Technical data

120 Meru System Director Configuration Guide © 2012 Meru Networks, Inc.
Encryption Support
WLANs because the walls containing the network do not necessarily bind radio waves. WEP seeks to establish protection similar to that offered by the wired network's physical security measures by encrypting data transmitted over the WLAN. Data encryption protects the vulnerable wireless link between clients and access points. Once this measure has been taken, other typical LAN security mechanisms such as authentication, password protection, and end-to-end encryption, can be put in place to protect privacy.
With the WEP protocol, all access points and client radio NICs on a particular wireless LAN must use the same encryption key. Each sending station encrypts the body of each frame with a WEP key before transmission, and the receiving station decrypts it using an identical key. This process reduces the risk of someone passively monitoring the transmission and gaining access to the information contained within the frames.
The WEP implementation allows the Security Profile configuration to specify one of four possible WEP keys that can be configured by a user station key management program.
To configure WEP, see the section Configure 802.11 WEP Encryption.
Operation of the WEP Protocol
If a user activates WEP, the NIC encrypts the payload, which consists of the frame body and cyclic redundancy check (CRC), of each 802.11 frame before transmission using an RC4 stream cipher provided by RSA Security. The receiving station, such as an access point or another radio NIC, performs decryption when it receives the frame. As a result, 802.11 WEP only encrypts data between 802.11 stations. Once the frame enters the wired side of the network, such as between access points, WEP no longer applies.
As part of the encryption process, WEP prepares a key schedule (“seed”) by concatenating the shared secret key supplied by the user of the sending station with a randomly-generated 24-bit initialization vector (IV). The IV lengthens the life of the secret key because the station can change the IV for each frame transmission. WEP inputs the resulting “seed” into a pseudo-random number generator that produces a key stream equal to the length of the frame's payload plus a 32-bit integrity check value (ICV).
The ICV is a checksum that the receiving station later recalculates and compares to the one sent by the sending station to determine whether the transmitted data underwent any form of tampering while in transit. In the case of a mismatch, the receiving station can reject the frame or flag the user for potential security violations.
With WEP, the sending and receiving stations use the same key for encryption and decryption. WEP specifies a shared 40- or 104-bit key to encrypt and decrypt data (once the 24-bit IV is added in, this matches System Director’s 64- or 128-bit WEP specification, respectively). Each radio NIC and access point, therefore, must be manually configured with the same key.
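The following Python model ties together the steps described above: the 24-bit IV is prepended to the 40- or 104-bit shared key to form the RC4 seed, the key stream covers the payload plus the 32-bit CRC ICV, and the receiver (holding the same key in one of four key slots) recomputes the ICV and rejects the frame on a mismatch. It is an added illustration, not code from this guide or from Meru System Director; the frame layout (3-byte IV followed by a byte whose top two bits carry the key ID), the function names, and the sample keys and payloads are constructed for the example.

```python
"""Model of WEP frame-body encryption and ICV checking (added example, not Meru code)."""
import os
import struct
import zlib
from typing import Optional, Sequence

IV_LEN = 3            # 24-bit initialization vector
ICV_LEN = 4           # 32-bit integrity check value (CRC-32)
KEY_LENGTHS = (5, 13)  # 40-bit or 104-bit shared key (64/128-bit once the IV is counted)


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Produce `length` bytes of RC4 key stream from the seed (IV || shared key)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload: bytes) -> bytes:
    """32-bit integrity check value: CRC-32 of the clear payload, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, payload: bytes, key_id: int = 0,
                iv: Optional[bytes] = None) -> bytes:
    """Return IV || key-ID byte || RC4(payload || ICV) for one frame body."""
    if len(shared_key) not in KEY_LENGTHS:
        raise ValueError("WEP key must be 5 bytes (40-bit) or 13 bytes (104-bit)")
    if not 0 <= key_id <= 3:
        raise ValueError("key ID selects one of the four configured keys")
    if iv is None:
        iv = os.urandom(IV_LEN)               # a fresh IV per frame, as the guide describes
    keystream = rc4_keystream(iv + shared_key, len(payload) + ICV_LEN)
    body = bytes(p ^ k for p, k in zip(payload + icv(payload), keystream))
    # constructed header layout: 3-byte IV, then the key ID in the top two bits of byte 4
    return iv + bytes([key_id << 6]) + body


def wep_decrypt(key_table: Sequence[Optional[bytes]], frame: bytes) -> Optional[bytes]:
    """Recover the payload, or return None when the ICV does not match (reject the frame)."""
    if len(frame) < IV_LEN + 1 + ICV_LEN:
        return None
    iv, key_id, body = frame[:IV_LEN], frame[IV_LEN] >> 6, frame[IV_LEN + 1:]
    shared_key = key_table[key_id]
    if shared_key is None:                    # that key slot is not configured here
        return None
    keystream = rc4_keystream(iv + shared_key, len(body))
    clear = bytes(c ^ k for c, k in zip(body, keystream))
    payload, received_icv = clear[:-ICV_LEN], clear[-ICV_LEN:]
    if received_icv != icv(payload):          # mismatch: tampered in transit or wrong key
        return None
    return payload


if __name__ == "__main__":
    keys = [b"\x11" * 5, b"\x01\x02\x03\x04\x05", None, b"k" * 13]  # constructed key table
    frame = wep_encrypt(keys[1], b"hello wlan", key_id=1)
    print(wep_decrypt(keys, frame))
```

Note that the receiver's only integrity signal is the CRC-32 ICV, and that a 24-bit IV gives just 16 million values before a busy station must repeat one with the same key; both properties are why WEP is treated as legacy and WPA2 or WPA3 should be preferred wherever the client population allows.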