User's Guide
TTLS: Tunneled TLS first builds a TLS tunnel between the device (the supplicant) and the 
authentication server, relayed by the AP, before any user credentials are exchanged. The tunnel is 
created with a server certificate only; the client needs no certificate. Once the tunnel exists, the 
supplicant authenticates to the server inside it with CHAP, MSCHAP or another legacy method. The 
credentials can even be sent in clear text (for example PAP) because the tunnel protects them. 
Advantages: easy to manage (one server certificate, no client certificates); strong security, because 
the server is authenticated by its certificate and the user by the inner method (mutual 
authentication); works with legacy CHAP and most other client authentication protocols; the user is 
authenticated, not the device. Disadvantages: not an industry standard, and not universally 
supported by all clients. 
PEAP: Protected EAP uses nearly the same authentication mechanism as TTLS: a TLS tunnel built from 
a server certificate, then an inner authentication inside it. The difference is that the inner method 
must itself be an EAP method (for example EAP-MSCHAPv2). Advantages: see TTLS; on track to become an 
IETF standard. Disadvantages: does not support legacy CHAP procedures inside the tunnel. 
ENCRYPTION 
Encryption requires a cipher and a key. The cipher is the algorithm that transforms clear text 
under control of the key. Two ciphers used in the wireless world are RC4 (the cipher behind Wired 
Equivalent Privacy, WEP) and the Advanced Encryption Standard (AES). The security of a cipher is 
greatly affected by the size of the key and how often it is changed. A cipher is either stream 
based or block based. A stream cipher expands the key into a key stream and XORs it with the clear 
text to produce the encrypted text. A block cipher transforms fixed-size blocks; the simplest way 
to apply it, encrypting each block independently under the same key, is called Electronic Code 
Book (ECB) mode. Since it would be extremely easy to recover traffic if the same key stream were 
NEVER changed (two packets encrypted with the same key stream XOR together to the XOR of their clear 
texts), the concept of a rolling initialization vector (IV) was introduced: the IV is combined with 
the key for each packet so the same clear text is not sent out with the same encryption every 
time. In WEP the IV is relatively small (24 bits), which introduces the issue of IV reuse and 
only slightly prolongs the network's security. A more robust way to apply a block cipher feeds the 
previous encrypted block back into the encryption of the next one, creating a chain of dependent 
blocks referred to as Cipher Block Chaining (CBC). 
WEP: WEP is based on the RC4 stream cipher, which has been around for quite some time. The key 
length is nominally 64, 128 or 152 bits, of which 24 bits are the per-packet IV (leaving a 40, 104 
or 128 bit secret key). Because RC4 simply XORs a key stream with the data and has no feedback 
mechanism like Cipher Block Chaining (CBC), it is not computationally intense. 
AES: AES is a standard designed to replace DES, with a minimum key length of 128 bits (128, 192 
or 256 bits). There are two prevailing schemes (of about 20 proposed modes) for using the AES 
cipher in wireless: Offset Codebook (OCB) and Counter Mode with CBC-MAC (CCM). Both protect 
integrity as well as confidentiality and both are considered extremely secure; CCM was chosen as the 
mandatory scheme for 802.11i. 
Static Default Key Operation: The Access Point and the device each maintain a table of four 
available key slots while using static keys. Each key slot is assigned a number (0-3) and one slot is 
selected as the default transmit key slot. Every encrypted packet carries the key slot number used 
to encrypt the data, so the receiver can select the matching key to decrypt it. This requires each 
station and the Access Point to have identical keys configured in identical slots. The default 
transmit key slot can be different on the device and the AP, allowing the use of a different key 
in each direction of transmission. Static keys carry a security risk: the same key is used for all 
transmissions by all stations, so a large volume of traffic accumulates under one key and long 
term attacks become more practical. Additional protection for static key operation is available 
by configuring a unique key. 
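The following is an added example, not code from this guide or from any vendor's device, that models both the key slot operation described just above and the IV reuse problem described under ENCRYPTION and WEP. It implements RC4 and a WEP-style frame (3-byte IV, a key-id byte carrying the slot number in its top two bits, CRC-32 integrity check value) with the Python standard library only; the station names, key values and frame contents are constructed sample data, and the birthday-bound estimate for IV collisions assumes IVs are chosen uniformly at random. RC4 and WEP are shown only to illustrate the text and must not be used to protect anything real.

```python
"""Toy WEP-style static-key operation: four key slots, slot number in the frame
header, RC4 keystream seeded with IV || key, and what reusing a 24-bit IV leaks.
Added example for illustration; not the guide's or any vendor's code."""
import math
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class WepStation:
    """A station (device or AP) holding four static key slots and a default transmit slot."""

    def __init__(self, keys, default_tx_slot: int):
        if len(keys) != 4 or not 0 <= default_tx_slot <= 3:
            raise ValueError("need exactly four key slots and a slot index 0-3")
        self.keys = list(keys)
        self.default_tx_slot = default_tx_slot

    def protect(self, plaintext: bytes, iv: bytes) -> bytes:
        """Encrypt with our default transmit slot; header = IV (3 bytes) + key-id byte."""
        if len(iv) != 3:
            raise ValueError("WEP IV is 24 bits")
        key = self.keys[self.default_tx_slot]
        icv = zlib.crc32(plaintext).to_bytes(4, "little")      # WEP ICV is CRC-32
        body = plaintext + icv
        keystream = rc4_keystream(iv + key, len(body))          # per-packet key = IV || key
        key_id_byte = self.default_tx_slot << 6                 # slot in bits 6-7, pad in bits 0-5
        return iv + bytes([key_id_byte]) + xor_bytes(body, keystream)

    def unprotect(self, frame: bytes) -> bytes:
        """Decrypt using the slot named in the frame header, not our own default slot."""
        iv, slot = frame[:3], frame[3] >> 6
        key = self.keys[slot]
        body = xor_bytes(frame[4:], rc4_keystream(iv + key, len(frame) - 4))
        plaintext, icv = body[:-4], body[-4:]
        if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
            raise ValueError("ICV mismatch: wrong key in slot %d or corrupted frame" % slot)
        return plaintext


def recover_with_known_plaintext(known_frame: bytes, known_pt: bytes, target_frame: bytes) -> bytes:
    """Two frames under the same IV and key share a keystream: C1 xor C2 = P1 xor P2,
    so a known P1 reveals the first len(P1) bytes of P2 without knowing the key."""
    assert known_frame[:4] == target_frame[:4], "attack needs the same IV and key slot"
    n = len(known_pt)
    return xor_bytes(xor_bytes(known_frame[4:4 + n], target_frame[4:4 + n]), known_pt)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday-bound estimate that at least one IV repeats among `frames` random IVs."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


# Constructed sample configuration: identical keys in identical slots on both sides,
# but a different default transmit slot on each side, as the guide allows.
SHARED_KEYS = [b"\x01\x02\x03\x04\x05", b"\xaa\xbb\xcc\xdd\xee",
               b"\x10\x20\x30\x40\x50", b"\x0f\x0e\x0d\x0c\x0b"]   # four 40-bit keys
AP = WepStation(SHARED_KEYS, default_tx_slot=0)
DEVICE = WepStation(SHARED_KEYS, default_tx_slot=1)


def demo() -> bytes:
    iv = b"\x00\x00\x01"
    uplink = DEVICE.protect(b"GET /inventory", iv)          # sent with slot 1
    assert AP.unprotect(uplink) == b"GET /inventory"        # AP reads slot 1 from the header
    downlink = AP.protect(b"200 OK", b"\x00\x00\x02")       # sent with slot 0
    assert DEVICE.unprotect(downlink) == b"200 OK"
    # Same IV and same slot twice: the keystream repeats and plaintext leaks.
    f1 = DEVICE.protect(b"PING 0000001", iv)
    f2 = DEVICE.protect(b"SECRET-12345", iv)
    leaked = recover_with_known_plaintext(f1, b"PING 0000001", f2)
    print("recovered from IV reuse:", leaked)
    print("P(at least one IV repeat) after 5000 frames: %.2f" % iv_collision_probability(5000))
    return leaked


if __name__ == "__main__":
    demo()
```

The receiver never consults its own default transmit slot when decrypting; it trusts the slot number in the header, which is why the keys must match slot for slot on both sides while the default transmit slots may differ. The last two lines of `demo()` show the two costs of a 24-bit IV: a single reused IV under a static key hands an attacker the XOR of two plaintexts, and with random IVs a repeat is more likely than not after only a few thousand frames.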