China Releases Own WLAN Security Standard

Lownewulf writes "This NetworkWorldFusion article describes the release of the GB15629.11-2003 wireless networking standard in China, a wireless standard similar to 802.11, but with better security. The IEEE is worried that this may lead to the need to support two different standards in wireless networking hardware." ziggyboy adds a link to CNET's article, noting that "all wireless devices sold in China are required to comply to this standard from December 1."

New Standard

[SilentSage]

I disagree with the assertion of the poster that the Chineese standard has better security. For starters it does not use AES (the new advanced encryption standard) and the article does not specify what (if any) encryption protocol the Chineese standard uses. What this seems to me to be is an attempt to give the Chineese government a larger voice in the implementation of new networking standards. If hardware vendors and the IEEE roll over on this one the next thing you will see out of China (and other like minded countries who will follow suit) are the emergence of protocols which make it easier to censor and control content on the web. The market pressure to comply with this standard will be huge however. Given the size and growth of the Chineese market the financial rewards for early adopters will be great not to mention the potential to establish a major vendor footprint in an emerging market.

Re:New Standard

[landoltjp]

Although I can understand the concern of having the Chineese government push privacy-eroding standards into networking protocols, how is this any different than the US-backed standards such as the "Fritz chip" (I believe), or key-escrow standards, or the requirement to adopt standards or technology that allow Federal Snooping Bodies to monitor internet traffic from their office Lay-Z-Boys?

The Chineese aren't the only sharks in the ocean. The US Government doesn't seem to be promoting much better; they just have the luxury of wrapping themselves in the Stars & Stripes whilst they do it.

Re:New Standard

[Angostura]

It isn't *that* different. And look how much support those initiatives you mention garnered. Not...a...lot Luckily the U.S government is still subject to a little democrating oversight, so some of its nuttier ideas can get filtered out.

Re:New Standard

[aminorex]

Your comment is the kind of knee-jerk that
discredits the autonomous nervous system.

IEEE is not an American standards organization.
It is an international professional organization
which promotes engineering standards globally,
defined by engineers from all over the world,
including China. IEEE is not ANSI.

No, somebody's cousin is gonna make billions
of yuan off of this little rule, and that's
why they came up with it. Corruption, pure
and simple.

So..

[Pingular]

a wireless standard similar to 802.11, but with better security
If it has better security why isn't it a worldwide standard?

Re:So..

[grub]

If it has better security why isn't it a worldwide standard?

um.. Windows is a worldwide standard. You can't equate the robustness of the product with the number of users.

Re:So..

[thrillseeker]

there is an inherent bias in the west against the Chinese due to their chosen form of government.

I'm pretty sure it was chosen for the people and not by the people.

Re:So..

[chundo]

Sure, racism. That explains why consumer electronics from Japan had such a hard time gaining popularity here in the 80's, right?

-j

Re:So..

[zulux]

I'm pretty sure it was chosen for the people and not by the people.

Even most desmocracies were set up by the powerfull and not the 'people' - usuall powerfull internal forces (the revolutionaries with big ideas and lots of guns) or by powerfull outside forces (the invading armby with big ideas and lots of guns).

Re:So now the 800lb gorilla...

[dmp123]

No, not at all.

The US has all of the above (or rather, US *Corporations* do)... I personally think that for this power to be shared among countries is good - too much one way is bad.

I'm not sure I trust US corporations to 'do the right thing' any more than I trust the Chinese government.

David

Get Used to It

[randall_burns]

China is likely to become the world's largest economy in the not so distant future. The technical community there _will_ want to make their mark on important standards in IT. The real way around this for the United States and the EU is to cultivate technical excellence among their own citizens-something the current corrupt governments and corporate elites are hesitant to do.

Re:Get Used to It

No. The real way around this is to encourage greater participation in these standards bodies by China so that they don't feel the need to come up with their own independent standards.

I haven't seen anything that China is introducing that is superior to current or future standards.

Re:Get Used to It

[randall_burns]

I'm much less concerned personally about outsourcing than I am H-1b/L-1. The major problem with outsourcing IMHO is that a) there are major issues of privacy and security involved b) the US government has made some really bad trade deals-which make it pretty much inevitable that the US will have a rather bad trade imbalance. On the other hand, H-1b/L-1 basically offer public resources(i.e. immigration rights which would be quite valuable if they were for sale) to foreigners that can replace US citizens in the workforce. It could be argued that isn't such a bad thing in a rapidly growing industry-but in a industry that is contracting, it makes a bad situation much worse than it needs to be. Literally no developed country has ever treated a specific skilled occupation this badly since the days of the Robber Barons.

Security on AP's is a BAD idea

[div_2n]

I still don't understand why people get so wrapped up on encryption at the AP level. Wired switches and routers don't encrypt data. That is reserved for firewall/vpn devices which makes sense because the overhead associated (beyond security concerns) doesn't make sense to burden your transport mechanism.

What do people want encrypted? Their credit card numbers? Encryption of sensitive information like CC#'s is (should) be handled by SSL where the data is encrypted BEFORE it leaves the pc. No wireless encryption needed. Their e-mail? If they are sending that sensitive of information, they probably shouldn't use standard e-mail in the first place. They should encrypt a document and then e-mail it or encrypt the e-mail itself.

I am still yet to find a situation where encrypted wireless signals make sense for home or even business situations. If it is a business that is in need of securing their communications, they should use VPN's anyway.

I think it makes more sense for an additional independent circuitry to be installed on AP's that does VPN's and build into wireless cards a VPN client or include VPN software. Hell, even make an externally pluggable device that attaches to an AP so that it can be upgraded as future VPN's get stronger in encryption.

Leave AP's to do what the do best--serve wireless clients.

Re:Security on AP's is a BAD idea

[FinestLittleSpace]

One easy example - you use a file server and reguarly transfer files over to it, which cannot be encrypted as they need to be accessed over an apache server firewalled internally. These files are then 'caught' as theyre sent from your machine to the file server.

Another example... you're using software which reguarly communicates between machines with data (i.e. a database software) but hasn't got the idea of encrypting the sent data build in and your company relies on said program. Therefore, you ge tit to be encrypted as it leaves your PC.

There. Good enough?

Re:Security on AP's is a BAD idea

[Chanc_Gorkon]

Security at the AP IS needed. First, if there's no security built into the AP, anyone can get on your network. It's like putting a Ethernet jack on your unsecured front porch or even worse....at the mailbox. Sure they may not be able to get to your servers, but they still can steal bandwidth from your applications.

Second, anything that is broadcast over the air can be picked up and recorded. If it's not encrypted, you run the risk of letting anything you do on your WiFi. They don't even have to connect to your AP....they could just fire up the laptop with the WiFi card in promiscuous mode and scan away. I agree with you that cc numbers and really important things SHOULD be encrypted befor sent, but personally, I really don't want just anyone else knowing what websites I go to even though I do have nothing to hide.

Lastly, even if you did have some security built into the AP (even if your using something more then WEP), I'd still require a VPN to get to the internal network. As it is, AP's probably don't have the horsepower to do user authentication plus you probably already have LDAP or something else internally for authentication. Plus adding the VPN as a requirement for WiFi users also adds another layer of security.

noncompatible wireless standards?

We've never heard of that before (like 802.11a, not compatible with 802.11b, and the lack of standardisation in bluetooth devices)

Re:So now the 800lb gorilla...

[akaina]

That being said, I don't think any US corporations are going to start executing competitors and charge their families for the cost of the bullet.

They're not supposed to be able to profit or spin off of the freeworld's innovation. What was the UN thinking?

I thought the whole point of building a government the right way was so that one day you could reap technelogical benefits for the greater good. But now, after we've made the cake, China gets to eat it too. Something is dreadfully wrong when a country like China is given a go-card to get 50 years of technology for nothing and continue in its old ways.

On Tinfoil hats and then some

[segment]

Tinfoil warrior (need I say more?)

Coincidentally, the majority of members of the WI-FI Alliance are American companies, so I would be skeptical to pass this off as nothing more than a `shit China is gonna kill us with their low manufacturing costs' response. If the security is supposedly better as the post states, than why not verify this, and migrate to it. Wouldn't that make more sense than basically stating "you're security is good! but it's not a standard so we don't want it"

Re:On Tinfoil hats and then some

[ErikTheRed]

One thing people keep forgetting (or don't learn) is that encryption standards tend to need many, many years of peer review before they are considered "trustworthy" (and that's if they're written by a well-respected member of the crypto community). Generally, if a popular cryptosystem can survive a decade's worth of scrutiny without any major weaknesses being discovered then it's probably worth investing some confidence.

If we all had a dime for every time someone came up with a new encryption scheme and it failed miserably (WEP, DeCSS, etc.), we'd all be rich enough to sit around reading Slashdot all day...

IEEE

[vchoy]

The IEEE is worried that this may lead to the need to support two different standards in wireless networking hardware.

MHO: I do not think the IEEE has anything to worry about. For all I care, any Government can release their own home grown networking stack/protocol standard in regards to IEEE's 802.3 ...or any other 'standards' for that matter.

Will people accept this new standard? Who will manufactures trust: One Government/Country, or a respected body encompassing more than 380,000 individual members in 150 countries..promoting consensus-based standards?

As a consumer, which would you choose/trust?

Re:IEEE

As a consumer, which would you choose/trust?

Which ever is cheaper, likely to be the the one without patents.

Re:IEEE

[slick_rick]

It is surprisingly hard to find any census data on China (probably for obvious reasons). The data I could find is from over a decade ago. At that time (1986) over 60% of the population fell into the "peasant" category. Even if that number is only 50% now, that is still 600 million peasants who certainly aren't really in the market for wireless access points. Even a majority of those who are "non-peasants" probably aren't doing well enough to squander money on a WAP considering GDP per capita was only $467 in 1997.

I would guess less then 10% of the population of china could realistically be considered a "market" for electronic goods. That is a non-trivial 120 million people, but it certainly does not dwarf the combined western markets.

IEEE worried?

[seekr_hidr]

Stop bashing China people... How many times have some American company came out with their own standard that's different from IEEE's? TOO MANY TIMES! A new standard from China is just another drop of water in an ocean full of non compatible standards......

Wireless Standards horse

[Oriumpor]

Has been dead a long time, so stop beating it. 802.11b is not a standard, Linksys has their own proprietary 22mb scheme. 802.11g uhh Dlink/Linksys etc all have their "own" 72+ mb g network products. Even the standards have been bastardized with (I'm guessing) compression layers. WEP is horrible, there are ways to get around it (that require nearly as much bitspace overhead per/packet) ssh, openvpn, winblows vpn, ipsec etc etc.

So what if china wants their own wireless standard, there are so damn many already, one more quasi-secure wireless network isn't going to be revolutionary.

Re:Tinfoil hat or not?

[Jason+Earl]

My guess is that this has to do more with patents than with anything else. China has been consistent in their drive to force the industry towards products that they can manufacture without having to pay patent licensing. Since the Chinese probably don't have much wireless equipment already installed, they don't really care about existing standards based on someone else's patents. They would much rather use their tremendous market power to drive industries towards commoditization.

In short, the relative security of 802.11[bg] is a red herring. They don't give a crap about that, and they won't change their mind if the security in their standard gets busted tomorrow.

The Chinese plan is to force current wireless manufacturers to be compatible with the Chinese standard, and then come out with their own chips that implement the Chinese standard. They can then sell these new chips without paying any patent licensing fees and use their inexpensive labor to undercut the foreign products.

Of course, if it means lower prices for wireless products I am all for it. Heck, I would gladly buy products that only supported the Chinese standard if it worked and was less expensive than the current standards.

This is the way the game is played

[Quixote]

Countries use standards to benefit their own companies, and put hurdles in the path of outsiders. With the WTO and all, standards are one way to put up trade barriers.

Example: the NTSC, PAL, SECAM, MESECAM, etc standards for broadcast TV. Why do we have so many of them?

Another example: HDTV (US picked 8-VSB, Japan picked COFDM).

China has now realised that it is heavy enough (in "Gorilla" terms) that it is beginning to throw its weight around. A recent example was the new DVD format, EVD

Re:Tinfoil hat or not?

[javatips]

The current standard security scheme in wireless device is weak enough that the Chinese governement has no need to supply a less secure protocol.

No, they'll get someone else to do it.

[DrMorpheus]

Corporations, and companies (let's not lend creadence to the myth that only corporations are irresponsible) have had private police forces in the US as late as the 1920s. These private police forces had the ability to arrest and jail people, just like the US government.

Oh, for those trolls who might want to respond, "Yeah, but that was a hundred years ago..." might do well to read this link. Here's a short excerpt;

For the first time, an American judge has ordered a U.S. corporation to stand trial for alleged human-rights violations committed by a joint-venture partner overseas. In a case with potentially far-reaching implications, Los Angeles Superior Court Judge Victoria Chaney ruled from the bench Monday that Unocal Corp. may be held liable for the conduct of the government of Myanmar, formerly known as Burma, Unocal's partner in the Yadana gas field in southern Myanmar. A trial is scheduled for September on the allegations raised in the suit, which was filed by several Myanmar villagers in 1996. They charge that they were forced to work on the oil project in slave-like conditions by Myanmar's military.

So governments are NOT the only organization that oppresses people!

Learning from Microsoft

[simbiotic]

Sounds like the Chinese government are learning from the experts. Take a standard. Modify it a bit. Use your monopoly (whether commercial or state) to make everyone use your version. The US justice system has made it clear it is okay to behave this way so why shouldn't the rest of the world?

that concern is unjustified

[penguin7of9]

The IEEE is worried that this may lead to the need to support two different standards in wireless networking hardware."

That concern is entirely unjustified: 802.11 currently doesn't have any meaningful security. So, there won't be "two different standards", there will be just one: the Chinese one. Let's hope it catches on.

The IEEE should bow its head in shame--802.11's WEP was a complete fiasco and an embarrassment to engineering profession.

Maybe China doesn't want people to steal bandwidth

[phoxix]

Think about it

In the USA, having bucket loads of bandwidth is easy and cheap. However I suppose that isn't the case in China.

Wifi makes it real easy for one to steal another's bandwidth. (Especially with WEP ...). While in the USA this isn't such a big problem (yet), it might be a bigger on in China where bandwidth isn't as cheap nor plentiful.

While China is a communist gov't that doesn't care for freedom of speeh blah blah blah blah. It does need to look out for its own people. I for one see this only has a preemptive measure against what might be a serious problem in the future (especially for China's high population density).

Sunny Dubey

Now I know why communism is bad

[Lao+Da]

...it's because you can't do anything right...even when you behave exactly like a real capitalist. Do you realize how brain-washed some of you are about china? You even live in a sociaty with free press :(

There is a reason for different TV standards

[Jim+McCoy]

Example: the NTSC, PAL, SECAM, MESECAM, etc standards for broadcast TV. Why do we have so many of them?

Because TV was invented before the computer chip. Back in the dark mists of time you needed a way to get a clock cycle for your video signal. The easiest way to do this was to use the cycles in your AC mains power. In the US that is 60Hz while in Europe 50Hz was used, leading to two different framerate standards (NTSC is not 30 fps because of a hack performed when color was added to the broadcast signal.) PAL was developed after NTSC and fixed a few problems with the earlier standard, and Brazil created a PAL variant (M-PAL) that worked with a 60 Hz clock signal from the mains power.

SECAM was closer to the example being set here with the China wireless standard, it was created to be different for the sake of being different (we are French so our standard must be different, vive la difference...) as a way to help the French electronics industry of the time. Of course it was then chosen as the Soviet-block standard and then modified for the Middle East market into MESECAM.

It is all too wierd for words, but there was a method to the madness...