Thursday, November 27, 2025

Securing Wireless Networks — Full Definitions & Explanations

 



📌 1. Core Terms

WEP — Wired Equivalent Privacy (⚠️ Broken & obsolete)

  • Original 802.11 security method.

  • Used RC4, a weak stream cipher.

  • Key sizes: 40-bit and 104-bit.

  • Vulnerabilities:

    • IV reuse → keys crackable within minutes.

    • No strong integrity check.

  • Never used today; appears on CCNA exams only as historical background.


PSK — Pre-Shared Key (WPA/WPA2/WPA3-Personal)

  • Authentication mode using a shared passphrase.

  • Used in home / small business networks.

  • Key becomes a Pairwise Master Key (PMK).

  • Vulnerability:

    • Anyone with the PSK can decrypt other users’ traffic (WPA2).

  • WPA3 fixes this with SAE.


TKIP — Temporal Key Integrity Protocol (WPA1 only)

  • Introduced as a quick fix for WEP.

  • Still uses RC4, but:

    • Per-packet key mixing.

    • Sequence counter to prevent replay.

    • MIC ("Michael") added.

  • Allowed old WEP hardware to upgrade to WPA.

  • Considered deprecated.


MIC — Message Integrity Code (in TKIP)

  • Also called “Michael.”

  • Prevents packet tampering.

  • Still weak by modern standards.

  • Required in WPA/TKIP networks.


AES — Advanced Encryption Standard

  • Industry-standard encryption used across WPA2/3.

  • Strong 128-bit block cipher.

  • Used with:

    • CCMP (WPA2)

    • GCMP (WPA3 / 802.11ac)


📡 2. EAP (Extensible Authentication Protocol) & Frameworks



EAP — Extensible Authentication Protocol

  • A framework for authentication, not a single method.

  • Commonly used with 802.1X (Enterprise Wi-Fi).

  • Allows:

    • certificates (EAP-TLS)

    • usernames/passwords (PEAP)

    • tunneled credentials (FAST)

  • APs don’t authenticate users — the RADIUS server does.


EAP-FAST — Flexible Authentication via Secure Tunneling

  • Cisco-developed replacement for LEAP.

  • Uses a PAC (Protected Access Credential) instead of certificates.

  • Designed to avoid tunnel vulnerabilities in PEAP/LEAP.

  • Good for environments where PKI is hard to deploy.


EAP-TLS — EAP Transport Layer Security (🔒 Strongest method)

  • Uses client + server certificates.

  • Provides:

    • Mutual authentication.

    • Strong encryption.

    • No passwords to steal.

  • Considered the gold standard for Enterprise Wi-Fi (WPA2-Enterprise, WPA3-Enterprise).


LEAP — Lightweight EAP (⚠️ Insecure/obsolete)

  • Cisco proprietary.

  • Used MS-CHAPv2 for authentication → broken.

  • No longer used; replaced by EAP-FAST and modern methods.


PEAP — Protected EAP

  • Uses a TLS tunnel first.

  • Credentials (username/password) exchanged inside the tunnel.

  • Supported everywhere.

  • Used by:

    • Windows NPS

    • Microsoft RADIUS servers

  • More secure than LEAP, weaker than certificate-based EAP-TLS.


🛡️ 3. WPA Generations (Wi-Fi Alliance)

WPA (Wi-Fi Protected Access — 2003)

  • Quick replacement for WEP.

  • Security components:

    • TKIP

    • MIC

    • 802.1X (Enterprise) or PSK (Personal)

  • Now deprecated.


WPA2 (2004–2018)

  • Uses AES with CCMP as the security standard.

  • Still most common today.

  • Modes:

    • WPA2-Personal (PSK)

    • WPA2-Enterprise (802.1X/EAP)


WPA3 (2018–present)

  • Current generation.

  • Enhancements:

    • SAE replaces PSK → stronger Personal mode.

    • Mandatory Protected Management Frames (PMF).

    • Enterprise mode supports 192-bit security suite (GCMP-256).

  • Best protection against offline dictionary attacks.


🔐 4. Cipher Suites

CCMP — Counter Mode with Cipher Block Chaining Message Authentication Code Protocol

  • Encryption component used with AES.

  • Security provided:

    • Confidentiality → AES-128

    • Integrity → CBC-MAC

    • Replay protection

  • The standard encryption method for WPA2.


GCMP — Galois/Counter Mode Protocol

  • Newer, more efficient cipher used in:

    • 802.11ac Wave 2

    • WPA3-Enterprise (192-bit version)

  • Security provided:

    • Confidentiality → AES-GCM

    • Integrity → Galois Message Authentication Code.

  • Faster and more efficient than CCMP.


📌 One-Sentence Summary Table

| Term | Meaning | Modern Status |
|---|---|---|
| WEP | Original security (RC4) | ❌ Broken |
| PSK | Shared password method | ✔️ Used (WPA2/WPA3-Personal) |
| TKIP | WPA1 encryption fix | ❌ Deprecated |
| MIC/Michael | TKIP integrity check | ❌ Weak |
| AES | Encryption algorithm | ✔️ Current standard |
| EAP | Authentication framework | ✔️ Core of Enterprise Wi-Fi |
| EAP-FAST | Cisco PAC-based EAP | ✔️ Legacy but acceptable |
| EAP-TLS | Cert-based EAP (strongest) | ✔️ Best practice |
| LEAP | Cisco MS-CHAPv2 EAP | ❌ Broken |
| PEAP | TLS tunnel + password auth | ✔️ Common |
| WPA | TKIP-based | ❌ Deprecated |
| WPA2 | CCMP/AES | ✔️ Still widely used |
| WPA3 | SAE + PMF | ✔️ Latest |
| CCMP | AES-based WPA2 cipher | ✔️ Standard |
| GCMP | Faster AES-GCM cipher | ✔️ WPA3/Enterprise modern |
