Understanding Cipher Suites and WEP
This section describes how WEP and cipher suites protect traffic on your wireless LAN.
Just as anyone within range of a radio station can tune to the station's frequency and listen to the signal,
any wireless networking device within range of an access point can receive the access point's radio
transmissions. Because WEP is the first line of defense against intruders, Cisco recommends that you
use full encryption on your wireless network.
WEP encryption scrambles the communication between the access point and client devices to keep the
communication private. The access point and client devices use the same WEP key to encrypt and
decrypt radio frames. WEP keys protect both unicast messages, which are addressed to just one device
on the network, and multicast messages, which are addressed to multiple devices on the network.
Extensible Authentication Protocol (EAP) authentication, also called IEEE 802.1X authentication, provides
dynamic WEP keys to wireless users. Dynamic WEP keys are more secure than static, or unchanging,
WEP keys. If an intruder passively captures enough frames encrypted under the same WEP key, the
intruder can compute the key from those frames and use it to join your network. Because dynamic WEP
keys change frequently, far fewer frames are ever encrypted under any one key, which denies the intruder
the volume of traffic that the key-recovery calculation needs. See Chapter 11, "Configuring
Authentication Types," for detailed information on EAP and other authentication types.
Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication
on your wireless LAN. You must use a cipher suite to enable Wi-Fi Protected Access (WPA) or Cisco
Centralized Key Management (CCKM). Because cipher suites provide the protection of WEP while also
allowing use of authenticated key management, Cisco recommends that you enable WEP by using the
encryption mode ciphers command in the CLI or the cipher drop-down menu in the web-browser
interface rather than as standalone WEP. Cipher suites that contain AES-CCMP provide the best security
for your wireless LAN, cipher suites that contain TKIP are the next strongest, and cipher suites that
contain only WEP are the least secure.
These security features protect the data traffic on your wireless LAN:
• AES-CCMP—AES-CCMP uses the Advanced Encryption Standard (AES), the symmetric block cipher defined
in the National Institute of Standards and Technology's FIPS Publication 197, in Counter Mode with
CBC-MAC (CCM), which provides both confidentiality and an integrity check for each frame. AES itself
supports keys of 128, 192, and 256 bits; the AES-CCMP cipher suite defined in the IEEE 802.11i
standard uses a 128-bit key. AES-CCMP is superior to WEP encryption.
Note
Cisco Aironet 1130 and 1230 series access points support WPA2. Cisco Aironet 1100, 1200, and 1300
series 802.11g radios support WPA2 with a Cisco IOS software upgrade to Release 12.3(2)JA or later.
Note
Cisco Aironet 1200 series radio modules having part numbers AIR-RM21A or AIR-RM22A support
WPA2 or AES.
Note
Cisco 802.11n radios require that either no encryption or AES-CCMP be configured for proper
operation.
• WEP (Wired Equivalent Privacy)—WEP is an 802.11 standard encryption algorithm originally
designed to provide your wireless LAN with the same level of privacy available on a wired LAN. WEP
encrypts each frame with the RC4 stream cipher under a 24-bit per-frame initialization vector and
protects it with a CRC-32 integrity check value. Because the initialization vector space is small and the
integrity check is linear, the basic WEP construction is flawed, and an attacker can compromise the
privacy with reasonable effort.
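The two WEP weaknesses described above (a static key reused across many frames, and a construction that an attacker can break with reasonable effort) can be made concrete with a small model. The Python below is an added example and is not from the Cisco guide; the key, IV and payloads are constructed sample values, and the helper names (wep_encrypt, recover_from_iv_reuse, flip_bits_without_key) are this example's own. It does not implement the statistical key-recovery calculation the text alludes to; it shows two simpler consequences of the WEP frame format: a reused IV under one key exposes the XOR of two payloads, and the linear CRC-32 integrity check lets an attacker modify a frame without knowing the key.

```python
"""Added example, not part of the Cisco guide: a minimal model of a WEP data
frame showing why the basic WEP construction is flawed.

WEP sends  IV || RC4(IV || key) XOR (payload || ICV), where the IV is 24 bits
sent in the clear and the ICV is CRC-32 of the payload. Two consequences:
  * two frames that reuse an IV under one static key share a keystream, so
    XORing their ciphertexts yields the XOR of their payloads;
  * CRC-32 is linear, so an attacker can flip payload bits and repair the
    encrypted ICV without knowing the key.
The key, IV and payloads below are constructed sample values.
"""
import zlib
from typing import Optional


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the payload, little-endian."""
    return zlib.crc32(payload).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Build a WEP frame body: IV || RC4(IV||key) XOR (payload || ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13)   # WEP-40 or WEP-104 key
    plaintext = payload + icv(payload)
    return iv + xor(rc4(iv + key, len(plaintext)), plaintext)


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Receiver side: return the payload, or None if the ICV check fails."""
    iv, body = frame[:3], frame[3:]
    plaintext = xor(rc4(iv + key, len(body)), body)
    payload, tag = plaintext[:-4], plaintext[-4:]
    return payload if tag == icv(payload) else None


def recover_from_iv_reuse(frame_a: bytes, frame_b: bytes, known_a: bytes) -> bytes:
    """Attacker side, no key: frames A and B share an IV, and payload A is
    known (a predictable protocol message). Returns the first len(known_a)
    bytes of payload B, since ct_a XOR ct_b == payload_a XOR payload_b."""
    assert frame_a[:3] == frame_b[:3], "different IVs mean different keystreams"
    n = len(known_a)
    return xor(xor(frame_a[3:3 + n], frame_b[3:3 + n]), known_a)


def flip_bits_without_key(frame: bytes, delta: bytes) -> bytes:
    """Attacker side, no key: XOR `delta` into the encrypted payload and fix
    the encrypted ICV. For equal-length inputs CRC-32 satisfies
    crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros), so the receiver's check passes."""
    iv, ct_payload, ct_icv = frame[:3], frame[3:-4], frame[-4:]
    assert len(delta) == len(ct_payload)
    fixed_icv = xor(xor(ct_icv, icv(delta)), icv(bytes(len(delta))))
    return iv + xor(ct_payload, delta) + fixed_icv


def demo() -> dict:
    key = bytes.fromhex("0123456789")          # constructed 40-bit static key
    iv = b"\x00\x00\x01"                       # constructed IV, reused below
    known = b"GET /index.html "                # 16-byte predictable payload
    secret = b"passwd=hunter2! "               # 16-byte payload to recover
    frame_a = wep_encrypt(key, iv, known)
    frame_b = wep_encrypt(key, iv, secret)     # same key and IV: same keystream
    delta = xor(known, b"PUT /index.html ")    # change the request method
    naive = frame_a[:3] + xor(frame_a[3:-4], delta) + frame_a[-4:]  # ICV untouched
    return {
        "roundtrip": wep_decrypt(key, frame_a),
        "recovered": recover_from_iv_reuse(frame_a, frame_b, known),
        "naive_tamper": wep_decrypt(key, naive),
        "forged": wep_decrypt(key, flip_bits_without_key(frame_a, delta)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The receiver rejects the naive bit flip (the ICV no longer matches) but accepts the forged frame, because the attacker repaired the encrypted ICV using only CRC-32's linearity. This is the class of defect that the integrity algorithms in the TKIP and AES-CCMP cipher suites were designed to remove: TKIP adds a keyed message integrity code and per-frame key mixing on top of RC4, and AES-CCMP replaces both the cipher and the check with AES in CCM mode.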
Chapter 10 Configuring Cipher Suites and WEP
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
10-2
OL-14209-01