Authentication and Encryption

Here you will find answers to Authentication and Encryption Questions

Question 1

What are three primary components that describe TKIP? (Choose three)

A. Broadcast Key Rotation
B. Dynamic WEP
C. Message Integrity Check
D. Per-Packet Key Hashing
E. Symmetric Key Cipher
F. WPA2 Enterprise Mode

 

Answer: A C D

Explanation

TKIP offers three advantages over WEP:

* Per packet keying: Each packet is generated using a unique key so it is much more difficult to get from repetitive data back to the key.
* Message integrity check: (MIC – If the message integrity check does not pass, the message is seen as a forgery. If two forgeries are detected in one second, the radio assumes it is under attack. It deletes its session key, disassociates itself, then forces re-association)
* Broadcast key rotation: Broadcast key is required in 802.1X environments but it is vulnerable to same attacks as static WEP key. By using broadcast key rotation, key is delivered to client encrypted with client’s dynamic key.

Based on Per packet keying & Message integrity check, every packet has a unique encryption key and each packet is digitally signed to validate the source of the sender before decrypting it to make sure the packet is valid and that it’s coming from a trusted source and not being spoofed

Per Packeting Keying

 

Integrity Check

Question 2

What is the impact of configuring a single SSID to simultaneously support both TKIP and AES encryption?

A. The overhead associated with supporting both encryption methods will significantly degrade client throughput.
B. Some wireless client drivers might not handle complex SSID settings and may be unable to associate to the WLAN.
C. This is an unsupported configuration and the Cisco Wireless Control System will continuously generate alarms until the configuration is corrected.
D. This is a common configuration for migrating from WPA to WPA2. There is no problem associated with using this configuration.

 

Answer: D

Explanation

AES encryption uses hardware so there is almost no overhead when using it. TKIP is based on software. So when we support both TKIP and AES the client throughput will not significantly degrade -> A is not correct.

When choosing both AES and TKIP, the router will support both encryption algorithms. Because not all wireless NICs support AES, some only support TKIP,  so this option is probably the best choice -> B isnot correct.

As the picture below, Cisco Wireless Control System does support both simultaneously -> C is not correct.

Question 3

What is the Default Local Database size for authenticating local users?

A. 512 entries
B. 1024 entries
C. 2048 entries
D. 4096 entries
E. 8192 entries

 

Answer: A

Question 4

Which statement best represents the authorization aspect of AAA?

A. Authorization takes place after a successful authentication and provides the Cisco WLC the information needed to allow client access to network resources.
B. Authorization is the validation of successful DHCP address delivery to the wireless client.
C. Authorization must be successfully completed in order to proceed with the authentication phase.
D. Successful authorization will provide encryption keys that will be used to secure the wireless communications between client and AP.

 

Answer: A

Explanation

AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner. AAA provides a modular way of performing the following services:

* Authentication: Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you select, encryption.
* Authorization: Provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet.
* Accounting: Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.

(Reference: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfaaa.html)

Question 5

Which Extensible Authentication Protocol types are supported by the Cisco Unified Wireless Network?

A. EAP-TLS, PEAP-MSCHAPv2 and PEAP-GTC only
B. LEAP and EAP-FAST only
C. EAP-TLS, PEAP-MSCHAPv2, PEAP-GTC, LEAP, EAP-FAST only
D. Any EAP supported by the RADIUS authentication server

 

Answer: D

Question 6

The 4-way handshake is used to establish which key during the WPA authentication process?

A. Pairwise Master Key
B. Pairwise Multiple Key
C. Pairwise Session Key
D. Pairwise Transient Key
E. Pairwise Transverse Key

 

Answer: D

Explanation

After a successful EAP authentication the 4-way handshake begins

Objective: Generate PTK and confirm the procession and freshness of PTK.

Assumption: PMK only known to Supplicant and Authenticator, never transmitted over network.

PTK: Pairwise Transient Key
PMK: Pairwise Master Key
ANonce: nonce generated by authenticator
SNonce: nonce generated by supplicant

Initial stage: The Supplicant generates a random number called SNonce and the Authenticator generates a random number called ANonce.

1) The AP first sends ANonce to the client, including its MAC address. The client then uses a common passphrase along with this random number to derive Pairwise Transient Key (PTK) that is used to encrypt data to the AP.

Note: The PTK is generated by the ANonce, authenticator MAC address as well as the SNonce and MAC address of the Supplicant.

2) The Supplicant then sends its own random number to the AP (called SNonce), along with a Message Integrity Code (MIC) and Security parameters (RSN), which are used to ensure that the data is not tampered with.

3) The AP generates GTK key used to encrypt unicast traffic to the client. To validate, the AP sends the random number again, encrypted using the derived PTK.

4) A final message is sent, indicating that the PTK is in place on both sides.

Therefore, the four-way handshake is used to obtain the Pairwise Transient Key that is used for communication between the device and the Access Point.

Question 7

Which four parameters need to be configured for local EAP-FAST on the controller? (Choose four)

A. Authority ID
B. Authority ID Information
C. Client Key
D. PAC
E. Server Key
F. TTL for PAC
G. Monitor Key
H. NTP Source

 

Answer: A B E F

Explanation

EAP-FAST is designed to speed re-authentication when a station roams from one AP to another. Here are the parameters that can be configured:

* Server Key (in hexadecimal): The key (in hexadecimal characters) used to encrypt and decrypt PACs.
* Time to Live for the PAC: Enter the number of days for the PAC to remain viable. The valid range is 1 to 1000 days, and the default setting is 10 days.
* Authority ID (in hexadecimal): Enter the authority identifier of the local EAP-FAST server in hexadecimal characters. It is possible to enter up to 32 hexadecimal characters,  but an even number of characters must be entered. This will identify the controller as the emitter of the PAC.
* Authority ID Information: Enter the authority identifier of the local EAP-FAST server in text format.
* Anonymous Provision: Enable this setting to allow anonymous provisioning. This feature allows PACs to be sent automatically to clients that do not have one during PAC provisioning. If this feature is disabled, PACS must be manually provisioned. Disable this feature when using EAP-FAST with certificates. The default setting is enabled.

Question 8

When using the enterprise-based authentication method for WPA2, a bidirectional handshake exchange occurs between the client and the authenticator. Which five statements are results of that exchange using controller based network? (Choose five)

A. a bidirectional exchange of a nonce used for key generation
B. binding of a Pairwise Master Key at the client and the controller
C. creation of the Pairwise Transient Key
D. distribution of the Group Transient Key
E. distribution of the Pairwise Master key for caching at the access point
F. proof that each side is alive

 

Answer: A B C D F

Question 9

What are four features of WPA? (Choose four)

A. a larger initialization vector, increased to 48 bits
B. a message integrity check protocol to prevent forgeries
C. authenticated key management using 802.1X
D. support for a key caching mechanism
E. unicast and broadcast key management
F. requires AES-CCMP

 

Answer: A B C E