Guest blogger: Kurt Sauter, Region Manager, Federal Sales, Cisco Systems
Kurt Sauter is responsible for Cisco Federal sales efforts, focusing specifically on secure wireless products for Federal customers. He brings 20 years of experience developing and marketing products for the wireless and networking industry. Mr. Sauter is a long-time member of the Wi-Fi Alliance and the IEEE 802.11 working group and has been awarded a number of patents. Mr. Sauter holds a Bachelor's in Computer Science and an MBA.
In recent months, there have been erroneous competitor claims about Cisco access points. Responding to industry gossip and incorrect rumors isn’t something that we normally do, but we want to make sure that our customers are getting the correct message.
According to these rumors, competitors are telling customers that encryption keys could somehow be extracted from Cisco access points. These claims further say that such a purported key could be used to decrypt a recorded wireless session. Simply put, this is entirely fiction.
Fact: Cisco does not store Pairwise Master Keys (PMKs) on Cisco access points. What the access point holds is a Pairwise Transient Key, derived fresh for each client session from the PMK and the handshake nonces, and that key is written to the radio ASIC but cannot be read back: the chip-level register is write-only. Reading a key out of that register while the access point is running is simply not possible. Furthermore, the chip and system board are mechanically and electronically guarded.
Fiction: There are additional claims that storing all keys in the controller is somehow "safer." That's not true either. The reality is, as we've all seen in the recent KRACK key-reinstallation attack, that the attacker did not need the key at all. KRACK replays handshake messages so that the victim reinstalls a key it is already using and resets its packet counters; the resulting nonce reuse lets the attacker recover keystream from the traffic itself. Because the attack fools the client or access point rather than extracting anything from it, it did not matter where the key was stored, and most access points and controllers were just as vulnerable.
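The two technical points above, that the access point holds only a per-session transient key and that KRACK needs no key at all, can be demonstrated together. The block below is an added example written for this post and is not Cisco code or anything from a Cisco product. The PRF-384 key expansion, the "Pairwise key expansion" label and the MAC/nonce ordering follow IEEE 802.11; the AES-CTR keystream of real CCMP is replaced by a SHA-256 counter-mode stand-in so the example runs on the Python standard library alone, and the PMK, MAC addresses, nonces and frames are constructed sample values. The nonce-reuse result depends only on the keystream being a deterministic function of (key, packet number), which holds for CCMP exactly as it does here.

```python
import hashlib
import hmac

# Constructed sample handshake inputs: not real keys, addresses or nonces.
PMK = bytes.fromhex("00112233445566778899aabbccddeeff"
                    "ffeeddccbbaa99887766554433221100")   # 256-bit PMK (stays at the authenticator)
AA = bytes.fromhex("001122334455")      # authenticator (AP) MAC
SPA = bytes.fromhex("66778899aabb")     # supplicant (client) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

# Constructed frames: FRAME1 is assumed predictable to the attacker (an ARP-style
# payload); FRAME2 is the secret the attacker wants to read. FRAME1 is the longer one.
FRAME1 = b"known-plaintext: ARP who-has 10.0.0.1 tell 10.0.0.7 ........"
FRAME2 = b"GET /login?user=alice&password=hunter2 HTTP/1.1"


def prf_384(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-384: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, 2,
    concatenated and truncated to 384 bits."""
    out = b""
    for i in range(3):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """4-way handshake key expansion for CCMP: PTK = KCK(16) || KEK(16) || TK(16).
    Only this session-specific result needs to reach the radio; the PMK does not."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_384(pmk, b"Pairwise key expansion", data)
    return ptk[:16], ptk[16:32], ptk[32:48]


def keystream(tk, nonce, length):
    """Counter-mode keystream stand-in (assumption): block i = SHA256(tk || nonce || i).
    Real CCMP uses AES-CTR with a nonce built from the 48-bit packet number; all that
    matters for the attack is that the keystream is a deterministic function of (tk, nonce)."""
    out = b""
    for i in range((length + 31) // 32):
        out += hashlib.sha256(tk + nonce + i.to_bytes(4, "big")).digest()
    return out[:length]


def encrypt_frame(tk, packet_number, plaintext):
    """Encrypt one frame; the 48-bit packet number serves as the per-frame nonce."""
    ks = keystream(tk, packet_number.to_bytes(6, "big"), len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def recover_without_key(ct_known, pt_known, ct_target):
    """Attacker side: two frames under the same (tk, nonce) satisfy C1 xor C2 = P1 xor P2,
    so a known P1 yields P2 with no knowledge of the TK or the PMK."""
    n = min(len(ct_known), len(pt_known), len(ct_target))
    return bytes(c1 ^ p1 ^ c2 for c1, p1, c2 in zip(ct_known[:n], pt_known[:n], ct_target[:n]))


def krack_demo():
    """Victim derives a fresh PTK, sends FRAME1 with packet number 1, is tricked into
    reinstalling the same PTK (packet counter reset), then sends FRAME2 with packet
    number 1 again. Returns (recovered_secret, result_without_reinstallation)."""
    _kck, _kek, tk = derive_ptk(PMK, AA, SPA, ANONCE, SNONCE)
    ct1 = encrypt_frame(tk, 1, FRAME1)
    # Key reinstallation: the same TK is installed again and the packet number restarts at 1.
    ct2 = encrypt_frame(tk, 1, FRAME2)
    leaked = recover_without_key(ct1, FRAME1, ct2)
    # Without reinstallation the next frame uses packet number 2 and the XOR trick yields garbage.
    ct3 = encrypt_frame(tk, 2, FRAME2)
    not_leaked = recover_without_key(ct1, FRAME1, ct3)
    return leaked, not_leaked


if __name__ == "__main__":
    leaked, not_leaked = krack_demo()
    print("Recovered with TK never touched:", leaked)
    print("With distinct packet numbers:  ", not_leaked)
```

Two things to take from running it: `derive_ptk` yields a different TK for every nonce pair, so a key pulled from an access point, even if that were possible, would be worthless for any other session; and `krack_demo` recovers FRAME2 byte for byte from ciphertext alone, which is why moving the key elsewhere does nothing against a nonce-reuse attack.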
Fact: Cisco access points are FIPS 140 validated, Common Criteria certified, and UC APL listed. They are approved for use across the Government and the Department of Defense. If keys held in the AP presented a security risk, these agencies would not approve their use.
I want to assure our customers that we take their security very seriously. In addition to the physical security of a Cisco access point, there are a number of runtime protections that prevent unauthorized access and safeguard the memory of Cisco APs. How? In our next blog post we will go into some of the platform protections that Cisco APs and controllers employ.
For more information on the Cisco Aironet Wave 2 Access Points, click here.
Great synopsis and understanding of "key" concepts for storing and using keys.