Chinese WAPI protocol?

David Wagner daw at cs.berkeley.edu
Thu Jun 15 00:35:40 EDT 2006 

hank you to everyone who corrected the errors in my earlier post.  As has
been pointed out, the SMS4 block cipher was disclosed earlier this year.

Nonetheless, many of my concerns about the security of WAPI remain.
We already have a perfectly good solution out there; 802.11i is a good
scheme, and has been vetted by many folks.  In contrast, WAPI has
received very little analysis by security folks.  WAPI's underlying
block cipher is some special proprietary design that has never been
published in a peer-reviewed academic conference and does not seem to
have received much, if any, scrutiny from experts in block cipher design
-- and certainly nothing approaching the degree of scrutiny that AES
(the cipher used in 802.11i) has seen.  Similar comments apply to the
protocols in 802.11i vs the protocols in WAPI.

The 802.11 working group has put together a lengthy, 40+ page technical
analysis full of defects, ambiguities, and security risks in WAPI.
Their technical analysis is compelling and pretty damning, in my view.
I think we should commend the IEEE 802.11 group for doing such an outstanding
job of technical analysis.

In comparison, when you read the documents from the Chinese national
body, you get a very different impression.  For instance, the Chinese
rebuttal tries to defend the use of a secret proprietary block cipher.
What the heck are they thinking?  Don't they know anything about how to
design secure systems?  It seems clear that the people who are writing the
Chinese advocacy documents are not technical experts in security; perhaps
they are politicians or lawyers, but they're not security engineers.

Of course, the elephant in the room is that China is a giant and growing
market.  China knows that, and seems to want to exploit that fact to
ensure kickbacks and profits for local Chinese companies.  Everyone who
is anyone wants to sell to that marketplace, and I'm sure they have
to be somewhat circumspect to avoid alienating potential customers.
I'm not trying to sell anything to China, so I guess I'm free to speak
my mind.  I persuaded by the analysis I've seen that WAPI is poorly
thought out, not ready for standardization, and shouldn't be approved
at this time.  It tries to solve an already-solved  problem, and does
it in an inferior way.  I'm concerned about the security risks of WAPI.
The Chinese national body gives no appearance of seeking the best solution
and gives every appearance of allowing profit and political considerations
to trump technical merit.  I think ISO has been put in a tough position,
and I think we should applaud them for (so far) resisting the pressure
to adopt WAPI despite the intense pressure that has been applied to them.

I remain concerned about the security risks of WAPI, even to those of us
who live outside China.  Anytime you ship a wireless card that supports
two different wireless standards, you run the risk of attacks that reduce
your strength to the weaker of the two standard.  For instance, one can
imagine "You are now in China" attacks that fool a wireless card into
(wrongly) thinking it is in China and entering the less-secure WAPI mode.
If WAPI has any security vulnerabilities, this could endanger everyone
whose wireless card supports WAPI, whether they think they are using
WAPI or not.  One can hope that such a risk won't come to pass, but why
take any chances?

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list