Understanding Wireless Encryption and Ciphers
Wireless network security relies on a combination of encryption, authentication, and authorization to provide maximum protection for a WLAN. Encryption protects the information within a session: it transforms the data stream so that it is unreadable to anyone outside the network. This topic discusses encryption.
Juniper Networks access points support all three standard types of encryption between access point and client: the legacy Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and WPA2 (also called RSN). The encryption type is configured in WLAN Service profiles under the Security Settings tab. For information about applying encryption, see Creating and Managing a WLAN Service Profile.
Wired Equivalent Privacy (WEP) Was the Original Wireless Encryption
WEP was the original security algorithm for IEEE 802.11 wireless networks, introduced as part of the original 802.11 standard.
WPA Encryption Replaced WEP
WPA addressed the vulnerabilities of WEP, the original, less secure 40-bit or 104-bit encryption scheme in the IEEE 802.11 standard. WPA also provides user authentication—WEP lacks any means of authentication.
WPA replaced WEP with a stronger encryption technology called Temporal Key Integrity Protocol (TKIP) with Message Integrity Check (MIC). It also provides a scheme of mutual authentication using either IEEE 802.1X/Extensible Authentication Protocol (EAP) authentication or pre-shared key (PSK) technology.
You can simultaneously apply both WPA and WPA2 to an SSID. Clients use WPA2 if they have the capability—otherwise the client uses WPA. WPA2 is recommended unless you need to provide access for legacy devices. All 802.11n devices support WPA2.
WPA2 Is the Strongest Encryption Available
WPA2 is the certified version of the full IEEE 802.11i specification. Like WPA, WPA2 supports either IEEE 802.1X/EAP authentication or PSK technology. It also adds a stronger encryption mechanism, the Counter-Mode/CBC-MAC Protocol (CCMP), which is based on the Advanced Encryption Standard (AES).
WPA was based on the 802.11i draft, while WPA2 is based on the final 802.11i standard. WPA encryption was specifically designed to run on existing wireless hardware that supported WEP; WPA2 offers stronger security but is not supported by earlier hardware designed for WEP.
The Wi-Fi Alliance requires that high-throughput (802.11n) transmissions use WPA2 and CCMP. You can simultaneously apply both WPA and WPA2 to an SSID. Clients use WPA2 if they have the capability—otherwise the client uses WPA.
Security Ciphers for WPA and WPA2
Standard security ciphers are part of both WPA and WPA2 encryption. For each WLAN Service profile you choose whether to apply the newer CCMP, TKIP (an upgrade of the original WEP design), or both. Both cipher suites dynamically generate unique session keys for each session and periodically change the keys, reducing the likelihood that an intruder can intercept enough frames to recover a key. The two available ciphers are:
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)—CCMP provides Advanced Encryption Standard (AES) data encryption for WPA and WPA2. To provide message integrity, CCMP also uses the Cipher Block Chaining Message Authentication Code (CBC-MAC).
A radio using WPA/WPA2 with CCMP encrypts traffic only for CCMP clients, not for TKIP clients. The radio disassociates TKIP clients unless you select both CCMP and TKIP.
The Wi-Fi Alliance requires that high-throughput (802.11n) transmissions use WPA2 and CCMP.
Temporal Key Integrity Protocol (TKIP)—TKIP uses the RC4 encryption algorithm, a 128-bit encryption key, a 48-bit initialization vector (IV), and a message integrity code (MIC). A radio using WPA/WPA2 with TKIP encrypts traffic only for TKIP clients, not for CCMP clients. The radio disassociates CCMP clients unless you select both CCMP and TKIP.
TKIP is most useful for upgrading security on devices originally using WEP — it does not address all of the security issues facing WLANs and may not be reliable or efficient enough for sensitive corporate and government data transmission. The 802.11i standard specifies the Advanced Encryption Standard (AES) in addition to TKIP. AES is an additional cipher that provides a higher level of security and is approved for government use.
TKIP is not permitted for 802.11n transmissions. It is supported only for legacy (802.11b, 802.11g, and 802.11a) transmissions, which are limited to a maximum of 54 Mbps.
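The two CCMP building blocks described above, counter-mode AES for confidentiality and AES CBC-MAC for integrity, as an added Go illustration that is not Juniper's code and does not reproduce the exact 802.11i CCM block layout; the Seal and Open functions, the packet-number counter block, and the length-prefixed MAC input are constructed for this example. It shows why a receiver discards a frame whose ciphertext, cleartext header, or packet number has been altered in transit.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"errors"
)

const micLen = 8 // CCMP carries an 8-byte MIC; the CBC-MAC is truncated likewise
// ctrXor is the counter-mode half: the keystream depends on the key and the
// 6-byte packet number, so every frame under one key gets a fresh keystream.
func ctrXor(block cipher.Block, pn, in []byte) []byte {
	ctr := make([]byte, aes.BlockSize) // constructed counter layout, not CCM's exact one
	copy(ctr, pn)
	out := make([]byte, len(in))
	cipher.NewCTR(block, ctr).XORKeyStream(out, in)
	return out
}

// mic is the CBC-MAC half: AES-CBC with a zero IV over the length-prefixed
// packet number, cleartext header and plaintext; only the last block is kept.
func mic(block cipher.Block, pn, header, pt []byte) []byte {
	msg := append([]byte{}, pn...)
	msg = append(append(msg, byte(len(header)>>8), byte(len(header))), header...)
	msg = append(append(msg, byte(len(pt)>>8), byte(len(pt))), pt...)
	padded := make([]byte, (len(msg)+aes.BlockSize-1)/aes.BlockSize*aes.BlockSize)
	copy(padded, msg)
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(padded, padded)
	return padded[len(padded)-aes.BlockSize:][:micLen]
}

// Seal returns ciphertext||MIC; the header is sent in clear but is covered by the MIC.
func Seal(block cipher.Block, pn, header, pt []byte) []byte {
	return append(ctrXor(block, pn, pt), mic(block, pn, header, pt)...)
}

// Open decrypts, then rejects the frame if the ciphertext, header or packet
// number was altered: this check is what gives CCMP its message integrity.
func Open(block cipher.Block, pn, header, sealed []byte) ([]byte, error) {
	if len(sealed) < micLen {
		return nil, errors.New("frame too short")
	}
	ct, got := sealed[:len(sealed)-micLen], sealed[len(sealed)-micLen:]
	pt := ctrXor(block, pn, ct)
	if subtle.ConstantTimeCompare(got, mic(block, pn, header, pt)) != 1 {
		return nil, errors.New("integrity check failed")
	}
	return pt, nil
}
```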
Which Encryption Method Should I Use?
WPA2 is the most secure encryption method available for wireless networks—we recommend using WPA2 with the CCMP cipher whenever possible. WPA2 with CCMP is the only option permitted for high throughput 802.11n transmissions. Eventually, WPA encryption with TKIP will be obsolete as you replace older devices that use only TKIP.
If you need to accommodate legacy devices with an SSID, enable WPA encryption with the TKIP cipher. Keep in mind that the cipher choice has an effect on performance: the AES cipher takes more computing power to run than TKIP does, so older, smaller devices may not support it.
You can create different WLAN Service profiles (SSIDs) for different levels of encryption. This maximizes the use of WPA2 security.
Security always affects performance, so it is really up to you how much bandwidth and processing time you want to devote to it. With newer devices, this is much less of an issue because new devices have plenty of resources for the highest level of security, WPA2 with CCMP.