Slashdot Mirror


China Walks Out of Wireless LAN Security Talks

Ant writes "A CommsDesign article reports that China walked out of a wireless standards meeting this week, accusing the International Organization for Standardization of favoring the IEEE's 802.11i ANSI-certified wireless LAN security scheme over its own controversial proposal, EE Times has learned. The gambit came after China's Wireless Authentication and Privacy Infrastructure (WAPI) security scheme was withdrawn and placed on a slower track by the ISO." From the article: "China initially agreed last year to refrain from making its WAPI security scheme mandatory for wireless LAN equipment in China. It then approached ISO with a fast-track submission in an effort to make WAPI an international security standard."

9 of 313 comments

  1. WAPI is old by christoofar · · Score: 5, Informative

    According to this rant WAPI is "on old technology, performs poorly and is insecure"

  2. Re:Nothing for you to see here. Please move along. by Anonymous Coward · · Score: 1, Informative

    Because China is one of the fastest growing economies in the world. Thar's money in dem hills!

  3. You can't sell shit to a cow farmer by TechyImmigrant · · Score: 5, Informative

    Repeat after me... WAPI is Crappy.

    WAPI is insecure, doesn't scale, late and undeployable.

    If you read the specs and had any involvement in the 802.11i process, you will understand what an amateur piece of work WAPI is. It was compounded with the blatant IP grab that China was trying to make with WAPI (you have to send China your RTL, then *THEY* can integrate it into your chip - yeah right).

    The only way you can effectively write 802.11 specifications for anything as intertwined with the base spec is to go to the 802 meetings and propose your scheme. From 802, down through 802.11 and the 802.11 task groups, the documents are heavily cross dependent and part of the purpose of these massive meetings is to make sure that all the bits fit together and are kept up to date with respect to each other.

    Trying to write an 802.11i replacement in isolation is doomed to failure and fail is exactly what they did.

    Now they are forum shopping. ISO rubber stamps the 802 documents because 802 has a long history of successful open standards development. Whining 'it's not fair! They won't take our spec but they will take the IEEE specs' is disingenuous bullshit and they know it. There is a basic quality threshold you have to pass first.

    --
    Evil people are out to get you.
    1. Re:You can't sell shit to a cow farmer by TechyImmigrant · · Score: 2, Informative

      If it's bit strength on the link cipher you're worried about then define a stronger link cipher. If it's the authentication method then define a new EAP method.

      802.11i is extensible like that. It is only the base modes for interoperability that are mandated. Support for vendor proprietary additions is included and they are distinguished using the standard IEEE OUI.

      WAPI throws the whole lot out (they delete clause 8 and start over) and replaces it with something broken.

      --
      Evil people are out to get you.
  4. What is WAPI anyway? by Daedala · · Score: 3, Informative

    Now that's security theater...

    Here is a paper that describes the WAPI standard. As a cryptodilettante, damned if I know if it's any good.

    --
    What I say does not represent the views of my employers, my friends, my cats, or myself.
    1. Re:What is WAPI anyway? by thomasa · · Score: 5, Informative

      From the paper:

      "The only secret part of the protocol is the symmetric encryption algorithm used between a wireless device and the access point, after both of them have been authenticated." and "The regulation also requires that any company who develops products that use encryption to keep the encryption algorithm a secret from anyone who is not authorized to know the algorithm"


      To have a secret algorithm is a bit untrustworthy!
      Would you trust your secrets to a secret Chinese algorithm? It might be good but clearly the Chinese can break it.

  5. Re:Nothing for you to see here. Please move along. by TiggertheMad · · Score: 2, Informative

    Except that China isn't really Communist any more, and hasn't been Communist since Mao's death.

    One might even go so far as to say China has never been communist according to the doctrine laid out by Marx, but some form of Socialist Dictatorship. Even when Mao was in charge, they had constant battles with Moscow over the fact that China's communism didn't match up with Russia's communism. And neither was what Marx had envisioned.

    They make good fortune cookies, though.

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!
  6. Re:Detestable Pro-American Pansies by Guppy06 · · Score: 2, Informative

    " Neither the IEEE nor ANSI is American."

    And what does the "A" in "ANSI" stand for again?

  7. Forget the Chinese part by Sycraft-fu · · Score: 2, Informative

    You don't trust crypto that is secret, period. For everything I'm aware of short of a one time pad (and even that sort of) you don't prove it to be strong, you prove it to be not weak. Ok sounds like a silly language game but here's what I mean:

    A proof something is strong would mean you could conduct a single test that would prove that an algorithm didn't have any flaws. That test would be all that's needed. It'd get redone a number of times to ensure there were no errors in testing, but if it passed, you'd know it's good.

    Well, can't do that. What you can do, and do in reality, is try over and over to break it. You have all kinds of experts hack away at an algorithm and see if they can crack it. When nobody can, and when they do all sorts of mathematical tests showing that probably it can't be broken, you feel confident in calling it strong.

    There's a reason why it took so long for Rijndael to become AES. It had to undergo a lot of testing (past what it already had) before FIPS was convinced that yes, it really was secure. It wasn't proved in one magic test, rather the continual failures to break it were seen as a mounting amount of evidence that, indeed no break is possible.

    So you never, ever, trust an encryption that uses a secret method. If it hasn't been tested by the world mathematical and cryptographic communities, it isn't worth its shit. For all you know there could be a gaping hole that even the developers don't know about, but will be discovered soon. You only ever use tested, reviewed, public crypto.

    Hell, for the reason of testing, some people still recommend the use of 3DES instead of AES. Why? Well though AES is superior in the long term, since it'll be harder to crack brute force, it just doesn't have the history 3DES does. There has been a couple of decades of DES usage, with no breaks. Thus you can pretty confidently say there will be no breaks, until computers are of sufficient power to brute force 3DES, you are safe, and that's going to be a while. AES is almost certainly as good or better, but still, there's not that history of proof, it's the new kid.

    So regardless of your trust for a particular nation, don't ever trust secret crypto. Even if the intent isn't to have it breakable, it very well could be.