CWSP Chapter 3 – Encryption Ciphers and Methods

Phew this is quite a meaty topic and I’m curious to see how much depth the exam goes into on these, particularly with legacy encryption methods. That said, there are some important fundamentals that will certainly come up so this review will cover what I think will be the “must knows” for the exam. Encryption is required because the wireless medium has no boundaries and anyone with a sensitive antenna can “listen” in on conversations without ever entering the building. This means conversations need to not only be secure during their time in the air between endpoints but also, if possible, secure against offline dictionary attacks.

Symmetric and Asymmetric Algorithms

In simple terms symmetric algorithms involves both end points sharing a common key at each end whereas asymmetric algorithms use different keys at each end. Examples of symmetric algorithms are WEP, TKIP and CCMP and an example of an asymmetric algorithm is using certificates with public/private keys.

A notable drawback of symmetric algorithms is that some sort of communication must take place prior to the securing of the traffic and that is the vulnerable point. Asymmetric algorithms require more overhead both on the processing side but also with actual deployment of the public keys used for encryption.

Stream and Block Ciphers

Stream ciphers are a symmetric method where the data to be passed is combined with a cipher bit stream called a keystreamAn example of this is WEP using a shared key to encrypt traffic which is then combined with the RC4 cipher which generates a keystream to further encrypt the payload of varying size. In comparison, block cipher always encrypts a particular size of data e.g. 64-bit, 128-bit etc.

RC4 – Stream cipher first used with WEP. Spawned ARC4 which is the same but not trademarked.
RC5 – Block cipher. 0-2040 bit key size with 32, 64 or 128 bit block size.
DES – Data Encryption Standard – Symmetric block cipher – 64-bit key size with 8 bit parity check.
3DES – Triple DES – Improvement on DES. Symmetric block cipher which essentially keys the data 3 times using separate keys. 64-bit key size with 8 bit parity check.
AES – Advanced Encryption Standard – Most common in use. Adopted by US Government. Symmetric block cipher with key sizes of 128, 192, 256 bits.

WLAN Encryption Methods

I’ve talked about ciphers but how is the traffic secured specifically at Layer 2? This is important to note as data in the higher layers (3-7) will be encrypted by these methods.

Not all frames are protected however as that would cause unnecessary overhead. 802.11 Control Frames (acknowledgements, CTS frames etc) aren’t encrypted and nor are Management Frames (authentication frames, probe requests etc).

WEP – Wired Equivalent Privacy

Uses ARC4 streaming cipher with 64-bit or 128-bit WEP.
WEP Encrytpion adds 8 bytes of overhead to an 802.11 MPDU

IV – Initialization Vector – Randomly generated and combined with static WEP key
CRC – Cyclic Redundancy Check – Used to ensure data integrity along with the ICV
ICV – Integrity Check Value – Appended to the end of the data

TKIP – Temporal Key Integrity Protocol

Designed to replace WEP after it was broken.
Allowed devices to be upgraded via firmware without requiring new hardware.
Put in place as a temporary measure until something better could be designed.
Wi-Fi Alliance defines TKIP in their WPA certification (don’t confuse with WPA2).
Still uses ARC4 streaming cipher.

Temporal keys – Dynamically generated keys instead of static keys.
Sequencing – per-MPDU TKIP sequence counter (TSC) to sequence the data.
Key Mixing – Improved process to prevent key-attacks.
Enhanced Data Integrity – Uses the MIC (Message Integrity Code/Check) to ensure integrity.
Logging – MIC failure events are logged.
60 Second shutdown – If two MIC failure occur within 60 seconds the client of AP will disable all TKIP transmissions for 60 seconds. Used to prevent DOS attacks.

CCMP – Counter Mode with Cipher-Block Chaining Message Authentication Code Protocol

Is part of the 802.11i security standard.
Is mandatory for Robust Security Network (RSN) compliance. (IMPORTANT).
CCMP must be used with the Wi-Fi Alliance’s WPA2 Certification. TKIP is optional with this certification.

CTR – CounterMode  – Referred to as – Used to provide data confidentiality.
CBC – Cipher-Block Chaining – Used for authentication and integrity.
CBC-MAC – Cipher-Block Chaining Message Authentication Code – As above.
Temporal Keys – As with TKIP – Dynamically generated keys.
Packet Number – Sequencing of frames.
Nonce – Random numerical value generated once. Not the same as nonces used within 4-way handshake.
802.11 data frame (MPDU) – Encapsulates MSDU and protects it through the MIC (Message Integrity Check.
AAD – Additional Authentication Data – Used for data integrity.


As mentioned earlier, the Wi-Fi Alliance introduced the WPA certification with TKIP as a requirement.
For WPA-Enterprise 802.1X/EAP was required.
The WPA2 certification was then release with the ratification of the  802.11i security ammendment.
This requires AES/CCMP to be used and TKIP is an additional option.
On a random note – using CCMP and TKIP together can slow down your network. It is best to use CCMP only where possible unless there are specific client requirements.







Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s