China has reportedly filed an appeal with the ISO standards body over its proprietary wireless LAN encryption algorithm: WAPI (Wired Authentication and Privacy Infrastructure) continues to make waves in international security and standards circles. The Chinese official news agency Xinhua reported today that a domestic industry trade group filed appeals in April and May with the international ISO standards body over ethics issues involved in the fast-track rejection of WAPI alongside IEEE 802.11i.
The Xinhua agency reports that the China Broadband Wireless IP Standard Group (BWIPS)--the recently formed WAPI Industrial Union isn't mentioned here--has collected 49 pieces of evidence proving ethics violations. The 802.11i standard was fast-tracked for consideration of approval; WAPI was rejected in part, according to reports in March of this year, because China failed to disclose key portions of the specification, including cryptography.
The group of 22 firms that are involved with WAPI's future were earlier reported to include many with government and military investments and control, which is a typical occurrence in China.
I've written a lot about WAPI; you can find earlier posts here. My ongoing concern, shared by many Wi-Fi industry insiders, is that without WAPI being fully published for examination, there's no way to determine the strength and integrity of the protocol--including whether backdoors are part of the standard. I've been told by some readers this is a paranoid attitude, but I'd suggest that events of the last six months make it clear that China wants to be able to monitor all data traversing its local networks and the Internet.
Update: PC Magazine provides a little more background detail on the dispute which centers on the IEEE recommending its own amendment to the ISO standard to IEEE international members, where the Chinese standards' backers believe the IEEE should have presented its members with an impartial representation of the two amendments.
A University of New Haven School of Business professor with a background in Chinese business operations sides with my take on WAPI. She says in this article, "China's WAPI standard could allow backdoor access to the technology, which is not really allowed. And China has no motivation to prevent backdoor access to the technology so this is one of the tussles. It's very characteristic of Chinese business. China has all kinds of on-the-books and off-the-books trade barriers."
"...events of the last six months make it clear that China wants to be able to monitor all data traversing its local networks and the internet."
So, how is this any different than what the U.S. Government is doing through the NSA with the help of AT&T? It seems clearly evident from news reports and the suit filed in Federal Court by the Electronic Frontier Foundation against AT&T that the U.S. has no problems doing the same thing.
[Editor's note: I'm not defending unconstitutional activities by the U.S. against possibly domestically legal but abhorrent monitoring by China.
Rather, I'm pointing out that the IEEE 802.11i specification can be read and its encryption methods examined. WAPI cannot. It's likely WAPI is kept secret for multiple reasons, but one of them is almost certainly for tapping. 802.11i doesn't include tapping as a feature.
Specific companies could modify 802.11i in their implementation to include tapping, but that is true with all telecommunications equipment in which encrypted sessions terminate within the unit itself.
If an AP handles WPA Enterprise (802.1X with WPA), there's no good way for an AP maker to create an interception as a man in the middle if the certificates for the secure session between a user and a back-end server are handled correctly because that would fail without a valid certificate.--gf]
It's just somebody else's business. Why would you concern yourself with another country's standard of doing things in THEIR home? Isn't it part of the "freedom" that you always chant about?
[Editor's note: Apparently, you didn't read what I wrote nor the articles I linked to. China is attempting to get WAPI, in its undisclosed form, made into an international standard.
I don't chant much, but I don't believe human rights and freedom are a movable feast. Thus, developing a standard for internal consumption designed to provide another tool of interception for suppression of rights isn't just a matter of "freedom."--gf]
I'm astounded by the ignorance in the two comments below by darin and freedom, and completely agree with the editor's notes.
In particular, darin, the wiretapping done by the US Government is by possibly coercing AT&T (possibly) illegally to let the NSA look at the data travelling on the AT&T network. On the other hand, China is trying to get a not fully open architecture an international standard recognition. This, my friend, means that one day, there may be international citizens using the closed technology; a technology which possibly has backdoors which the Chinese government most likely has in the closed part of the standard.
Keeping a technology closed and proprietary never helps its adoption as a standard. If you find yourself siding with China in the article above, replace 'China' with 'Microsoft' and see if your feelings change. As far as the US/AT&T conspiracy goes, if one person gets away with murder, does that mean everyone else should get away with murder too?
Having read one of the Chinese complaints, it's a fascinating example of cultural differences. The main thrust of China's ethical complaints is that technical experts who were not members of the committee expressed their opinions on the subject, and hence did not show the right amount of "respect" to committee members.
It's easy to see why this would be shocking to a country with a one-party system, and no real freedom of speech. I think most of us (and most of ISO) would just view it as healthy debate.
It's obvious that the Chinese government has backdoors implanted in their software. Why do you think they are not releasing the source? Not because they are paranoid that people will steal it but because it has so many doors in it that it's screaming to get caught. Don't you realize that China is COMMUNIST and that they have been controlling their internet for YEARS. They censor what they don't approve of and now they are going paranoid over security. But China, I've got news for you...nobody cares about invading you guys.. we've got missiles not horses with swords.