Americas Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2008 Cisco Systems, Inc. All rights reserved.
Cipher Suites and WEP
This document describes how to configure Wired Equivalent Privacy (WEP), Message Integrity Check
(MIC), Temporal Key Integrity Protocol (TKIP), and Advanced Encryption Standard (AES). This
document contains these sections:
• Understanding Cipher Suites and WEP
• Configuring Cipher Suites
Understanding Cipher Suites and WEP
Just as anyone within range of a radio station can tune to the station’s frequency and listen to the signal,
any wireless networking device within range of a bridge can receive the bridge’s radio transmissions.
Because WEP is the first line of defense against intruders, Cisco recommends that you use full
encryption on your wireless network.
To keep the communication private, WEP encryption scrambles the radio communication between
bridges. Communicating bridges use the same WEP key to encrypt and decrypt radio signals. WEP
keys encrypt both unicast and multicast messages. Unicast messages are addressed to just one device on
the network. Multicast messages are addressed to multiple devices on the network.
Extensible Authentication Protocol (EAP) authentication provides dynamic WEP keys to wireless
devices. Dynamic WEP keys are more secure than static, or unchanging, WEP keys. If an intruder
passively receives enough packets encrypted by the same WEP key, the intruder can perform a
calculation to learn the key and use it to join your network. By changing frequently, dynamic WEP keys
prevent intruders from performing the calculation and learning the key. See “Authentication Types” for
detailed information on EAP and other authentication types.
Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication
on your wireless LAN. You must use a cipher suite to enable Wi-Fi Protected Access (WPA) or Cisco
Centralized Key Management (CCKM). Because cipher suites provide the protection of WEP while also
allowing use of authenticated key management, Cisco recommends that you enable WEP by using the
encryption mode cipher command in the command-line interface (CLI). Cipher suites that contain AES
provide the best security for your wireless LAN, and cipher suites that contain only WEP are the least
secure.
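The ranking above (suites containing AES are best, WEP-only suites are least secure) can be checked against a saved bridge configuration. The following is an added example, not Cisco code and not part of the original document. It assumes the IOS syntax `encryption [vlan N] mode ciphers ...` and `encryption [vlan N] mode wep ...` with the keywords `aes-ccm`, `tkip`, `wep128` and `wep40`; the sample configuration is constructed, and the "intermediate" label is this example's own.

```python
import re

# Constructed sample config (not from the original page).
SAMPLE_CONFIG = """\
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 encryption vlan 20 mode ciphers tkip wep128
 encryption vlan 30 mode wep mandatory
 encryption vlan 40 mode ciphers wep128
!
interface Dot11Radio1
 no ip address
!
interface FastEthernet0
 no ip address
"""

BEST = "best: suite contains AES"
MID = "intermediate: no AES, but not WEP alone"   # label is this example's own
WEAK = "least secure: WEP only"
NONE = "no encryption mode configured"

# Assumed syntax: encryption [vlan N] mode {ciphers <suite...> | wep <option>}
ENC_RE = re.compile(r"^encryption(?:\s+vlan\s+(\d+))?\s+mode\s+(ciphers|wep)\s+(.+)$")
WEP_ONLY = {"wep40", "wep128"}

def classify(kind, args):
    """Rank one encryption-mode line using the ordering given in the text."""
    tokens = set(args.split())
    if kind == "wep" or tokens <= WEP_ONLY:
        return WEAK
    return BEST if "aes-ccm" in tokens else MID

def audit(config_text):
    """Return (interface, vlan or None, rating) rows for each radio interface."""
    radios, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            name = raw.split(None, 1)[1].strip()
            # Only radio interfaces carry cipher settings; skip wired ones.
            current = radios.setdefault(name, []) if name.startswith("Dot11Radio") else None
        elif raw and not raw[0].isspace():
            current = None            # left the interface block
        elif current is not None:
            m = ENC_RE.match(raw.strip())
            if m:
                current.append((m.group(1), classify(m.group(2), m.group(3))))
    # A radio with no encryption line is reported rather than silently skipped.
    return [(name, vlan, rating)
            for name, rows in radios.items()
            for vlan, rating in (rows or [(None, NONE)])]

if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG):
        print(row)
```
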
These security features protect the data traffic on your wireless LAN: