permitted access to a resource. Encryption is the mechanism that is used to protect the data that flows over the actual data pathway. A common example of encryption is Triple Data Encryption Standard (3DES), which is used in many Cisco System wired network environments. Typically, a data connection between two devices is encrypted after the user is authenticated and authorized to use the resource. Current security standards require that both authentication and encryption be used to protect client devices from having their data intercepted and to protect the network from unauthorized clients attempting to access internal data files.

Content 6.2 Introducing Wireless Security 6.2.2 802.11 WEP Figure shows how WLAN security has evolved. When WLAN security was first introduced, devices supported WEP encryption only. This nonscalable solution used static breakable keys that use weak authentication. Responding to customer requests, Cisco enhanced wireless security by introducing Lightweight Extensible Authentication Protocol (LEAP). LEAP is a Cisco proprietary wireless encryption technique that offers dynamic WEP keys and mutual authentication (between a wireless client and a RADIUS server). LEAP allows clients to reauthenticate frequently. LEAP made WLANs more secure, but the encryption was not strong enough. New attacks proved that improvements were required. An interim solution called Wi-Fi Protected Access (WPA) provides standardized improved encryption and stronger user-based authentication (Protected EAP [PEAP], Extensible Authentication Protocol [EAP], and EAP-Flexible Authentication via Fast Tunneling [FAST]). The interim solution WPA evolved into WPA2, which provides stronger encryption through Advanced Encryption Standard (AES). WPA2 includes 802.1x authentication as well as dynamic key management. WPA2 additionally includes a wireless intrusion detection system (IDS), which identifies and protects against attacks, including DoS attacks. Cisco delivers intrusion prevention system (IPS) capability for Cisco access points to serve as sensors that provide rich RF data to an IPS server. WEP
While the bulk of this lesson focuses on LEAP and WPA2, it is worthwhile to begin with a review of WEP:

The 802.11 standard defines a type of security in which 64-bit WEP specifies a shared secret key to encrypt and decrypt the data. Originally, WEP used a 40-bit key, which is concatenated with a 24-bit Initialization Vector (IV) to form the RC4 traffic key. U.S. Government export restrictions on cryptographic technology initially limited the key size. Once the government lifted the key size restrictions, most major manufacturers implemented an extended 128-bit WEP protocol using a 104-bit key size. Cisco Aironet 128-bit devices support both 40-bit and 128-bit encryption. Once the WEP key is revealed, a hacker may transform the cipher text into its original form and understand the meaning of the data. Based on the understanding of the algorithm, a hacker may use the cracked WEP key to modify the cipher text and forward the changed message to the receiver.
WEP uses a wireless client and access point sharing static WEP keys. This key is checked during the authentication process. If the client WEP key does not match the access point WEP key, the client is not allowed to associate and is unable to connect to the network. Unfortunately, there are no mechanisms to renew the stored WEP key.
WEP uses the RC4 algorithm, a stream cipher with known vulnerabilities. Both the encrypting and decrypting endpoints must share the key. Neither key distribution nor key negotiation is mentioned in the standard. Note that WEP keys can be referenced as 40- or 64-bit and 104- or 128-bit, depending on whether the IV of 24 bits is included.

Cisco Aironet security features overcome some of these weaknesses using a more secure key derivation technique and by assigning dynamic WEP keys:

Secure key derivation: Using the original shared secret secure key derivation is used to construct responses to the mutual challenges. It undergoes irreversible one-way hashes that make password-replay attacks impossible. The hash values sent over the wire are useful for one-time use only at the start of the authentication process, and therefore, never after.
Dynamic WEP keys: Using Cisco Aironet security features means that each wireless client can be granted a new, dynamic WEP key each time the client accesses the network. Because these keys are dynamic and session-based, an intruder cannot learn the system WEP keys and then use them to access the WLAN. WEP keys that are administered in this fashion are referred to as session keys. Each user has a unique WEP key. The access point has all the WEP keys for each associated client, allowing the access point to communicate with each client. Other users who receive information are unable to decrypt the information.

Figure lists key points that concern 802.11 WEP.

Content 6.2 Introducing Wireless Security 6.2.3 WLAN Authentication The 802.11 standard defines two types of authentication: open and shared key. This topic examines both of these types and the process that the client undergoes during the authentication and association process. 802.11 Open Authentication
The open authentication method shown in Figure allows authorization and associations with or without a WEP key. If the client does not use a WEP key, the client undergoes the normal authentication without any kind of key or password, followed by association with the access point. The user is then granted access to the network. This method is the standard method for public hot spot areas that offer Internet access. If a WEP key is used, the client goes through the normal authentication and association process. When the client is associated and data transmission begins, a client using a WEP key encrypts the data. If the WEP key on the access point does not match, then the access point is unable to decrypt the data, so it is impossible to send the data via the WLAN. Note that the header is not encrypted; only the payload (or data) is encrypted. 802.11 Shared Key Authentication
The example shown in Figure shows the wireless client using shared key authentication to attempt to associate with an access point. Steps 1 through 3 are the same as those for the open authentication process shown in Figure . There are three more steps as follows: Step 4 Access point A sends an authentication response. The access point sends the authentication response that contains challenge text to the client. This packet is unencrypted. Step 5 The client then uses the text from the authentication response to form another authentication packet, which is encrypted using one of the client WEP keys, and sends this as a response to the access point. Step 6 Access point A then compares the encrypted challenge text against the access point copy of the encrypted challenge text. If the encrypted text is the same, then the access point allows the client on the WLAN. Shared key authentication is considered less secure than open authentication because of the challenge text packet. Because this packet is sent unencrypted and then returned as an encrypted packet, it may be possible to capture both packets and determine the stream cipher.

Content 6.2 Introducing Wireless Security 6.2.4 Cisco Enhanced 802.11 WEP Security Starting in 2001 and continuing into 2002, Cisco introduced a prestandard form of enhanced 802.11 security that incorporates two elements to improve standard or basic 802.11 security. Improved authentication and encryption enhance security to check user credentials before granting access and increase the security integrity of the user session after association to the network. Encryption for 802.11 is enhanced with multiple mechanisms to aid in protecting the system from malicious exploits against the WEP key as well as to protect the investment in the system by facilitating encryption