China walked out of a wireless standards meeting this week, accusing the International Organization for Standardization of favoring the IEEE’s 802.11i ANSI-certified wireless LAN security scheme over its own controversial proposal, EE Times has learned.
China’s Wireless Authentication and Privacy Infrastructure (WAPI) security scheme was withdrawn and placed on a slower track by the ISO, triggering the protest.
The draft IEEE 802.11i (also known as WPA2) was ratified on 24 June 2004. Wi-Fi Protected Access (WPA) had previously been introduced by the Wi-Fi Alliance as an intermediate solution to WEP insecurities. It implemented a subset of 802.11i.
China initially agreed last year to refrain from making its WAPI security scheme mandatory for wireless LAN equipment in China. It then approached ISO with a fast-track submission in an effort to make WAPI an international security standard.
The 802.11i proposal is also on the fast-track for ISO approval, possibly by April. Until this week, the ISO group was focused on whether or not both 802.11i and WAPI should be cemented as enhanced but optional security standards.
However, sources said tempers flared when China’s original fast-track submission, designated 1N7506 of China National Standard GB15629.11 (WAPI), was withdrawn from consideration. It was replaced by a revised submission, designated 6N12687, that removed the China proposal from the organization’s fast-track approval process.
Sources said China walked out specifically over disputes centering on which members have authority to seek a withdrawal and the timing of the request. Chinese delegates also accused ISO of favoring the IEEE 802.11i proposal.
It remains unclear for now whether the dispute will affect the current suspension of China’s original law requiring mandatory implementation of WAPI. The IEEE is currently drafting a formal response, but declined to comment.
Glenn Fleishman believes the Chinese object to 802.11i because it includes a 128-bit key length version of AES, which they believe the NSA has the ability to decipher.
The corresponding problem with WAPI is that it is a proprietary protocol controlled by the government, which leads one to believe that it has either a back-door or a weak known flaw in it that would allow interception.
The recent ratification of 802.11i (Wikipedia) makes it a good time for enterprises to consider wireless networks, says eWEEK. While products enabled for 802.11i are available, eWEEK Labs found that issues ranging from incompatible legacy hardware to uneven migration strategies may slow adoption of 802.11i technology.
Similar to WPA (Wi-Fi Protected Access), a stopgap solution based on Draft 3 of the 802.11i specification, 802.11i uses port-based authentication against a RADIUS server to authenticate users. However, 802.11i streamlines WPA’s key exchange process among the client, access point and authorization server by requiring fewer messages.
It’s best to think of 802.11i not as a single protocol but rather as a security framework, explains Wireless Design Line, like a recipe listing the ingredients to bake a cake.
Unlike other authentication protocols, EAP does not force users into certain types of authentication. Each type of EAP authentication is called a method. Some EAP methods use certificates and others use smart cards or usernames and passwords. Some EAP methods do mutual authentication while others only authenticate the client. Since 802.11 security requires mutual authentication, not all EAP methods are appropriate for use in a wireless network, says Wireless Design Line.
The motivation of the Chinese to walk out on the ISO rejection of WAPI is still unclear. Perhaps it has less to do with WAPI than with general trade issues.










