4-12
Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 4 Cisco Unified Wireless Network Architecture—Base Security Features
Encryption
Figure 4-7 WPA TKIP
The two primary functions of TKIP are the generation of a per-packet key used for RC4 encryption of the
MAC service data unit (MSDU), and a message integrity check (MIC) carried inside the encrypted packet. The
per-packet key is a hash of the transmit address, the frame initialization vector (IV), and the
encryption key. The IV changes with each frame transmission, so the key used for RC4 encryption is
unique for each frame. The MIC is generated using the Michael algorithm to combine a MIC key with
the user data. The use of the Michael algorithm is a trade-off: its low computational
overhead is good for performance, but it can be susceptible to an active attack. To address this, WPA
includes countermeasures against these attacks that temporarily disconnect the
WLAN client and refuse any new key negotiation for 60 seconds. Unfortunately, this behavior can
itself become a type of DoS attack, since an attacker who can trigger MIC failures can trigger the disconnect. Many WLAN implementations provide an option to disable this
countermeasure feature.
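The following is an added worked example, not code from the Cisco design guide, illustrating the two TKIP elements the paragraph and Figure 4-7 describe: the Michael MIC computed over the MSDU before encryption, and the countermeasure state the text mentions (a second MIC failure within 60 seconds drops the clients and blocks key negotiation for 60 seconds). The Michael function follows the IEEE 802.11 definition (8-byte key, 64-bit tag, 0x5a padding) and is checked against the standard's all-zero-key test vector; the names `michael`, `tkip_mic` and `TkipCountermeasures` and the injectable clock are this example's own conventions. The RC4 and key-mixing stages of the figure are not reproduced here.

```python
# Added example: Michael MIC (IEEE 802.11 TKIP) and the 60-second
# MIC-failure countermeasure timer described in the text. Not Cisco code.
import time

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x):
    # Swap the two bytes within each 16-bit half of the word.
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _block(l, r):
    # One Michael block function round on the (l, r) word pair.
    r ^= _rotl(l, 17); l = (l + r) & MASK32
    r ^= _xswap(l);    l = (l + r) & MASK32
    r ^= _rotl(l, 3);  l = (l + r) & MASK32
    r ^= _rotr(l, 2);  l = (l + r) & MASK32
    return l, r


def michael(key: bytes, msg: bytes) -> bytes:
    """64-bit Michael MIC of msg under an 8-byte MIC key."""
    if len(key) != 8:
        raise ValueError("Michael key must be 8 bytes")
    l = int.from_bytes(key[0:4], "little")
    r = int.from_bytes(key[4:8], "little")
    # Padding: a single 0x5a byte, then 4 to 7 zero bytes so the
    # padded message is a whole number of 32-bit words.
    padded = msg + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * ((-len(padded)) % 4)
    for i in range(0, len(padded), 4):
        l ^= int.from_bytes(padded[i:i + 4], "little")
        l, r = _block(l, r)
    return l.to_bytes(4, "little") + r.to_bytes(4, "little")


def tkip_mic(mic_key: bytes, da: bytes, sa: bytes, priority: int, msdu: bytes) -> bytes:
    """MIC as TKIP computes it: over DA, SA, the priority byte, three
    reserved zero bytes and the MSDU payload (the "Michael" box in Figure 4-7)."""
    header = da + sa + bytes([priority & 0x0F, 0, 0, 0])
    return michael(mic_key, header + msdu)


class TkipCountermeasures:
    """Tracks MIC failures on a BSS. A second failure within WINDOW seconds
    triggers the countermeasures: clients are dropped and rekeying is
    refused for WINDOW seconds. The clock is injectable for testing."""
    WINDOW = 60.0

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.last_failure = None
        self.blocked_until = 0.0

    def report_mic_failure(self) -> bool:
        """Record a MIC failure; return True when countermeasures start."""
        now = self.clock()
        if self.last_failure is not None and now - self.last_failure < self.WINDOW:
            self.blocked_until = now + self.WINDOW
            self.last_failure = None
            return True
        self.last_failure = now
        return False

    def rekey_allowed(self) -> bool:
        return self.clock() >= self.blocked_until


if __name__ == "__main__":
    # Constructed sample frame fields (not real traffic).
    mic_key = bytes.fromhex("0011223344556677")
    da, sa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    print(tkip_mic(mic_key, da, sa, 0, b"hello").hex())
```

When verifying a received frame, compare the recomputed MIC with the received one using `hmac.compare_digest` rather than `==`, and note from the countermeasure class why the text calls this behaviour a DoS vector: two forged frames that fail the MIC inside one window are enough to take the BSS offline for a minute.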
AES Encryption
shows the basic AES counter mode/CBC MAC Protocol (CCMP) flow chart. CCMP is one
of the AES encryption modes, where the counter mode provides confidentiality and CBC MAC provides
message integrity.
Figure 4-7 WPA TKIP (flow chart, image not reproduced). Inputs: Temporal encryption key, Transmit address, TSC, MSDU, MIC key. Stages: Key mixing, Michael, Fragmentation, CRC-32, RC4, XOR. Intermediate values: MSDU + MIC, WEP seed, MPDU, ICV, Keystream. Packet to transmit: MAC header, IV, KID, EIV, Ciphertext.