Cisco Cisco Aironet 1200 Access Point 브로셔

Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.

Page 12 of 15

AES is a block cipher which is a type of symmetric key cipher that uses the same key for both encryption and decryption and uses groups of bits of

a fixed length—called blocks. Unlike WEP which uses a key stream acting across a plaintext data input stream for encryption, AES encrypts bits in

blocks of plaintext that are independently calculated. The AES standard specifies an AES block size of 128 bits with three possible key lengths 128,

192 and 256 bits. A 128 bit key length is used for WPA2/802.11i. One round of WPA2/802.11i AES encryption is made up of four stages. With

WPA2/802.11i, each round is iterated 10 times.

To provide both data confidentiality and authenticity, a new mode of construction called Counter-Mode/CBC-Mac (CCM) is used with AES. CCM

employs AES in Counter mode (CTR) to achieve data confidentiality and AES using Cipher Block Chaining Message Authentication Code (CBC-

MAC) to provide data integrity. This type of construction, one that uses one key for two modes (CTR and CBC-MAC) is a “new” construction that

has been accepted by NIST (Special Publication 800-38C) and the standard community (IETF RFC-3610).

A 48-bit IV is used for CCM. Like TKIP, AES does not use the IV in the same manner as WEP encryption methods. With CCM, the IV is used as an

input to the encryption and decryption processes to mitigate replay attacks. Also, since the IV space is expanded to 48 bits, the time required to incur

an IV collision is increased exponentially—providing greater data protection.

It is recommended that AES encryption (and decryption) be performed in hardware because of the computationally intensive nature of AES.

Cisco wireless products perform AES encryption in hardware. Performing AES encryption in software for multiple clients simultaneously requires

horsepower, such as that offered by a 2.5-GHz Pentium processor laptop for example. If an access point performed AES encryption/decryption in

software while serving numerous associated clients, the access point likely would incur performance degradation, especially if that access point

lacked a powerful processor and a large amount of RAM and ROM.

WPA and WPA2 Deployment

Cisco recommends that customers use WPA2 for client devices that support WPA2. Although WPA is still considered secure and TKIP has not been

broken, Cisco recommends that customers’ transition to WPA2 as soon as they can. Because WPA2 requires configuration changes to both access

points and client devices, the introduction of WPA2 should be planned and large sets of client devices and access points should be transitioned at

the same time to minimize network disruption. One opportunity for a transition to WPA2 is when a wireless network is introduced, upgraded, or

expanded.

To make the transition to WPA and WPA2 easier, Cisco Aironet autonomous access points support both WPA Migration Mode and WPA2 Mixed

Mode. WPA Migration Mode is an autonomous access point setting defined by Cisco that enables both WPA and non-WPA clients to associate to an

access point using the same SSID. WPA Migration Mode should only be used as a temporary transition mode since it supports the authentication of

WEP clients and is therefore potentially insecure. WPA2 Mixed Mode operation permits the coexistence of WPA and WPA2 clients on a common

SSID. WPA2 Mixed Mode is a Wi-Fi Certified feature. WPA2 Mixed Mode is considered secure since it uses both TKIP and AES for encryption.

Specialized WLAN client devices may not be able to run AES and may not be upgradable to AES (and WPA2). Therefore, Cisco recommends that

enterprise organizations continue to use and deploy WPA for these devices as applicable. All networks should run WPA as a minimum.

Read the

Wi-Fi Protected Access, WPA2 and IEEE 802.11i Q&A

for more information.