Cisco Systems OL-6415-04 manual Understand Encryption Types

Chapter 5 Configuring Encryption Types

Understand Encryption Types

Understand Encryption Types

This section describes how encryption types protect traffic on your wireless LAN.

Just as anyone within range of a radio station can tune to the station's frequency and listen to the signal, any wireless networking device within range of an access point can receive the access point's radio transmissions. Because encryption is the first line of defense against intruders, Cisco recommends that you use full encryption on your wireless network.

One type ofwireless encryption is Wired Equivalent Privacy (WEP). WEP encryption scrambles the communication between the access point and client devices to keep the communication private. Both the access point and client devices use the same WEP key to encrypt and unencrypt radio signals. WEP keys encrypt both unicast and multicast messages. Unicast messages are addressed to just one device on the network. Multicast messages are addressed to multiple devices on the network.

Extensible Authentication Protocol (EAP) authentication, also called 802.1x authentication, provides dynamic WEP keys to wireless users. Dynamic WEP keys are more secure than static, or unchanging, WEP keys. If an intruder passively receives enough packets encrypted by the same WEP key, the intruder can perform a calculation to learn the key and use it to join your network. Because they change frequently, dynamic WEP keys prevent intruders from performing the calculation and learning the key. See Chapter 6, “Configuring Authentication Types,” for detailed information on EAP and other authentication types.

Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication on your wireless LAN. You must use a cipher suite to enable Wi-Fi Protected Access (WPA). Because cipher suites provide the protection of WEP while also allowing use of authenticated key management, Cisco recommends that you enable encryption by using the encryption mode cipher command in the CLI or by using the cipher drop-down menu in the web-browser interface. Cipher suites that contain AES-CCM provide the best security for your wireless LAN, and cipher suites that contain only WEP are the least secure.

These security features protect the data traffic on your wireless LAN:

•AES-CCMP—Based on the Advanced Encryption Standard (AES) defined in the National Institute of Standards and Technology’s FIPS Publication 197, AES-CCMP is a symmetric block cipher that can encrypt and decrypt data using keys of 128, 192, and 256 bits. AES-CCMP is superior to WEP encryption and is defined in the IEEE 802.11i standard.

•WEP—WEP is an 802.11 standard encryption algorithm originally designed to provide your wireless LAN with the same level of privacy available on a wired LAN. However, the basic WEP construction is flawed, and an attacker can compromise the privacy with reasonable effort.

•TKIP (Temporal Key Integrity Protocol)—TKIP is a suite of algorithms surrounding WEP that is designed to achieve the best possible security on legacy hardware built to run WEP. TKIP adds four enhancements to WEP:

–A per-packet key mixing function to defeat weak-key attacks

–A new IV sequencing discipline to detect replay attacks

–A cryptographic message integrity check (MIC), called Michael, to detect forgeries such as bit flipping and altering packet source and destination

–An extension of IV space, to virtually eliminate the need for re-keying

•Broadcast key rotation (also known as Group Key Update)—Broadcast key rotation allows the access point to generate the best possible random group key and update all key-management capable clients periodically. Wi-Fi Protected Access (WPA) also provides additional options for group key updates. See the “Using WPA Key Management” section on page 6-6for details on WPA.

Cisco Wireless ISR and HWIC Access Point Configuration Guide