Wireless Encryption and Integrity

Lesson Contents

In the wireless authentication lesson, you learned that the original 802.11 standard only supported WEP and open authentication. WEP is insecure and shouldn’t be used anymore. In this lesson, we’ll take a look at some of the other algorithms and protocols to encrypt and protect the integrity of wireless traffic.

In the wireless authentication lesson, you learned that the original 802.11 standard only supported WEP and open authentication. WEP is insecure and shouldn't be used anymore. In this lesson, we'll take a look at some of the other algorithms and protocols to encrypt and protect the integrity of wire

TKIP

WEP uses the RC4 algorithm for encryption, which is supported in hardware. Most wireless equipment only supported RC4 and not a more advanced encryption algorithm like AES. We know that WEP is insecure, so to make sure that the older hardware could still use a secure encryption method, IEEE developed the Temporal Key Integrity Protocol (TKIP).

TKIP adds the following security features:

  • MIC: We have an extra message integrity check called Michael, which adds a hash value to each frame. We use this so we can detect if someone made changes to the frame.
  • TKIP sequence counter: This counter provides a record of frames sent by each MAC address. We use this so an attacker can’t perform a replay attack by retransmitting frames.
  • Key mixing algorithm: This algorithm calculates a unique 128-bit WEP key for each frame.
  • A longer initialization vector (IV): The IV size is 48 bits, versus 24 bits for WEP. This makes it much harder to brute force calculate all WEP keys.
  • Timestamp: We add a timestamp to the MIC to prevent replay attacks. A replay attack attempts to retransmit a frame that was previously sent.
  • Sender MAC address: The MIC includes the sender’s MAC address. This is used to prove who the actual sender of the frame is.

TKIP was a temporary solution, while IEEE worked on the 802.11i standard. Nowadays, TKIP also has vulnerabilities, and you shouldn’t use it anymore. TKIP is deprecated in the 802.11-2012 standard.

WPA (version 1) uses TKIP.

CCMP

CCMP stands for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. That’s a mouthful. CCMP consists of two algorithms:

  • AES counter mode encryption
  • CBC-MAC

Advanced Encryption Standard (AES) is a widely used encryption algorithm and the most secure encryption method available at the moment.

The National Institute of Standards and Technology (NIST) has defined five modes of operation for AES (and other FIPS-approved block ciphers).  The five modes are:

  • Electronic Code Book (ECB)
  • Cipher Block Chaining (CBC)
  • Cipher Feedback (CFB)
  • Output Feedback (OFB)
  • Counter (CTR)

Cipher Block Chaining Message Authentication Code (CBC-MAC) is a technique that constructs a message authentication code from a block cipher. The data is encrypted with AES and creates a chain of blocks. Each block depends on the encryption of the previous block.

Before you can use CCMP, your wireless hardware has to support AES and CBC-MAC. You can’t use CCMP on older hardware that only supports WEP or TKIP.

WPA2 uses CCMP, so if you want to know if your hardware supports CCMP, look for the WPA2 symbol. WPA2 has been out since ~2006 so most hardware supports CCMP.

GCMP

802.11ad offers even higher data rates than 802.11ac and requires faster encryption than CCMP can offer. Galois/Counter Mode Protocol (GCMP) can be run in parallel, so it’s more efficient and provides higher performance than CCMP.

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 707 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

454 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!