Secure wireless encryption in PTP 500/600/650/800

Cambium’s PTP 500, PTP 600, PTP 650 and PTP 800 products offer AES encryption of the wireless link as an optional upgrade. The same solution is provided in PTP 700 in System Release 700-01-00.

The wireless encryption solution is easy to configure, it provides very secure protection of your valuable data, and it does not reduce wireless capacity or packet processing rate.

How to configure wireless encryption

At each end of the link, check that the AES Encryption capability is included in the Capability Summary in the Installation Wizard.

Then select the key size in the Encryption Algorithm control in the System | Configuration page of the web-based interface.

If the unit has the AES-256 license, you have the choice of 128-bit or 256-bit key size. If the unit has the AES-128 license, the 256-bit option is (understandably enough) hidden. Both ends of the link MUST have the same key size.

Enter a randomly-generated number in the Encryption Key attribute, and then enter exactly the same key in the Confirm Encryption Key attribute. The keys are obscured in the web page.

AES is a symmetric algorithm, meaning that the same key is used for encryption and decryption, so you’ll need to enter exactly the same key at the other end of the link.

A key for the 128-bit option consists of 16 bytes, entered as 32 hexadecimal characters, for example:

8FD34C42B21C9F0286A62E0C8496DDC2

A key for the 256-bit option consists of 32 bytes, entered as 64 hexadecimal characters, for example:

56823A8C96256028D9581B42EC3E4C455DBE8F703D361C2C256DEB9D77CA1C77

Security

Wireless encryption in PTP 500, PTP 600, PTP 650, PTP 700 and PTP 800 encrypts the entire data stream between the two ends of the link. This means that, not only is your customer’s data encrypted, but so are the protocol headers in the bridged Ethernet frames, and the protocol headers of the wireless itself.

An attacker who monitors the radiated wireless signal is not able to distinguish Ethernet frames or IP packets, is not able to see details of the protocols or IP addresses used in your network, and is not even able to tell whether a link is loaded or completely idle.

The AES encryption in these products has been validated for compliance with the FIPS 197 standard, so you can be confident that the implementation is secure.

To maintain a high degree of security we suggest that you generate a different encryption key for each link. In that way, the rest of the network is not compromised if one unit is stolen. Also, we advise against generating AES keys from a pass-phrase. A randomly-generated 128-bit number is very, very difficult to guess. On the other hand, a number generated from a pass-phrase is not so difficult to guess if the pass-phrase is simple enough.
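As an added illustration (not Cambium's code or tooling, and nothing the radios themselves run), the following Python helpers generate keys in the exact format the Encryption Key field expects (32 or 64 hexadecimal characters, from the operating system's cryptographic random source rather than a pass-phrase), validate a key against the selected key size, check that both ends of a link are configured identically, and provision one independent key per link so that a stolen unit exposes only its own link. The link names and the pass-phrase dictionary size are constructed sample values; the two example keys are the ones given above.

```python
import math
import re
import secrets

# Key sizes offered by the Encryption Algorithm control, in bytes.
# AES-128 licences offer only 128; AES-256 licences offer both.
KEY_SIZES = {128: 16, 256: 32}

HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def generate_key(bits: int) -> str:
    """Return a fresh random AES key as upper-case hex.

    secrets.token_hex draws from the OS CSPRNG, so a 128-bit key has the
    full 128 bits of entropy; a key derived from a pass-phrase does not.
    """
    if bits not in KEY_SIZES:
        raise ValueError(f"unsupported key size: {bits}")
    return secrets.token_hex(KEY_SIZES[bits]).upper()


def validate_key(key: str, bits: int) -> bool:
    """True if `key` is exactly the hex string the unit expects for `bits`."""
    if bits not in KEY_SIZES:
        return False
    expected_chars = KEY_SIZES[bits] * 2  # two hex digits per byte
    return len(key) == expected_chars and HEX_RE.fullmatch(key) is not None


def keys_match(key: str, confirm: str) -> bool:
    """Compare the Encryption Key and Confirm Encryption Key fields.

    compare_digest avoids timing differences; hex keys are ASCII, which
    is what it requires for str arguments.
    """
    return secrets.compare_digest(key.upper(), confirm.upper())


def link_ends_consistent(end_a: dict, end_b: dict) -> bool:
    """Both ends MUST use the same key size and the same key.

    Each end is a constructed dict: {"bits": 128 or 256, "key": hex string}.
    """
    if end_a["bits"] != end_b["bits"]:
        return False
    if not (validate_key(end_a["key"], end_a["bits"])
            and validate_key(end_b["key"], end_b["bits"])):
        return False
    return keys_match(end_a["key"], end_b["key"])


def provision_links(link_names, bits: int) -> dict:
    """One independent key per link, keyed by link name (constructed names)."""
    return {name: generate_key(bits) for name in link_names}


def all_keys_unique(keys: dict) -> bool:
    """Confirm no key was reused across links."""
    return len(set(keys.values())) == len(keys)


def passphrase_entropy_bits(dictionary_size: int, words: int) -> float:
    """Upper bound on the entropy of a pass-phrase of `words` words drawn
    uniformly from a `dictionary_size`-word list: words * log2(size).

    Four words from an 8192-word list give only 52 bits, far short of the
    128 bits a random key carries, which is why the article advises against
    pass-phrase-derived keys.
    """
    return words * math.log2(dictionary_size)


if __name__ == "__main__":
    # Constructed sample: three links, each with its own AES-256 key.
    links = provision_links(["site-A_site-B", "site-B_site-C", "site-C_site-D"], 256)
    for name, key in links.items():
        print(f"{name}: {key}  valid={validate_key(key, 256)}")
    print("all unique:", all_keys_unique(links))
    print("4-word pass-phrase entropy (8192-word list):",
          passphrase_entropy_bits(8192, 4), "bits")
```

Run it once per link you commission, paste the printed key into both the Encryption Key and Confirm Encryption Key fields at each end, and keep the generated keys in the same protected store you use for the radios' other credentials.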

Performance

AES encryption in PTP 500, PTP 600, PTP 650, PTP 700 and PTP 800 is implemented in hardware with no additional overhead so the capacity of the wireless link is not affected by enabling encryption. Furthermore, the packet processing rate is not reduced when encryption is enabled. This is not always the case in network products like security gateways where a CPU is used to provide encryption and decryption; in such cases, the normal capacity of the device can be noticeably reduced when encryption is enabled.

PTP 670 and PTP 700

We made some changes to wireless encryption starting in 670-02-00 and 700-02-50. These newer products provide the same high level of security as the older products described above, but the new features provide more options, and are better suited for HCMP. For more details, see here: Device Authentication in PTP topology for PTP 670/700
