cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
95108
Views
64
Helpful
34
Replies

WPA and WPA2 - both using TKIP and AES??

dazza_johnson
Level 5
Level 5

Hi all. My understanding is the following;

TKIP + 802.1x                =            WPA(1)

CCMP(AES) + 802.1x     =             WPA2

However, I notice on the Cisco WLCs that you can configure;

WPA with TKIP and/or AES (by default TKIP is enabled)

WPA2 with TKIP and/or AES (by default AES is enabled)

My questions;

  1. Why would you use WPA2 with TKIP *AND* AES?
  2. What would you use WPA and WPA2 with both using TKIP *AND* AES?

Thanks in advance for the clarifications

Darren

34 Replies 34

Also, many devices don't like when you have both WPA-TKIP and WPA2-AES configured in a WLAN. 

Like iDevices.

One thing that I found about IE:

on WLC CLI when I want to see the WLAN configuratin (show wlan ), I can see the following:

   802.1X........................................ Disabled

   Wi-Fi Protected Access (WPA/WPA2)............. Enabled

      WPA (SSN IE)............................... Enabled

         TKIP Cipher............................. Enabled

         AES Cipher.............................. Disabled

      WPA2 (RSN IE).............................. Disabled

Cisco writes explicitly that with WPA the SSN is used. while RSN is used with WPA2 with either AES or TKIP.

Rating useful replies is more useful than saying "Thank you"

Scott Fella
Hall of Fame
Hall of Fame

Here is a good read

https://learningnetwork.cisco.com/thread/4143

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hi all. I have re-read the comments in the post and looked at the links provided - all of which have been very useful. We know that the packet structure of WPA differs to WPA2 with the RSN information element.

I have also done private research on this using Cisco books and the internet. I have deduced a conslusion. I have not read anything that explicitly backs up my theory, but it make sense to me

I'd be very interested to hear your comments guys. TKIP translates to WPA(1) and CCMP translates to WPA2 for the purpose of this post.

TKIP itself (put to one side PSK and 802.1x for simplicitly) is a method of creating a 'secure' WEP seed. I think most of us will agree with this. In addition, it offers more security features - a hash, etc. So, TKIP has a mechanism to create a secure WEP seed AND has a new packet format. What do we do with this WEP seed? By default, the secure WEP seed is fed into the RC4 algorithm to generate the encryption key which is used to encrypt the user data. This encrypted data is then inserted into the TKIP packet.

BUT, if the AES algorithm was selected then I believe that the secure WEP seed would be fed into the AES algorithm to generate the key which is used to encrypt the user data. In other words, with TKIP the actual encryption can be either RC4 (the default) or AES - hence the options available on the controller......

Similarly, CCMP is the overall framework with its own frame format. The encryption algorithm that you decide to use is up to you - either AES or RC4. Obviously, the way the encryption key is generated follows the CCMP protocol, but once you have this key I believe you can then use AES or RC4 to actually create the cipher text (encrypted data) and insert this into the CCMP packet.

If my theory above is correct, I believe the WLAN controller GUI is not accurate. It should be as per the attached screenshot;

I'm tempted to open a TAC case on this for the official low-down.....

dazza,

Try to look at it also from other vendors. Most, if not all, specify WPATkip or WPA2AES. I don't think personally there is anything wrong, it just the way it has been for a long time:) Here is a thread with Eric N from TAC, explaining the difference between wpa and wpa2.

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***

Hi Scott. When the other vendors specify WPA/TKIP and WPA2/AES - is that simply because they only support the defaults (WPA with RC4 and WPA2 with AES)??? Maybe they don't support WPA with AES for example, or WPA2 with RC4 like Cisco do.....??

Well the thing is, there are vendors like Microsoft and some handheld devices that give you all the options. Now most of the time it's the OS that allows you to specify it but who know want the actual wireless card can do. I understand what you are saying, but just imagine if they were to change that... Soooo many people should get confused:). At least you have an understand of both.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Little confused by the term "WEP seed". But its funny you mention this becuase I would tend to agree with you, on a few items.

Lets get back to basics.

WPA and WPA2 as far as a process are identical. 802.11-2007 standard tells us that WPA2 should use AES or TKIP. Both are consider RSN. Although, most sniffers will not show RSN element when TKIP is used.

WIFI Alliance implemented WPA TKIP, because wep was broken, hence why you see WPA in devices today. At that time devices (chips) couldnt handle AES.

TKIP and CCMP are both protocols that encrypt data. The algorithm they use are TKIP(RC4) and CCMP(AES).  RC4 is a stream and AES is a block.

Folks normally dont get this deep. Are you studing for something ?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hi George. The 'WEP Seed' is used in the Cisco book I'm using that talks about TKIP. In WEP the WEP seed was created using the IV(24-bit)+WEP key(40-bit or 104-bit), that was then fed into RC4 to generate the encryption key. In TKIP, a much more convulated process is used to generate the resultant 128-bit WEP Seed, which is then fed into the RC4 process....

I agree with the back to basics sentences you write. I'm just trying to get a handle on how AES fits in with WPA and TKIP with WPA2...... If using WPA with AES and WPA2 with AES what is the difference? Packet structure? Generation of the encryption key?

I'm really interested in Cisco wireless security, hence why I am being so anal about this query. I have opened a TAC case because a customer enquired about this recently... I will let you know the result!

What book are you reading the 802.11 Wireless Security book from 2004?

I agree with the back to basics sentences you write. I'm just trying to get a handle on how AES fits in with WPA and TKIP with WPA2...... If using WPA with AES and WPA2 with AES what is the difference? Packet structure? Generation of the encryption key?


WPA and WPA 2 are identical for all intensive purposes. No one has or could point out to me the difference.

Standard (which means what vendors should follow, but sometimes doesnt) states WPA2 AES, but TKIP (optinal). Both are RSN.

Let me further add, why is AES and TKIP RSN ? It becuase they share mutal authentication (4 way handshake)

You ever read the CWSP ?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

BTW ---

I do the same. If I read something and it doesnt make sense and we have smartnet --- TAC CASE ..

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

George Stefanick wrote:

WPA and WPA2 as far as a process are identical. 802.11-2007 standard tells us that WPA2 should use AES or TKIP. Both are consider RSN. Although, most sniffers will not show RSN element when TKIP is used.

Geroge:

When using WPA2-TKIP the RSN element is there:

When using WPA with either AES or TKIP there is no RSN IE appears.

Rating useful replies is more useful than saying "Thank you"

George Stefanick
VIP Alumni
VIP Alumni

Amajd

How are ya buddy? My mention is that not all sniffers will state that. I looks like the one you are using does.

Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hey George, I am doing great. what about you?

I got your idea. thanks for explanation.

BTW, I sent you a private message two days ago, have you seen it?

Rating useful replies is more useful than saying "Thank you"

Amjad -- Sorry I didnt see your post till now. I responded ...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
Review Cisco Networking for a $25 gift card