Wireless LAN Security Models Summary

  

Security Model: Transitional (only a temporary solution)
Authentication:
  Shared Key – Up to four WEP keys should be rotated between clients
  SSID Beaconing – Turn off if the AP permits, and/or use a cryptic SSID name
  MAC Address Filtering – Pre-approved at the AP, with no guests
Encryption:
  WEP – Even 128-bit WEP has vulnerabilities. 16-character ASCII passphrases generate predictable keys and should be discouraged. Only secure against script kiddies and casual eavesdroppers.
Security Level: Low

Security Model: WPA Personal (ten or fewer devices)
Authentication:
  PSK – Manually entered and used as the starting seed for encryption key generation. Must be entered in both the AP and the client.
Encryption:
  TKIP – Stronger than WEP but uses the same hardware. TKIP has three components: a MIC to prevent forgeries; an IV that is increased from 24 to 48 bits and changed for each packet; and TKIP key mixing, which generates keys that are replaced frequently.
Security Level: Medium

Security Model: WPA2 Personal
Authentication:
  PSK – Keys are automatically changed after a set number of packets.
Encryption:
  AES-CCMP – Superior to TKIP and based on the 802.11i standard. Produces 128-bit blocks with 128 to 256 bits. Its computational intensity strongly suggests hardware processing.
Security Level: Med/High

Security Model: WPA Enterprise
Authentication:
  802.1x – Port-based authentication employing a Supplicant (client), an Authenticator (server isolating client and RADIUS) and an Authentication Server (RADIUS).
Encryption:
  TKIP – Same as WPA2 Personal
Security Level: High/Med

Security Model: WPA2 Enterprise
Authentication:
  802.1x – Same as WPA Enterprise
Encryption:
  AES-CCMP – Same as WPA2 Personal
Security Level: High/High

 

SSID – Service Set Identifier
WPA – Wi-Fi Protected Access
WEP – Wired Equivalent Privacy
PSK – Pre-Shared Key
TKIP – Temporal Key Integrity Protocol
MAC – Media Access Control
MIC – Message Integrity Check
AES – Advanced Encryption Standard
CCMP – Counter Mode CBC-MAC Protocol
RADIUS – Remote Dial-In User Service