Cipher Suites and WEP
Configuring Cipher Suites
Cisco 3200 Series Wireless MIC Software Configuration Guide
• AES-CCMP—Based on the Advanced Encryption Standard (AES) defined in the National Institute
  of Standards and Technology’s FIPS Publication 197, AES-CCMP is a symmetric block cipher that
  can encrypt and decrypt data using keys of 128, 192, and 256 bits. AES-CCMP is superior to WEP
  encryption and is defined in the IEEE 802.11i standard.
• WEP (Wired Equivalent Privacy)—WEP is an 802.11 standard encryption algorithm originally
  designed to provide your wireless LAN with the same level of privacy available on a wired LAN.
  However, the basic WEP construction is flawed, and an attacker can compromise the privacy with
  reasonable effort.
• TKIP (Temporal Key Integrity Protocol)—TKIP is a suite of algorithms surrounding WEP that is
  designed to achieve the best possible security on legacy hardware built to run WEP. TKIP adds four
  enhancements to WEP:
  – A per-packet key mixing function to defeat weak-key attacks
  – A new IV sequencing discipline to detect replay attacks
  – A cryptographic Message Integrity Check (MIC), called Michael, to detect forgeries such as bit
    flipping and altering packet source and destination
  – An extension of IV space, to virtually eliminate the need for rekeying
• CKIP (Cisco Key Integrity Protocol)—The Cisco WEP key permutation technique based on an early
  algorithm presented by the IEEE 802.11i security task group. (CKIP and CKIP-CMIC are supported
  only on the 2.4-GHz (802.11b/g) Cisco wireless mobile interface card (WMIC).)
• CMIC (Cisco Message Integrity Check)—Like TKIP, the Cisco message integrity check mechanism
  is designed to detect forgery attacks.
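The IV sequencing discipline and the extended IV space listed for TKIP above can be sketched from the receiver's side as follows. This is an added example, not Cisco code: the ReplayGuard class, its return strings, the per-(transmitter, priority) counter starting at 0, and the rate of 1000 frames per second are assumptions made for illustration, and the sample frames are constructed.

```python
# Added illustration (not Cisco code): receiver-side sequence check in the
# style of TKIP, plus the effect of widening the counter from 24 to 48 bits.
WEP_IV_BITS = 24   # width of the WEP IV
TSC_BITS = 48      # width of the TKIP sequence counter (TSC)


class ReplayGuard:
    """Remembers the highest accepted counter per (transmitter, priority)."""

    def __init__(self):
        self._last = {}  # assumption: counters start at 0, first valid TSC is 1

    def accept(self, transmitter, priority, tsc, mic_ok):
        if not 0 < tsc < (1 << TSC_BITS):
            return "drop:range"
        key = (transmitter, priority)
        if tsc <= self._last.get(key, 0):
            return "drop:replay"      # counter did not increase
        if not mic_ok:
            # A frame that fails the integrity check must not advance the
            # counter, or a forgery could lock out the real sender.
            return "drop:mic"
        self._last[key] = tsc
        return "accept"


def seconds_until_exhausted(bits, frames_per_second):
    """Time until a counter of the given width has used every value once."""
    return (1 << bits) / frames_per_second


# Constructed frames: (transmitter, priority, tsc, mic_ok)
STA = "00:00:5e:00:53:01"
SAMPLE = [
    (STA, 0, 1, True),         # first frame
    (STA, 0, 2, True),         # next in sequence
    (STA, 0, 2, True),         # same counter again: replay
    (STA, 0, 9, False),        # higher counter but bad MIC: forgery
    (STA, 0, 3, True),         # genuine sender is still accepted
    (STA, 5, 1, True),         # other priority keeps its own counter
    (STA, 0, 1 << 48, True),   # outside the 48-bit space
]


def run(frames):
    guard = ReplayGuard()
    return [guard.accept(*frame) for frame in frames]
```

At the assumed rate, a 24-bit counter is used up in under five hours, while a 48-bit counter lasts thousands of years, which is why the wider space removes the practical need to rekey for counter exhaustion.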
Configuring Cipher Suites
These sections describe how to configure cipher suites, WEP and additional WEP features such as MIC
and TKIP:
• Configuring WEP
• Enabling Cipher Suite
Encryption cipher suite and WEP are disabled by default.
Configuring WEP
Configuring WEP with 12.4(3)JK or Later Releases
Cisco 3201 WMICs with 12.4(3)JK or later release move encryption settings from the dot11 interface to
each SSID configuration. The Cisco 3202 WMIC and 3205 WMIC support this feature change starting
with the 12.4(3)JL release.
To configure WEP encryption, follow these steps, beginning in privileged EXEC mode:
        Command                  Purpose
Step 1  configure terminal       Enters global configuration mode.
Step 2  dot11 ssid sample_ssid   Enters SSID configuration.