Slashdot Mirror

← Back to Stories (view on slashdot.org)

China Releases Own WLAN Security Standard

Posted by timothy on from the more-than-nomenclature dept.

Lownewulf writes "This NetworkWorldFusion article describes the release of the GB15629.11-2003 wireless networking standard in China, a wireless standard similar to 802.11, but with better security. The IEEE is worried that this may lead to the need to support two different standards in wireless networking hardware." ziggyboy adds a link to CNET's article, noting that "all wireless devices sold in China are required to comply to this standard from December 1."

25 of 248 comments (clear)

  1. Tinfoil hat or not? by grub · · Score: 5, Interesting

    While WLAN equipment sold in China is required to comply with this standard from Dec. 1, a transition period has been granted that extends the compliance deadline for some WLAN products until June 1, 2004.

    This sounds terribly rushed. How long have they been working on GB15629.11-2003 for (the ..-2003 may be a hint)? How well has it been scrutinized by security people?

    These questions lead me to believe that there are two possibilities here:
    • A: This is a system that the Chinese government built weaknesses into to spy on its people.
    • B: The Chinese government is rushing to get beat the IEEE people to make this an early standard which will make worldwide adoption easier. Now re-read A and drop the "on its people". Tell me if you feel better.
    That all said, you don't need to wait for these committees to finish fighting to harden your wireless LAN. At work we use IPSec over our 802.11[bg] stuff which is all VLAN'd and routed to an outside interface of our Cisco PIX.
    --
    Trolling is a art,
    1. Re:Tinfoil hat or not? by Jason+Earl · · Score: 5, Insightful

      My guess is that this has to do more with patents than with anything else. China has been consistent in their drive to force the industry towards products that they can manufacture without having to pay patent licensing. Since the Chinese probably don't have much wireless equipment already installed, they don't really care about existing standards based on someone else's patents. They would much rather use their tremendous market power to drive industries towards commoditization.

      In short, the relative security of 802.11[bg] is a red herring. They don't give a crap about that, and they won't change their mind if the security in their standard gets busted tomorrow.

      The Chinese plan is to force current wireless manufacturers to be compatible with the Chinese standard, and then come out with their own chips that implement the Chinese standard. They can then sell these new chips without paying any patent licensing fees and use their inexpensive labor to undercut the foreign products.

      Of course, if it means lower prices for wireless products I am all for it. Heck, I would gladly buy products that only supported the Chinese standard if it worked and was less expensive than the current standards.

    2. Re:Tinfoil hat or not? by rifter · · Score: 5, Interesting

      "While WLAN equipment sold in China is required to comply with this standard from Dec. 1, a transition period has been granted that extends the compliance deadline for some WLAN products until June 1, 2004."

      This sounds terribly rushed. How long have they been working on GB15629.11-2003 for (the ..-2003 may be a hint)? How well has it been scrutinized by security people?

      These questions lead me to believe that there are two possibilities here:

      A: This is a system that the Chinese government built weaknesses into to spy on its people.

      B: The Chinese government is rushing to get beat the IEEE people to make this an early standard which will make worldwide adoption easier. Now re-read A and drop the "on its people". Tell me if you feel better.

      That all said, you don't need to wait for these committees to finish fighting to harden your wireless LAN. At work we use IPSec over our 802.11[bg] stuff which is all VLAN'd and routed to an outside interface of our Cisco PIX.

      Personally, I see this as the beginning of the fulfillment of the warnings security experts have raised over the past 10 years which were ignored despite the thirty foot tall letters of fire that said "ignore this at your peril." US Companies and Governments have taken a consistently anti-security stance, fighting the addition and development of more secure products, fighting security research, fighting the exposure of insecure products, etc etc.

      Work on cryptography and encryption has to be done outside the US because of shortsighted laws and the aforementioned atmosphere. The crappiness of US wireless technology has been pointed out again and again only to be met with "STFU you terrorist! Do you want to destabilize our economy even more?" Now China is coming out with a better standard and US companies are scared to death people will switch since they refused to develop a decent one.

      I am not saying the Chinese method will be the best, either. On the contrary I think that it will be the beginning of a trend of better, more secure products being made in countries other than the US where innovation can actually occur without running afoul of our brain-dead IP and antisecurity laws. China not being a hotbed of innovation normally only suggests that we have much much worse to fear from countries which have a more individualistic culture.

    3. Re:Tinfoil hat or not? by ucsckevin · · Score: 5, Interesting

      This could be a part of the golden shield project.
      For the past few years, China has placed top priority on the development of its golden shield project, which with the help of American companies like Cisco and Canadian companies like lucent, is the most ambitious surveillance project in history. It essentially allows public security (gong'an ju) unprecendented access to citizen's data, both government (i.e. danwei information) and private (email, telephone conversations, text messages, etc.). They want to make sure its citizens aren't discussing democracy, praticing falun gong, or any other unauthorized religion like roman catholicism (or any church that doesn't have a "patriotic" association with the government, or having an unauthorized birth.
      I'm laughing at myself cuz I know I sound slightly paranoid, but it's true.
      More info on golden shield (these three links are the same report, i'm posting three links as a hedge against any slashdot effect)here here and here
      *** If you're really interested in this subject, check out Ethan Gutmann's upcoming book losing the new china his insight and understanding will really blow your mind.

  2. New Standard by SilentSage · · Score: 5, Insightful

    I disagree with the assertion of the poster that the Chineese standard has better security. For starters it does not use AES (the new advanced encryption standard) and the article does not specify what (if any) encryption protocol the Chineese standard uses. What this seems to me to be is an attempt to give the Chineese government a larger voice in the implementation of new networking standards. If hardware vendors and the IEEE roll over on this one the next thing you will see out of China (and other like minded countries who will follow suit) are the emergence of protocols which make it easier to censor and control content on the web. The market pressure to comply with this standard will be huge however. Given the size and growth of the Chineese market the financial rewards for early adopters will be great not to mention the potential to establish a major vendor footprint in an emerging market.

    1. Re:New Standard by landoltjp · · Score: 3, Insightful

      Although I can understand the concern of having the Chineese government push privacy-eroding standards into networking protocols, how is this any different than the US-backed standards such as the "Fritz chip" (I believe), or key-escrow standards, or the requirement to adopt standards or technology that allow Federal Snooping Bodies to monitor internet traffic from their office Lay-Z-Boys?

      The Chineese aren't the only sharks in the ocean. The US Government doesn't seem to be promoting much better; they just have the luxury of wrapping themselves in the Stars & Stripes whilst they do it.

  3. 802.11i? by Dave2+Wickham · · Score: 4, Funny

    I must say I've never heard of 802.11i before; have I missed everybody talking about it, or is it underreported? I don't pretend to be an expert in wireless technology, but I've not seen it mentioned anywhere... Then again, their status page (quickly looked up, yay Mysterious Future...) uses <blink>, was exported by MS Word, was "cleaned up" by Netscape 4, and has an incorrectly capitalised DOCTYPE, and I'm not sure if I'd trust wireless security to a group with a status page like that :-P (I know, they probably didn't make the page, but it still gives a bad impression).

  4. So now the 800lb gorilla... by akaina · · Score: 5, Funny

    ...a country with one of the worst records of human rights violations now has their own:

    Flavor of linux (RedFlag)
    DVD standards
    wireless encryption
    Video compression (AVS)
    Taikonauts
    Access to windows source code
    Web searching (Chinese Search Alliance)
    CPU architecture (Dragon)

    Is anybody else out there as concerned as I am about this?

    --
    Remembering that you are going to die is the best way I know to avoid the trap of thinking you have something to lose.
    1. Re:So now the 800lb gorilla... by dmp123 · · Score: 5, Insightful

      No, not at all.

      The US has all of the above (or rather, US *Corporations* do)... I personally think that for this power to be shared among countries is good - too much one way is bad.

      I'm not sure I trust US corporations to 'do the right thing' any more than I trust the Chinese government.

      David

  5. Very secure devices by Rosco+P.+Coltrane · · Score: 3, Funny

    The HTML configuration pages are all in Chinese, and the devices have strict orders to not talk to foreign capitalist pigdogs, under penalty of immediate brutal termination and dismantlement.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  6. standards joke by rexguo · · Score: 5, Funny

    "The great thing about standards, is that there are so many to choose from"

    --
    www.rexguo.com - Technologist + Designer
  7. Get Used to It by randall_burns · · Score: 4, Insightful

    China is likely to become the world's largest economy in the not so distant future. The technical community there _will_ want to make their mark on important standards in IT. The real way around this for the United States and the EU is to cultivate technical excellence among their own citizens-something the current corrupt governments and corporate elites are hesitant to do.

  8. B15629.11-2003 is a bit of a mouthfull... by Aardpig · · Score: 5, Funny

    ...wouldn't Wi-Chi be better?

    --
    Tubal-Cain smokes the white owl.
  9. I saw this in Command & Conquer Generals by Rahga · · Score: 4, Funny

    This is why Black Lotus and your hordes of hackers say "I can hack into anything."

    Forget accounting fraud and unethical stock manipulations... The real threat will be obvious when hundreds of men from China gather on the lawn 100 feet away from the Pentagon and pull out their laptops.

  10. Security on AP's is a BAD idea by div_2n · · Score: 3, Insightful

    I still don't understand why people get so wrapped up on encryption at the AP level. Wired switches and routers don't encrypt data. That is reserved for firewall/vpn devices which makes sense because the overhead associated (beyond security concerns) doesn't make sense to burden your transport mechanism.

    What do people want encrypted? Their credit card numbers? Encryption of sensitive information like CC#'s is (should) be handled by SSL where the data is encrypted BEFORE it leaves the pc. No wireless encryption needed. Their e-mail? If they are sending that sensitive of information, they probably shouldn't use standard e-mail in the first place. They should encrypt a document and then e-mail it or encrypt the e-mail itself.

    I am still yet to find a situation where encrypted wireless signals make sense for home or even business situations. If it is a business that is in need of securing their communications, they should use VPN's anyway.

    I think it makes more sense for an additional independent circuitry to be installed on AP's that does VPN's and build into wireless cards a VPN client or include VPN software. Hell, even make an externally pluggable device that attaches to an AP so that it can be upgraded as future VPN's get stronger in encryption.

    Leave AP's to do what the do best--serve wireless clients.

    1. Re:Security on AP's is a BAD idea by Kirill+Lokshin · · Score: 3, Interesting

      For most homes/businesses, encrypted wireless doesn't make sense. However, there are plenty of reasons to do encryption (or at least some other type of security measures) at the AP level in higher security situations (military/government stuff).

      For instance, suppose you send me an encrypted email that is transmitted over a wireless network at some point in its path. Someone eavesdropping on the wireless almost certainly can't decrypt the message - but they can tell that a message was transferred, and in many cases determine the approximate size of the message. There are certainly some situations where that would be considered a security breach.

      If the AP's were security-conscious, however, they could prevent such eavesdropping (for instance by continuously transmitting a signal stream, and splicing the actual transmissions into it). Having this done at the VPN level is less effective, since all the VPN clients would need to be built to ignore the junk data, rather than just the AP's.

    2. Re:Security on AP's is a BAD idea by Chanc_Gorkon · · Score: 4, Insightful

      Security at the AP IS needed. First, if there's no security built into the AP, anyone can get on your network. It's like putting a Ethernet jack on your unsecured front porch or even worse....at the mailbox. Sure they may not be able to get to your servers, but they still can steal bandwidth from your applications.

      Second, anything that is broadcast over the air can be picked up and recorded. If it's not encrypted, you run the risk of letting anything you do on your WiFi. They don't even have to connect to your AP....they could just fire up the laptop with the WiFi card in promiscuous mode and scan away. I agree with you that cc numbers and really important things SHOULD be encrypted befor sent, but personally, I really don't want just anyone else knowing what websites I go to even though I do have nothing to hide.

      Lastly, even if you did have some security built into the AP (even if your using something more then WEP), I'd still require a VPN to get to the internal network. As it is, AP's probably don't have the horsepower to do user authentication plus you probably already have LDAP or something else internally for authentication. Plus adding the VPN as a requirement for WiFi users also adds another layer of security.

      --

      Gorkman

  11. On Tinfoil hats and then some by segment · · Score: 4, Insightful
    Tinfoil warrior (need I say more?)

    Coincidentally, the majority of members of the WI-FI Alliance are American companies, so I would be skeptical to pass this off as nothing more than a `shit China is gonna kill us with their low manufacturing costs' response. If the security is supposedly better as the post states, than why not verify this, and migrate to it. Wouldn't that make more sense than basically stating "you're security is good! but it's not a standard so we don't want it"

    --
    MoFscker
  12. IEEE worried? by seekr_hidr · · Score: 5, Insightful

    Stop bashing China people... How many times have some American company came out with their own standard that's different from IEEE's? TOO MANY TIMES! A new standard from China is just another drop of water in an ocean full of non compatible standards......

  13. Wireless Standards horse by Oriumpor · · Score: 4, Insightful

    Has been dead a long time, so stop beating it. 802.11b is not a standard, Linksys has their own proprietary 22mb scheme. 802.11g uhh Dlink/Linksys etc all have their "own" 72+ mb g network products. Even the standards have been bastardized with (I'm guessing) compression layers. WEP is horrible, there are ways to get around it (that require nearly as much bitspace overhead per/packet) ssh, openvpn, winblows vpn, ipsec etc etc.

    So what if china wants their own wireless standard, there are so damn many already, one more quasi-secure wireless network isn't going to be revolutionary.

  14. This is the way the game is played by Quixote · · Score: 4, Insightful
    Countries use standards to benefit their own companies, and put hurdles in the path of outsiders. With the WTO and all, standards are one way to put up trade barriers.

    Example: the NTSC, PAL, SECAM, MESECAM, etc standards for broadcast TV. Why do we have so many of them?

    Another example: HDTV (US picked 8-VSB, Japan picked COFDM).

    China has now realised that it is heavy enough (in "Gorilla" terms) that it is beginning to throw its weight around. A recent example was the new DVD format, EVD

  15. Re:So.. by zulux · · Score: 3, Insightful

    I'm pretty sure it was chosen for the people and not by the people.

    Even most desmocracies were set up by the powerfull and not the 'people' - usuall powerfull internal forces (the revolutionaries with big ideas and lots of guns) or by powerfull outside forces (the invading armby with big ideas and lots of guns).

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

  16. No, they'll get someone else to do it. by DrMorpheus · · Score: 3, Insightful
    Corporations, and companies (let's not lend creadence to the myth that only corporations are irresponsible) have had private police forces in the US as late as the 1920s. These private police forces had the ability to arrest and jail people, just like the US government.

    Oh, for those trolls who might want to respond, "Yeah, but that was a hundred years ago..." might do well to read this link. Here's a short excerpt;

    For the first time, an American judge has ordered a U.S. corporation to stand trial for alleged human-rights violations committed by a joint-venture partner overseas. In a case with potentially far-reaching implications, Los Angeles Superior Court Judge Victoria Chaney ruled from the bench Monday that Unocal Corp. may be held liable for the conduct of the government of Myanmar, formerly known as Burma, Unocal's partner in the Yadana gas field in southern Myanmar. A trial is scheduled for September on the allegations raised in the suit, which was filed by several Myanmar villagers in 1996. They charge that they were forced to work on the oil project in slave-like conditions by Myanmar's military.
    So governments are NOT the only organization that oppresses people!
    --
    Debunking the "59 Deceits"
  17. Learning from Microsoft by simbiotic · · Score: 5, Insightful

    Sounds like the Chinese government are learning from the experts. Take a standard. Modify it a bit. Use your monopoly (whether commercial or state) to make everyone use your version. The US justice system has made it clear it is okay to behave this way so why shouldn't the rest of the world?

  18. IEEE Worried? by Czernobog · · Score: 3, Interesting

    Why should I or the Chinese or anyone else care?
    Since when did the IEEE become the ultimate authority on standards? It's a USA institution remember. Other countries have their own institutions for this..
    And it's not as if the IEEE is the most unbiased institution of them all. Corporate money decides what's a standard more often than not nowadays...

    As far as the issue of standards themeselves. Since when do we have to always follow standards, especially others'? If something works better for more people, then bring it on. Progress occurs when breaking with tradition/standards and there is merit to the new system/whatever. Not by blindly following the old standards.

    --
    /. Where the truth