When encryption modes are enabled, the 802.11 device can associate with an access point (AP) or IBSS cell by using the intersection of the following cipher suites:
The most secure cipher suite from the encryption mode enabled on the 802.11 device
The most secure cipher suite advertised by the received beacon or probe response
For example, a driver set to Encryption3 does the following during its association with an AP:
If the beacon or probe response advertises that the AES cipher suite is supported, then the driver chooses AES and advertises this in the WPA or RSN information element (IE) of its association request.
If the beacon or probe response advertises that the TKIP cipher suite is supported, then the driver chooses TKIP and advertises this in the WPA or RSN IE of its association request.
If the beacon or probe response advertises that the WEP cipher suite is supported, then the driver chooses WEP and advertises this by setting the Privacy subfield in the Capability Information field of its association request. For more information about the Capability Information field, refer to section 18.104.22.168 of the IEEE 802.11-1999 specification.
The 802.11 device must not attempt to associate unless there is a match between the authentication mode and cipher suites enabled on the 802.11 device and advertised in the beacon or probe response.
When associating, the miniport driver can allow separate cipher suites for broadcast and unicast packets. For example, an AP could be sending broadcast packets by using WEP while the 802.11 device and AP are communicating by using AES for unicast packets.
When the device is roaming to another BSSID within the same BSS, the device must not change the encryption mode that is currently enabled. However, the selected cipher suites can change with the new association.
For example, if the device's encryption mode is set to Encryption3, then the device must be prepared for the following situations:
Device associates with BSSID1
BSSID1 advertises AES for unicast and broadcast packets. The device associates and enables AES for all packets.
Device roams to BSSID2
BSSID2 advertises TKIP for unicast packets and WEP for broadcast packets. The device associates and enables TKIP for unicast packets and WEP for broadcast packets.