this WLAN, check the Aironet IE check box under Cisco Client Extension
Step 1
(CCX).
Click WLANs to access the WLANs page.
Step 2
Cisco Wireless LAN Controller Configuration Guide
6-12
Chapter 6 Configuring WLANsWireless Device Access
OL-1926-06OL-9141-03