Specifications
9-2
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-5260-01
Chapter 9 Configuring Cipher Suites and WEP
Understanding Cipher Suites and WEP
Understanding Cipher Suites and WEP
This section describes how WEP and cipher suites protect traffic on your wireless LAN.
Just as anyone within range of a radio station can tune to the station's frequency and listen to the signal,
any wireless networking device within range of an access point can receive the access point's radio
transmissions. Because WEP is the first line of defense against intruders, Cisco recommends that you
use full encryption on your wireless network.
WEP encryption scrambles the communication between the access point and client devices to keep the
communication private. Both the access point and client devices use the same WEP key to encrypt and
unencrypt radio signals. WEP keys encrypt both unicast and multicast messages. Unicast messages are
addressed to just one device on the network. Multicast messages are addressed to multiple devices on
the network.
Extensible Authentication Protocol (EAP) authentication, also called 802.1x authentication, provides
dynamic WEP keys to wireless users. Dynamic WEP keys are more secure than static, or unchanging,
WEP keys. If an intruder passively receives enough packets encrypted by the same WEP key, the intruder
can perform a calculation to learn the key and use it to join your network. Because they change
frequently, dynamic WEP keys prevent intruders from performing the calculation and learning the key.
See Chapter 10, “Configuring Authentication Types,” for detailed information on EAP and other
authentication types.
Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication
on your wireless LAN. You must use a cipher suite to enable Wi-Fi Protected Access (WPA) or Cisco
Centralized Key Management (CCKM). Because cipher suites provide the protection of WEP while also
allowing use of authenticated key management, Cisco recommends that you enable WEP by using the
encryption mode cipher command in the CLI or by using the cipher drop-down menu in the
web-browser interface. Cipher suites that contain TKIP provide the best security for your wireless LAN,
and cipher suites that contain only WEP are the least secure.
These security features protect the data traffic on your wireless LAN:
• AES-CCMP—Based on the Advanced Encryption Standard (AES) defined in the National Institute
of Standards and Technology’s FIPS Publication 197, AES-CCMP is a symmetric block cipher that
can encrypt and decrypt data using keys of 128, 192, and 256 bits. AES-CCMP is superior to WEP
encryption and is defined in the IEEE 802.11i standard.
• WEP (Wired Equivalent Privacy)—WEP is an 802.11 standard encryption algorithm originally
designed to provide your wireless LAN with the same level of privacy available on a wired LAN.
However, the basic WEP construction is flawed, and an attacker can compromise the privacy with
reasonable effort.
• TKIP (Temporal Key Integrity Protocol)—TKIP is a suite of algorithms surrounding WEP that is
designed to achieve the best possible security on legacy hardware built to run WEP. TKIP adds four
enhancements to WEP:
–
A per-packet key mixing function to defeat weak-key attacks
–
A new IV sequencing discipline to detect replay attacks
–
A cryptographic message integrity Check (MIC), called Michael, to detect forgeries such as bit
flipping and altering packet source and destination
–
An extension of IV space, to virtually eliminate the need for re-keying
• CKIP (Cisco Key Integrity Protocol)—Cisco's WEP key permutation technique based on an early
algorithm presented by the IEEE 802.11i security task group.
• CMIC (Cisco Message Integrity Check)—Like TKIP's Michael, Cisco's message integrity check
mechanism is designed to detect forgery attacks.