
Authentication and Encryption

Here you will find answers to Authentication and Encryption Questions

Question 1

What are three primary components that describe TKIP? (Choose three)

A. Broadcast Key Rotation
B. Dynamic WEP
C. Message Integrity Check
D. Per-Packet Key Hashing
E. Symmetric Key Cipher
F. WPA2 Enterprise Mode

 

Answer: A C D

Explanation

TKIP offers three advantages over WEP:

* Per-packet keying: Each packet is encrypted with a unique key, so it is much more difficult to work back from repetitive data to the key.
* Message integrity check (MIC): If the message integrity check does not pass, the message is seen as a forgery. If two forgeries are detected in one second, the radio assumes it is under attack: it deletes its session key, disassociates itself, then forces re-association.
* Broadcast key rotation: A broadcast key is required in 802.1X environments, but it is vulnerable to the same attacks as a static WEP key. With broadcast key rotation, the broadcast key is delivered to each client encrypted with that client's dynamic key.

Based on per-packet keying and the message integrity check, every packet has a unique encryption key and each packet is digitally signed, so the receiver validates the source of the sender before decrypting it, making sure the packet is valid, comes from a trusted source and is not being spoofed.

Per-Packet Keying

[Figure: per-packet-keying.jpg]

Integrity Check

[Figure: integrity-check.jpg]

Question 2

What is the impact of configuring a single SSID to simultaneously support both TKIP and AES encryption?

A. The overhead associated with supporting both encryption methods will significantly degrade client throughput.
B. Some wireless client drivers might not handle complex SSID settings and may be unable to associate to the WLAN.
C. This is an unsupported configuration and the Cisco Wireless Control System will continuously generate alarms until the configuration is corrected.
D. This is a common configuration for migrating from WPA to WPA2. There is no problem associated with using this configuration.

 

Answer: D

Explanation

AES encryption is done in hardware, so it adds almost no overhead; TKIP is implemented in software. Supporting both TKIP and AES therefore does not significantly degrade client throughput -> A is not correct.

When both AES and TKIP are chosen, the router supports both encryption algorithms. Because not all wireless NICs support AES (some only support TKIP), this option is probably the best choice -> B is not correct.

As the picture below shows, the Cisco Wireless Control System does support both simultaneously -> C is not correct.

[Figure: AES_TKIP.gif]

Question 3

What is the Default Local Database size for authenticating local users?

A. 512 entries
B. 1024 entries
C. 2048 entries
D. 4096 entries
E. 8192 entries

 

Answer: A

Question 4

Which statement best represents the authorization aspect of AAA?

A. Authorization takes place after a successful authentication and provides the Cisco WLC the information needed to allow client access to network resources.
B. Authorization is the validation of successful DHCP address delivery to the wireless client.
C. Authorization must be successfully completed in order to proceed with the authentication phase.
D. Successful authorization will provide encryption keys that will be used to secure the wireless communications between client and AP.

 

Answer: A

Explanation

AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner. AAA provides a modular way of performing the following services:

* Authentication: Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you select, encryption.
* Authorization: Provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet.
* Accounting: Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.

(Reference: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfaaa.html)

Question 5

Which Extensible Authentication Protocol types are supported by the Cisco Unified Wireless Network?

A. EAP-TLS, PEAP-MSCHAPv2 and PEAP-GTC only
B. LEAP and EAP-FAST only
C. EAP-TLS, PEAP-MSCHAPv2, PEAP-GTC, LEAP, EAP-FAST only
D. Any EAP supported by the RADIUS authentication server

 

Answer: D

Question 6

The 4-way handshake is used to establish which key during the WPA authentication process?

A. Pairwise Master Key
B. Pairwise Multiple Key
C. Pairwise Session Key
D. Pairwise Transient Key
E. Pairwise Transverse Key

 

Answer: D

Explanation

After a successful EAP authentication the 4-way handshake begins.

Objective: Generate the PTK and confirm possession and freshness of the PTK.

Assumption: The PMK is known only to the Supplicant and the Authenticator and is never transmitted over the network.

[Figure: 4-way_handshake_WPA.jpg]

PTK: Pairwise Transient Key
PMK: Pairwise Master Key
ANonce: nonce generated by authenticator
SNonce: nonce generated by supplicant

Initial stage: The Supplicant generates a random number called SNonce and the Authenticator generates a random number called ANonce.

1) The AP first sends ANonce to the client, including its MAC address. The client then uses a common passphrase along with this random number to derive Pairwise Transient Key (PTK) that is used to encrypt data to the AP.

Note: The PTK is derived from the ANonce and the authenticator's MAC address together with the SNonce and the MAC address of the Supplicant.

2) The Supplicant then sends its own random number to the AP (called SNonce), along with a Message Integrity Code (MIC) and Security parameters (RSN), which are used to ensure that the data is not tampered with.

3) The AP generates GTK key used to encrypt unicast traffic to the client. To validate, the AP sends the random number again, encrypted using the derived PTK.

4) A final message is sent, indicating that the PTK is in place on both sides.

Therefore, the four-way handshake is used to obtain the Pairwise Transient Key that is used for communication between the device and the Access Point.
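As an added example (not from the original page), the PTK derivation and the message-2 MIC check described above, in Python. The passphrase, SSID, MAC addresses, nonces and EAPOL-Key body are constructed values; the PRF and MIC constructions are the 802.11i ones for WPA/WPA2 with TKIP or CCMP.

```python
# Added example (not from the original page): PTK derivation and the
# message-2 MIC check behind the 4-way handshake, with constructed inputs.
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-Personal PMK: PBKDF2-HMAC-SHA1 over passphrase and SSID, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter) blocks."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, tkip: bool = False) -> dict:
    """PTK = PRF(PMK, "Pairwise key expansion", min/max of the two MACs and the two nonces).
    The min/max ordering makes the result identical whichever side computes it.
    KCK protects the handshake MICs, KEK wraps the GTK (the group key for
    broadcast/multicast traffic, delivered in message 3), TK protects data frames."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64 if tkip else 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes, tkip: bool = False) -> bytes:
    """Key MIC over the EAPOL-Key frame: HMAC-MD5 for TKIP, HMAC-SHA1-128 for CCMP."""
    if tkip:
        return hmac.new(kck, frame_with_zeroed_mic, hashlib.md5).digest()
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def authenticator_accepts_msg2(pmk, aa, spa, anonce, snonce, frame, mic, tkip=False) -> bool:
    """What the AP does on message 2: derive the PTK from the SNonce it just received
    and verify the MIC with the KCK. A mismatch means a forged or tampered message."""
    kck = derive_ptk(pmk, aa, spa, anonce, snonce, tkip)["KCK"]
    return hmac.compare_digest(eapol_mic(kck, frame, tkip), mic)


# Constructed sample values (not real captures).
PMK = pmk_from_passphrase("correct horse battery", "ExampleSSID")
AA = bytes.fromhex("001122334455")        # authenticator (AP) MAC
SPA = bytes.fromhex("66778899aabb")       # supplicant (client) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
MSG2 = b"\x02\x03\x00\x5f\x02\x01\x0a\x00" + SNONCE   # constructed EAPOL-Key body, MIC field zeroed
MSG2_MIC = eapol_mic(derive_ptk(PMK, AA, SPA, ANONCE, SNONCE)["KCK"], MSG2)
```

A supplicant that recomputes the PTK after message 1 runs the same check against message 3, which is how both sides prove possession of the PMK without ever sending it.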

Question 7

Which four parameters need to be configured for local EAP-FAST on the controller? (Choose four)

A. Authority ID
B. Authority ID Information
C. Client Key
D. PAC
E. Server Key
F. TTL for PAC
G. Monitor Key
H. NTP Source

 

Answer: A B E F

Explanation

EAP-FAST is designed to speed re-authentication when a station roams from one AP to another. Here are the parameters that can be configured:

* Server Key (in hexadecimal): The key (in hexadecimal characters) used to encrypt and decrypt PACs.
* Time to Live for the PAC: Enter the number of days for the PAC to remain viable. The valid range is 1 to 1000 days, and the default setting is 10 days.
* Authority ID (in hexadecimal): Enter the authority identifier of the local EAP-FAST server in hexadecimal characters. Up to 32 hexadecimal characters can be entered, but the number of characters must be even. This identifies the controller as the issuer of the PAC.
* Authority ID Information: Enter the authority identifier of the local EAP-FAST server in text format.
* Anonymous Provision: Enable this setting to allow anonymous provisioning. This feature allows PACs to be sent automatically to clients that do not have one during PAC provisioning. If this feature is disabled, PACs must be manually provisioned. Disable this feature when using EAP-FAST with certificates. The default setting is enabled.

Question 8

When using the enterprise-based authentication method for WPA2, a bidirectional handshake exchange occurs between the client and the authenticator. Which five statements are results of that exchange on a controller-based network? (Choose five)

A. a bidirectional exchange of a nonce used for key generation
B. binding of a Pairwise Master Key at the client and the controller
C. creation of the Pairwise Transient Key
D. distribution of the Group Transient Key
E. distribution of the Pairwise Master key for caching at the access point
F. proof that each side is alive

 

Answer: A B C D F

Question 9

What are four features of WPA? (Choose four)

A. a larger initialization vector, increased to 48 bits
B. a message integrity check protocol to prevent forgeries
C. authenticated key management using 802.1X
D. support for a key caching mechanism
E. unicast and broadcast key management
F. requires AES-CCMP

 

Answer: A B C E

Comments (18)
  1. Edicisco
    May 25th, 2011

    In question 2, why is the answer not B? I think it is a better option than D.

    Thanks!

  2. boris the russian
    June 23rd, 2011

    Tesking also puts the answer to question 2 as B

  3. mastan
    July 29th, 2011

    I booked the CCNA wireless exam on the 4th of Aug. Can anyone confirm which dumps are running for the CCNA wireless exam? Can anyone share the latest dumps?

    thanks in advance

  4. arina
    August 23rd, 2011

    Hi, I am looking for the latest dump for CCNA wireless. Is there anybody out there who can help?
    rodipo@connectedhealth.co.ke

  5. Dovinant
    December 6th, 2011

    Yeah, in the question 2 the good answer should be D.

    “WPA2 Mixed Mode operation permits the coexistence of WPA and WPA2 clients on a common SSID. WPA2 Mixed Mode is a Wi-Fi Certified feature. WPA2 Mixed Mode is considered secure since it uses both TKIP and AES for encryption.”

    Look at “WPA and WPA2 Deployment” http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps430/ps4076/prod_brochure09186a00801f7d0b.html

  6. Swati
    January 31st, 2012

    Question 2 the good answer should be D.

    http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps430/ps4076/prod_brochure09186a00801f7d0b.html

    Enhanced Security
    ————————
    Enhanced security is recommended for those customers requiring enterprise-class security and protection. The Cisco Unified Wireless Network delivers an enhanced wireless security solution that provides full support for WPA and WPA2 with its building blocks of 802.1X mutual authentication and TKIP or AES encryption. The Cisco Unified Wireless Network includes the following:

    • 802.1X for strong, mutual authentication and dynamic per-user, per-session encryption keys

    • TKIP for enhancements to RC4-based encryption such as key hashing (per-packet keying), message integrity check (MIC), initialization vector (IV) changes, and broadcast key rotation

    • AES for government-grade, highly secure data encryption

    • Integration with the Cisco Self-Defending Network and NAC

    • Intrusion Prevention System (IPS) capabilities and advanced location services with real-time network visibility

    • Management Frame Protection (MFP) for strong cryptographic authentication of WLAN management frames

    Detailed information about the Cisco Unified Wireless Network’s enterprise-class wireless security is provided later in this document.

  7. Hussam
    February 26th, 2012

    No. Question #2 the answer is ‘B’. I got this info from talking to Cisco TAC engineers.

  8. Michael
    March 12th, 2012

    All the dumps state that question #2 should be answer B, though the explanations by Dovinant and Swati conclude it should be D.

    Has anyone encountered this question during the exam?
    What is the definite correct answer to question #2?

  9. Mojje
    March 29th, 2012

    I got question 2 on exam, seems to be quite a lot of conflicting info about this… :/

  10. Michael
    April 2nd, 2012

    I had the question too, I answered D.
    Seen the fact that I scored 989, there’s a fair chance that D is correct.

  11. Lucky
    April 25th, 2012

    On Q2 answer is B.

  12. Brian
    May 9th, 2012

    Question 6: A pairwise master key is used to establish a pairwise transient key. (PMK -> PTK)

  13. Rafael
    July 12th, 2012

    On Q2 answer is B

    CCNA WIRELESS (640-722)

    WPA2 (and 802.11i) also allows TKIP for backward compatibility. Nevertheless, configuring a WLAN to use WPA2 while allowing
    both AES/CCMP and TKIP is not recommended because some clients get confused by this mode and cannot associate. 802.11i also
    describes two new mechanisms:

  14. 250lbs
    January 23rd, 2013
  15. Pablo
    April 5th, 2014

    I agree that on question 2, answer is B.


  17. NAshnoush@Libya
    January 27th, 2015

    After looking on Cisco doc the answer of Q2 is B

    With the Cisco Unified Wireless Network, both Cisco TKIP and WPA TKIP algorithms are available on Cisco Aironet autonomous access points and Cisco Aironet and Cisco Compatible WLAN client devices. Although Cisco TKIP and WPA TKIP do not interoperate, Cisco Aironet Series autonomous access points can run both Cisco TKIP and WPA TKIP simultaneously when using multiple VLANs. System administrators will need to choose one set of TKIP algorithms to activate on the enterprise’s client devices because clients cannot support both sets of TKIP algorithms simultaneously. Cisco recommends that WPA TKIP be used for client devices and access points wherever possible. Cisco wireless LAN controllers and Cisco Aironet lightweight access points support only WPA TKIP.

    References: Cisco “http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1200-access-point/prod_brochure09186a00801f7d0b.html “
