Clouds hang low over Chinese WLAN standard

China’s implementation of a national standard for wireless LANs (WLANs) is bad news for Chinese end-users and could signal the start of a renewed push to exert greater government control over encryption technology in the world’s most populous country, according to U.S. industry groups.

The Chinese WLAN standard, GB15629.11-2003, is very similar to the Institute of Electrical and Electronics Engineers Inc.’s (IEEE’s) 802.11 standard, commonly known as Wireless Fidelity or Wi-Fi, but it uses a different security protocol developed locally, called WLAN Authentication and Privacy Infrastructure (WAPI).

The Standardization Administration of China (SAC) approved the standard on May 12 and it came into effect on Dec. 1. While vendors that want to sell WLAN gear in China are now required to conform to this standard, the SAC has granted a transition period that extends the compliance deadline for certain products until June 1.

China’s adoption of a different standard could hurt Chinese users as well as the global WLAN industry, said Dennis Eaton, chairman of the Wi-Fi Alliance, an organization that certifies and promotes 802.11 wireless LAN technology.

“It’s going to put those products at a pretty substantial cost disadvantage,” Eaton said. “The technical requirements for WAPI, from a processing standpoint, are much higher.”

The Chinese specification will probably require more memory as well and will make it harder to integrate into handheld devices such as phones and PDAs (personal digital assistants), Eaton said. The impact on WLAN hardware is likely to have a ripple effect on other products that incorporate wireless networking capabilities, such as notebook PCs, he added.

In addition, a separate standard could make the networking gear bought by Chinese customers unusable in other countries, Eaton added.

IEEE shares Eaton’s concerns. In a Nov. 23 letter to SAC Chairman Li Zhonghai and Wang Xudong, China’s minister of information industry, Paul Nikolich, the chairman of the IEEE 802 Local and Metropolitan Area Network Standards Committee, wrote: “We believe that mandatory implementation of the WAPI protocols would unnecessarily fracture the world market for WLAN products.”

Complicating the matter further, foreign vendors that want to produce products that comply with the Chinese WLAN standard must sign coproduction agreements with one of 11 local companies designated by the Chinese government, which justified the move by citing national security concerns, according to a briefing document prepared by the U.S. Information Technology Office (USITO), an industry group that represents a broad range of technology companies.

No rules have been set to govern how these coproduction arrangements must be handled, it said.

“The designated companies either compete with U.S. companies involved in WLAN or hope to compete with them. A ‘coproduction’ arrangement under these circumstances is highly disadvantageous to the foreign side,” USITO said.

Foreign companies will not know what technology is being added to their products, raising concerns over liability and appropriate compensation levels for the foreign company and the local partner, USITO said. Additionally, Chinese companies, which have been provided with detailed technical information on WAPI, may refuse to provide or delay providing the security protocol to a foreign company, giving Chinese companies an advantage in the marketplace, it said.

Coproduction partners could also demand detailed technical specifications from foreign companies with the excuse they cannot implement the required security protocols without a full understanding of the foreign technology, it said.

Very little is known about the technical specifics of the security protocol at the heart of the Chinese WLAN standard.

The State Encryption Management Committee (SEMC) and SAC have not provided detailed technical information on WAPI or the ownership of the intellectual property used in WAPI and licensing royalties have not been set, USITO said. However, SEMC and SAC have said only local companies will be allowed to apply for the certifications required to sell networking gear based on the Chinese WLAN standard and foreign vendors will be required to bear the costs for testing and certification, it said.

While groups like Wi-Fi Alliance and USITO have expressed their concerns over China’s WLAN standard and the licensing requirements, vendors have been more cautious.

Executives at Cisco Systems Inc. and Netgear Inc. in Beijing would only say they are studying the standard.

On the Chinese side, networking equipment vendor ZTE Corp. and the China Broadband Wireless IP Standard Working Group, a standards body set up by China’s Ministry of Information Industry that helped develop the Chinese WLAN standard, declined to comment. SEMC and SAC officials could not be reached for comment.

While detailed technical specifications of WAPI have not been made available, some details have emerged.

WAPI uses a block cipher for encryption and an authentication mechanism that appears to be similar to the IEEE 802.1x standard, which is part of the upcoming IEEE 802.11i security standard, Wi-Fi Alliance’s Easton said. A block cipher is a symmetric-key encryption algorithm that transforms a block of unencrypted data into a block of encrypted data with the same length.

Diagrams shown during technical discussions with Chinese officials indicated something like a RADIUS (Remote Authentication Dial-In User Service) server being used for authentication, with an interesting twist: They seemed to show a central RADIUS system for authenticating all users on all WLANs in China, he said.

However, that feature and others may not be required as part of WAPI, Easton said, noting many details are not clear.

That WAPI is veiled in mystery is no surprise. In 1999, China’s State Council, the country’s highest administrative body, issued a decree, called Directive 237, which regulates commercial encryption ciphers and requires encryption technology to be developed and sold under a blanket of secrecy.

“The scientific research and production of commercial encryption cipher products should be conducted under conditions that meet the needs of maintaining security and secrecy,” Directive 237 states. “Work units and personnel responsible for the scientific research, production and sales of commercial encryption cipher products must bear the responsibility of confidentiality with regard to the commercial encryption cipher technologies they come in contact with or control.”

Directive 237 also states that individuals who leak technical data related to commercial encryption ciphers will be prosecuted and, in cases where national security is deemed to be at risk, they will be arrested.

SEMC has confirmed that the encryption management methods being employed with the Chinese WLAN standard are being implemented in accordance with Directive 237, raising concerns that the Chinese WLAN standard could represent a renewed push to bring commercial encryption technology under government control, said Anne Stevenson-Yang, managing director of USITO in Beijing.

“WLAN is the first part of a broader plan,” Stevenson-Yang said, adding that Chinese officials had likely decided to implement Directive 237 with WLAN because China’s wireless networking market is in the early stages of development.

Stevenson-Yang said the objectives of Chinese officials are outlined in Directive 237, which states that only government-approved encryption technology may be used by companies and individuals in China and prohibits the use of encryption technology developed overseas. In addition, individuals are required to register any product that uses encryption and must notify the government when the product is discarded. The directive prohibits the transfer of ownership for any product that uses encryption.

When Directive 237 was announced in October 1999, concerns were raised by foreign businesses about its scope. In response, SEMC issued a clarification in March 2000 which stated the directive only applied to specialized hardware and software used for encryption and decryption and stated that mobile phones, computer operating systems, Internet browsers and other products would not be affected.

Whether that clarification still applies is not clear, Stevenson-Yang said, noting Chinese officials had told her “the clarification only applies to what was available in the market at that time.”

The implementation of Directive 237 with the Chinese WLAN standard significantly expands the directive’s scope beyond that defined in the clarification, and raises the possibility that the directive could be applied for encryption systems used in mobile phones, DVD players, Web browsers, media player software, and other products, the USITO briefing document said.

Source: www.infoworld.com