Slashdot Mirror


China Releases Own WLAN Security Standard

Lownewulf writes "This NetworkWorldFusion article describes the release of the GB15629.11-2003 wireless networking standard in China, a wireless standard similar to 802.11, but with better security. The IEEE is worried that this may lead to the need to support two different standards in wireless networking hardware." ziggyboy adds a link to CNET's article, noting that "all wireless devices sold in China are required to comply to this standard from December 1."

12 of 248 comments

  1. Tinfoil hat or not? by grub · · Score: 5, Interesting

    While WLAN equipment sold in China is required to comply with this standard from Dec. 1, a transition period has been granted that extends the compliance deadline for some WLAN products until June 1, 2004.

    This sounds terribly rushed. How long have they been working on GB15629.11-2003 for (the ..-2003 may be a hint)? How well has it been scrutinized by security people?

    These questions lead me to believe that there are two possibilities here:
    • A: This is a system that the Chinese government built weaknesses into to spy on its people.
    • B: The Chinese government is rushing to beat the IEEE people to make this an early standard which will make worldwide adoption easier. Now re-read A and drop the "on its people". Tell me if you feel better.
    That all said, you don't need to wait for these committees to finish fighting to harden your wireless LAN. At work we use IPSec over our 802.11[bg] stuff which is all VLAN'd and routed to an outside interface of our Cisco PIX.
    --
    Trolling is a art,
    1. Re:Tinfoil hat or not? by rifter · · Score: 5, Interesting

      "While WLAN equipment sold in China is required to comply with this standard from Dec. 1, a transition period has been granted that extends the compliance deadline for some WLAN products until June 1, 2004."

      This sounds terribly rushed. How long have they been working on GB15629.11-2003 for (the ..-2003 may be a hint)? How well has it been scrutinized by security people?

      These questions lead me to believe that there are two possibilities here:

      A: This is a system that the Chinese government built weaknesses into to spy on its people.

      B: The Chinese government is rushing to beat the IEEE people to make this an early standard which will make worldwide adoption easier. Now re-read A and drop the "on its people". Tell me if you feel better.

      That all said, you don't need to wait for these committees to finish fighting to harden your wireless LAN. At work we use IPSec over our 802.11[bg] stuff which is all VLAN'd and routed to an outside interface of our Cisco PIX.

      Personally, I see this as the beginning of the fulfillment of the warnings security experts have raised over the past 10 years which were ignored despite the thirty foot tall letters of fire that said "ignore this at your peril." US Companies and Governments have taken a consistently anti-security stance, fighting the addition and development of more secure products, fighting security research, fighting the exposure of insecure products, etc etc.

      Work on cryptography and encryption has to be done outside the US because of shortsighted laws and the aforementioned atmosphere. The crappiness of US wireless technology has been pointed out again and again only to be met with "STFU you terrorist! Do you want to destabilize our economy even more?" Now China is coming out with a better standard and US companies are scared to death people will switch since they refused to develop a decent one.

      I am not saying the Chinese method will be the best, either. On the contrary I think that it will be the beginning of a trend of better, more secure products being made in countries other than the US where innovation can actually occur without running afoul of our brain-dead IP and antisecurity laws. China not being a hotbed of innovation normally only suggests that we have much much worse to fear from countries which have a more individualistic culture.

    2. Re:Tinfoil hat or not? by ucsckevin · · Score: 5, Interesting

      This could be a part of the Golden Shield project.
      For the past few years, China has placed top priority on the development of its Golden Shield project, which, with the help of American companies like Cisco and Canadian companies like Lucent, is the most ambitious surveillance project in history. It essentially allows public security (gong'an ju) unprecedented access to citizens' data, both government (i.e. danwei information) and private (email, telephone conversations, text messages, etc.). They want to make sure its citizens aren't discussing democracy, practicing Falun Gong or any other unauthorized religion like Roman Catholicism (or any church that doesn't have a "patriotic" association with the government), or having an unauthorized birth.
      I'm laughing at myself cuz I know I sound slightly paranoid, but it's true.
      More info on Golden Shield (these three links are the same report, I'm posting three links as a hedge against any slashdot effect): here, here and here.
      *** If you're really interested in this subject, check out Ethan Gutmann's upcoming book Losing the New China; his insight and understanding will really blow your mind.

    3. Re:Tinfoil hat or not? by Anonymous Coward · · Score: 2, Interesting

      The condescending nature of your first sentence is unnecessary

      I've always felt there needs to be a "post is interesting, but poster is an asshole" moderation option.

  2. Multiple radio standards not an issue by heironymouscoward · · Score: 2, Interesting

    As general-purpose chips get smaller and cooler, there is less and less need to code a particular radio standard into the chips - it becomes possible to support multiple standards (Wifi, BlueTooth, GSM, etc.) Either switching between them, or even in parallel.

    --
    Ceci n'est pas une signature
  3. I applaud this! by Jacco+de+Leeuw · · Score: 2, Interesting

    Most vendors refuse to release updated drivers with WPA/TKIP support for their 802.11b gear. They knowingly sell broken (read: WEP) hardware that they don't intend to fix. They rather want you to buy 802.11g gear for WPA support!

    You know what, I'm fed up with this. Might just as well buy this Chinese gear then... (And run IPsec over it).

    --
    -------
    Warning: Slashdot may contain traces of nuts.
  4. Re:Security on AP's is a BAD idea by Kirill+Lokshin · · Score: 3, Interesting

    For most homes/businesses, encrypted wireless doesn't make sense. However, there are plenty of reasons to do encryption (or at least some other type of security measures) at the AP level in higher security situations (military/government stuff).

    For instance, suppose you send me an encrypted email that is transmitted over a wireless network at some point in its path. Someone eavesdropping on the wireless almost certainly can't decrypt the message - but they can tell that a message was transferred, and in many cases determine the approximate size of the message. There are certainly some situations where that would be considered a security breach.

    If the APs were security-conscious, however, they could prevent such eavesdropping (for instance by continuously transmitting a signal stream, and splicing the actual transmissions into it). Having this done at the VPN level is less effective, since all the VPN clients would need to be built to ignore the junk data, rather than just the APs.
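
The continuous-stream idea from the comment above, as an added example that is not part of the original thread: a sender emits one fixed-size cell per tick and splices real messages into it, so an eavesdropper sees the same sizes and timing whether or not anything is sent. `PaddedLink`, `Receiver`, `run`, the 64-byte cell and the one-cell-per-tick schedule are all assumptions, and the link encryption that would hide the header is assumed rather than implemented.

```python
import os
import struct

CELL_SIZE = 64                    # assumed size; a real link would also encrypt each cell
HEADER = struct.Struct("!H")      # count of real payload bytes carried in this cell
PAYLOAD_MAX = CELL_SIZE - HEADER.size

class PaddedLink:
    """Hypothetical sender: emits exactly one fixed-size cell per tick."""
    def __init__(self):
        self.queue = bytearray()

    def send(self, message: bytes) -> None:
        self.queue += struct.pack("!I", len(message)) + message  # length-prefixed

    def tick(self) -> bytes:
        chunk = bytes(self.queue[:PAYLOAD_MAX])
        del self.queue[:PAYLOAD_MAX]
        filler = os.urandom(PAYLOAD_MAX - len(chunk))  # junk when idle or short
        return HEADER.pack(len(chunk)) + chunk + filler

class Receiver:
    """Hypothetical receiver: drops the filler and re-splits the byte stream."""
    def __init__(self):
        self.buffer = bytearray()

    def feed(self, cell: bytes) -> list:
        (n,) = HEADER.unpack_from(cell)
        self.buffer += cell[HEADER.size:HEADER.size + n]
        messages = []
        while len(self.buffer) >= 4:
            (length,) = struct.unpack_from("!I", self.buffer)
            if len(self.buffer) < 4 + length:
                break                              # message still incomplete
            messages.append(bytes(self.buffer[4:4 + length]))
            del self.buffer[:4 + length]
        return messages

def run(messages_by_tick: dict, ticks: int):
    """Return (cell sizes an eavesdropper observes, messages the receiver recovers)."""
    link, rx = PaddedLink(), Receiver()
    observed, delivered = [], []
    for t in range(ticks):
        for m in messages_by_tick.get(t, []):
            link.send(m)
        cell = link.tick()
        observed.append(len(cell))                 # all the observer learns per tick
        delivered += rx.feed(cell)
    return observed, delivered
```

Because the filler is stripped by the receiving end of the link, endpoints behind it never see the junk data, which is the advantage the comment claims for doing this at the AP rather than in every VPN client.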

  5. IEEE Worried? by Czernobog · · Score: 3, Interesting

    Why should I or the Chinese or anyone else care?
    Since when did the IEEE become the ultimate authority on standards? It's a USA institution, remember. Other countries have their own institutions for this.
    And it's not as if the IEEE is the most unbiased institution of them all. Corporate money decides what's a standard more often than not nowadays...

    As far as the issue of standards themselves. Since when do we have to always follow standards, especially others'? If something works better for more people, then bring it on. Progress occurs when breaking with tradition/standards and there is merit to the new system/whatever. Not by blindly following the old standards.

    --
    /. Where the truth
  6. It is not a choice by MacFury · · Score: 2, Interesting
    It is not a choice. To sell WiFi in China, you must use their standard.

    This poses a couple of issues for international companies. Why spend development money on both a US and China standard? The US does not mandate that you have to use 802.11b, so why not ditch it and go with the Chinese standard, cutting development and support costs in half?

    I work in retail. Trust me, consumers really don't care. Hell, half the time they don't even care if what they buy works, so long as they like what it looks like and it's cheap.

  7. Re:On Tinfoil hats and then some by aminorex · · Score: 2, Interesting

    So what makes you think that the Chinese national standard ISN'T a vintage, time-worn cryptosystem? Just because a standard was issued recently doesn't mean that the material being standardized isn't old.

    --
    -I like my women like I like my tea: green-
  8. ...from Google... by Hobart · · Score: 2, Interesting
    http://www.chinabwips.org/en/tech.htm
    When encrypting to the transmitting data, the course of encryption and decryption is realized by the algorithm hardware supplied by the National Commercial Key Management Office, which fully guarantees the security of transmitting data.

    Sounds like Clipper/Skipjack.
    The security mechanism WAPI in GB 15629.11-2003 adopts the key certification mechanism based on ellipse
    IANACryptographer, but isn't Elliptic Curve cryptography the most thoroughly patent-laden field out there? Working, strong security is an already-solved problem, implemented in both SSL and SSH, [3DES/AES, RSA/DSA, SHA] ... Anything that strays from these, to the best of my understanding, is asking for trouble.

    --
    o/~ Join us now and share the software ...
  9. ha ha! by sir_cello · · Score: 2, Interesting


    How about this: the LSB is about to formalise its own unix standard based upon Linux at ISO, despite the 90% similarity between LSB and POSIX. Apparently, the LSB folks claim Linux is sufficiently different and many other bogus Microsoft-like arguments.

    You think that I am joking?