Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Which security feature encrypts wireless data ?

Among LEAP, MIC and TKIP, which one is responsible for encrypting wireless data ?

I think LEAP only authenticates users; MIC ensure no one alter the packets. TKIP makes it hard to figure out the keys

1. Is wireless data (if someone sniffers each packet) encrypted or clear text ?

2. if Yes, which feature is doing this job ?

thanks !

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Which security feature encrypts wireless data ?

LEAP, as with all EAP types is an authentication protocol.

At the successful conclusion of a LEAP authentication both the WLAN client and the RADIUS server dynamically derive an encryption key (the RADIUS server passes the key to the AP).

Until AES is ratified by the IEEE and inplemented, WEP is still the encryption protocol used on IEEE/WiFi compliant WLANs.

WEP has several well-known cryptographic weaknesses which are fixed by TKIP and MIC.

-- TKIP fixes the WEP implementation of the RC4 algorithm by creating a per-packet key (by hashing the derived key and a per-packet Initialization vector). TKIP provides immunity from the "airsnort" attack amoungst others.

-- MIC provides message integrity Checking and provides a cryptographically strong method of ensuring that the encrypted frame has not been altered between transmission and reception.

As another poster has noted, LEAP *authentication* has proven to be vulnerable to an offline dictionary attack. To mitigate against this it is necessary to be able to enforce a strong windows password policy (one that ensures a >=10 character password with a mix of alphanumeric and special characters etc...)

Detai;ed information of Cisco WLAN security is available at the following URL;

www.cisco.com/go/aironet/security

5 REPLIES
Cisco Employee

Re: Which security feature encrypts wireless data ?

Leap does encryption . At end of leap process , wireless client and AP both independently generate

key based on challange and response they get .That

key is used to encrypt the unicast data . Beauty is

this key is not passed over wireless so no man in middle attack . Also after that Ap will generate broadcast key to encrypt broadcast traffic .

If you sniff wireless leap encrypted data you will not able to read data portion .

I hope this helps

Community Member

Re: Which security feature encrypts wireless data ?

thanks for the answer from ndoshi !

however, from what point, does data start to be encrypted ?

for example, we use NT domain login as LEAP login.

When I type my username & password from the laptop PC, do they get transmitted to AP as

1. clear text

2. or encrypted (by which key ? WEP is not revelant with leap) ?

Community Member

Re: Which security feature encrypts wireless data ?

your username will be passed in clear text. I am not 100% which hashing technique is used for password with LEAP authentication(MS-CHAP,maybe) but it is not sent in clear text. However, make a note this is one of the vulnerabilities of LEAP, Ciso released last year stating that the password was suceptible to dictionary attacks. If you run some type of wired or wireless sniffer you will see the username passed in clear text. After successful login, the data payload will be encrypted.

HTH

Cisco Employee

Re: Which security feature encrypts wireless data ?

LEAP, as with all EAP types is an authentication protocol.

At the successful conclusion of a LEAP authentication both the WLAN client and the RADIUS server dynamically derive an encryption key (the RADIUS server passes the key to the AP).

Until AES is ratified by the IEEE and inplemented, WEP is still the encryption protocol used on IEEE/WiFi compliant WLANs.

WEP has several well-known cryptographic weaknesses which are fixed by TKIP and MIC.

-- TKIP fixes the WEP implementation of the RC4 algorithm by creating a per-packet key (by hashing the derived key and a per-packet Initialization vector). TKIP provides immunity from the "airsnort" attack amoungst others.

-- MIC provides message integrity Checking and provides a cryptographically strong method of ensuring that the encrypted frame has not been altered between transmission and reception.

As another poster has noted, LEAP *authentication* has proven to be vulnerable to an offline dictionary attack. To mitigate against this it is necessary to be able to enforce a strong windows password policy (one that ensures a >=10 character password with a mix of alphanumeric and special characters etc...)

Detai;ed information of Cisco WLAN security is available at the following URL;

www.cisco.com/go/aironet/security

Community Member

Re: Which security feature encrypts wireless data ?

LEAP authenticates users and RADIUS server (mutual authentication) and provides dynamic WEP keys.

You're essentially right on TKIP and MIC

If WEP encryption is enabled, packets going through RF are encrypted by the WEP-key. TKIP provides additional security against cracking the base WEP key and if enabled ensures each packet is encrypted with a different encryption key.

133
Views
0
Helpful
5
Replies
CreatePlease to create content