OID_802_11_ENCRYPTION_STATUS
When set, the OID_802_11_ENCRYPTION_STATUS OID requests that the miniport driver change its encryption mode. A single encryption mode value can be set, though this may enable one or more cipher suites or disable all cipher suites on the device. A transmit key is not required to set the encryption mode.
Encryption modes define the set of cipher suites that can be enabled on the 802.11 device:
Encryption1
WEP encryption is supported and enabled on the device. The device either does not support TKIP and AES or these cipher suites are disabled.The WEP cipher suite as defined through this OID uses either 40-bit or 104-bit key lengths. Other extended key lengths are not supported for the WEP cipher suite.
Encryption2
WEP and TKIP encryption are supported and enabled on the device. The device either does not support AES or this cipher suite is disabled.Encryption3
WEP, TKIP, and AES encryption are supported and enabled on the device.The AES cipher suite as defined through this OID is AES-CCMP. If the device supports other variants of the AES cipher suite, it cannot advertise support for the Encryption3 encryption mode unless the device also supports AES-CCMP.
For more information regarding encryption modes, refer to 802.11 Encryption.
If the miniport driver cannot accept the specified encryption mode, it must return NDIS_STATUS_NOT_ACCEPTED.
If an invalid type is specified in the set request, the miniport driver must return NDIS_STATUS_INVALID_DATA.
If the device does not support Temporal Key Integrity Protocol (TKIP), the miniport driver must fail any set request that specifies Ndis802_11Encryption3Enabled or Ndis802_11Encryption2Enabled, and return NDIS_STATUS_NOT_SUPPORTED.
If the device does not support Advanced Encryption Standard (AES), the miniport driver must fail any set request that specifies Ndis802_11Encryption3Enabled, and return NDIS_STATUS_NOT_SUPPORTED.
If Wireless Equivalent Privacy (WEP), TKIP, or AES are enabled, but a transmit key is not available, the device must send only 802.1X packets unencrypted. In this scenario, the device must not send other types of packets, such as TCP or UDP packets.
When queried, this OID requests that the miniport driver return its current encryption mode. In response, the miniport driver can indicate which encryption mode is enabled or disabled, that the transmit key is absent, or that encryption is not supported.
The data passed in a query or set of this OID is the NDIS_802_11_ENCRYPTION_STATUS enumeration, which defines the following encryption status values:
Ndis802_11EncryptionNotSupported
Encryption using the WEP, TKIP, and AES cipher suites is not supported.Ndis802_11EncryptionDisabled
AES, TKIP, and WEP are disabled, and a transmit key is available.Ndis802_11Encryption1Enabled
WEP is enabled; TKIP and AES are disabled. A transmit key may or may not be available.Ndis802_11Encryption1KeyAbsent
WEP, TKIP and AES are disabled. A transmit key is not available.Ndis802_11Encryption2Enabled
TKIP and WEP are enabled; AES is disabled. A transmit key is available.Ndis802_11Encryption2KeyAbsent
TKIP and WEP are enabled; AES is disabled. A transmit key is not available.Ndis802_11Encryption3Enabled
AES, TKIP, and WEP are enabled, and a transmit key is available.Ndis802_11Encryption3KeyAbsent
AES, TKIP, and WEP are enabled. A transmit keys is not available.
When a device is neither associated with an access point nor operating in ad hoc mode, the transmit key status is based on the availability of a transmit key in the set of default keys.
This OID enables or disables the cipher suites (and, for AES and TKIP, the integrity suites) in groups. For example, specifying Ndis802_11Encryption3Enabled enables TKIP, AES, and WEP. This behavior does not reflect any network-policy decisions made elsewhere that determine which ciphers an access point must support to allow a client to associate with it.
The device must not associate with an access point that advertises any cipher suite that is not supported by the device or is not enabled in the device's current encryption mode.
The following values are valid for set operations:
Ndis802_11Encryption1Enabled
Ndis802_11Encryption2Enabled
Ndis802_11Encryption3Enabled
Ndis802_11EncryptionDisabled
The following table shows the encryption modes that the miniport driver returns when queried by this OID. The returned value is based on the status of the device's cipher suites and availability of a transmit key.
Encryption mode returned | AES status | TKIP status | WEP status | Transmit key available |
---|---|---|---|---|
Ndis802_11EncryptionNotSupported | Not supported | Not supported | Not supported | No |
Ndis802_11EncryptionNotSupported | Not supported | Not supported | Not supported | Yes |
Ndis802_11Encryption1KeyAbsent | Disabled / not supported | Disabled / not supported | Disabled | No |
Ndis802_11EncryptionDisabled | Disabled / not supported | Disabled / not supported | Disabled | Yes |
Ndis802_11Encryption1Enabled | Disabled / not supported | Disabled / not supported | Enabled | No |
Ndis802_11Encryption1Enabled | Disabled / not supported | Disabled / not supported | Enabled | Yes |
Ndis802_11Encryption2KeyAbsent | Disabled / not supported | Enabled | Enabled | No |
Ndis802_11Encryption2Enabled | Disabled / not supported | Enabled | Enabled | Yes |
Ndis802_11Encryption3KeyAbsent | Enabled | Enabled | Enabled | No |
Ndis802_11Encryption3Enabled | Enabled | Enabled | Enabled | Yes |
The encryption state affects some of the values in the 802.11 WPA and RSN information element (IE) of the device's associate and reassociate requests. The encryption state also determines whether the device associates with the access point or authenticates in ad hoc mode.
AP unicast cipher | AP multicast cipher | Encryption mode | ESS associate or IBSS authenticate | Associate unicast cipher | Associate multicast cipher |
---|---|---|---|---|---|
None | WEP | Ndis802_11Encryption1Enabled | Yes | None | WEP |
None | WEP | Ndis802_11Encryption2Enabled | No | Not applicable | Not applicable |
None | WEP | Ndis802_11Encryption3Enabled | No | Not applicable | Not applicable |
None | TKIP | Ndis802_11Encryption1Enabled | No | Not applicable | Not applicable |
None | TKIP | Ndis802_11Encryption2Enabled | Yes | None | TKIP |
None | TKIP | Ndis802_11Encryption3Enabled | No | Not applicable | Not applicable |
None | AES | Ndis802_11Encryption1Enabled | No | Not applicable | Not applicable |
None | AES | Ndis802_11Encryption2Enabled | No | Not applicable | Not applicable |
None | AES | Ndis802_11Encryption3Enabled | Yes | None | AES |
TKIP | WEP | Ndis802_11Encryption1Enabled | No | Not applicable | Not applicable |
TKIP | WEP | Ndis802_11Encryption2Enabled | Yes | TKIP | WEP |
TKIP | WEP | Ndis802_11Encryption3Enabled | No | Not applicable | Not applicable |
TKIP | TKIP | Ndis802_11Encryption1Enabled | No | Not applicable | Not applicable |
TKIP | TKIP | Ndis802_11Encryption2Enabled | Yes | TKIP | TKIP |
TKIP | TKIP | Ndis802_11Encryption3Enabled | No | Not applicable | Not applicable |
TKIP | AES | Ndis802_11Encryption1Enabled | No | Not applicable | Not applicable |
TKIP | AES | Ndis802_11Encryption2Enabled | No | Not applicable | Not applicable |
TKIP | AES | Ndis802_11Encryption3Enabled | No | Not applicable | Not applicable |
AES | WEP | Ndis802_11Encryption1Enabled | No | Not applicable | Not applicable |
AES | WEP | Ndis802_11Encryption2Enabled | No | Not applicable | Not applicable |
AES | WEP | Ndis802_11Encryption3Enabled | Yes | AES | WEP |
AES | TKIP | Ndis802_11Encryption1Enabled | No | Not applicable | Not applicable |
AES | TKIP | Ndis802_11Encryption2Enabled | No | Not applicable | Not applicable |
AES | TKIP | Ndis802_11Encryption3Enabled | Yes | AES | TKIP |
AES | AES | Ndis802_11Encryption1Enabled | No | Not applicable | Not applicable |
AES | AES | Ndis802_11Encryption2Enabled | No | Not applicable | Not applicable |
AES | AES | Ndis802_11Encryption3Enabled | Yes | AES | AES |