[Cryptography] From Nicaragua to Snowden - why no national standards should be considered in cryptosec
Ian G
iang at iang.org
Fri Feb 26 17:36:35 EST 2016
Long article on why IETF and similar bodies should *not* pander to
national bodies in adopting encryption algorithms.
http://www.bu.edu/jostl/files/2016/01/21.1_Tobias_Final_web.pdf
III. CHINESE WIRELESS TRANSMISSION STANDARDS AND THEIR COUNTERPARTS The
standards with which this Note is concerned show the truth behind
Smoot’s claim that the information technology industry “uses every kind
of standardization process imaginable.”93 The three relevant Chinese
standards are WLAN Authentication and Privacy Infrastructure (“WAPI”),
Ultra HighThroughput WLAN & its counterpart Enhanced Ultra
High-Throughput WLAN (“UHT/EUHT”), and ZUC – taken together, the
Encryption Standards. The table below lays out basic information about
the standards, their applications, and their foreign competition.
The first row of standards94 all pertain to WLAN systems, as is evident
from the formal names of both WAPI and UHT.95 At its most basic, WLAN
refers to a system of connecting two or more devices96 without the need
for wires between them.97 As network connectivity has become an integral
part of using a computer, wireless networks have grown in number and
popularity.98 A wireless network allows quick and convenient access to a
network. A common use of WLAN systems is to connect a laptop to an
access point for the World Wide Web.99 WLAN can also be used to connect
a small set of devices (such as a smart phone, laptop, tablet, video
game console, and television set) into a home multi-media entertainment
system.100 Instead of wires, WLAN uses radio frequencies to transmit
data between connected devices.101
802.11 is a set of internationally recognized standards that facilitate
WLAN connectivity.102 The Institute of Electrical and Electronics
Engineers (“IEEE”), a formal standards development organization based in
New York City,103 created 802.11.104 IEEE continually modifies 802.11,
incorporating new security and transmission techniques.105 In 1999, when
802.11a was approved by the International Organization for
Standardization as a formal international standard, it had a maximum
transfer rate of fifty-four megabits per second.106 The upcoming
revision, 802.11ad, has a maximum transfer rate of seven gigabits per
second – almost 130 times as fast.107 Users and businesses benefit from
faster internet connections. Higher speeds make the Internet more
economically viable as a business transmission medium, a field once
dominated by man-carried or animal-carried letters.108 The added
convenience of radio-enabled wireless networks raises significant
security issues. Interception of or tampering with radio waves is
“trivial to anyone with a radio.”109 By intercepting radio waves, an
unauthorized person can effectively eavesdrop on the other parties, and
for example, uncover a private password or Social Security Number
transmitted over the network. An unauthorized person could also tamper
with the signal and trick other devices into thinking his own system has
authorization it does not actually have – and here, that person could
enter private networks, such as a restricted intranet upon which a
company stores its trade secrets or other private and sensitive
information.110 Identity thieves often target unsecured wireless
networks to steal identifying information.111 Early versions of 802.11
used an encryption scheme known as Wired Equivalent Privacy (“WEP”).112
WEP was intended to bring to wireless transmissions a level of security
which would compete with more secure wired transmissions, and thus
prevent eavesdropping on, and tampering with, private signals.113 Every
transmission subject to WEP underwent a two-stage process of encryption
at its point of origin, and the receiver would reverse the process to
decrypt and access the information.114 The communicating parties shared
a secret key upon which the entire process relied; without the proper
key, the information could not be decrypted. 115 However, in 2001,
researchers discovered significant security flaws in WEP’s encryption
scheme.116 Thieves and other unauthorized persons could easily exploit
these flaws to gain access to encrypted transmissions.117 After these
discoveries, the IEEE 802.11 Task Group on Security “began significant
changes to WEP” to plug the holes in security.118 These changes
culminated in the Wi-Fi Protected Access scheme (“WPA”).119 In 2004, the
IEEE integrated WPA into the 802.11 set of standards as 802.11i.120
The rift between WAPI and 802.11 revolves around the standards’
respective handling of security. WAPI is an offshoot of the
WEP-encrypted versions of 802.11, born of Chinese dissatisfaction with
the security flaws in WEP.121 The Standardization Administration of
China (“SAC”) “initially approved WAPI in May 2003 to become effective
later in December of that year.”122 The core of WAPI is a redone
security scheme. The Chinese claim that WAPI’s encryption rectifies the
security deficiencies inherent in WEP.123 A “necessary secret encryption
algorithm” controls WAPI’s security scheme.124 The Chinese state
provides only a half-dozen Chinese companies with access to the
algorithm.125 Any company seeking to integrate WAPI into its radio
designs would thus have to negotiate with one of those six companies.
Additionally, 802.11 and WAPI are mutually incompatible.126
During 2003 and 2004, the Chinese government planned to instate WAPI as
a mandatory standard.127 By June 2004, all WLAN devices would be
required to support WAPI.128 The United States government formally
protested the mandatory standard.129 Perhaps more importantly,
information technology giants Intel, Texas Instruments, and Broadcom
promised to cease sales of any product affected by WAPI.130 Craig
Barret, Intel CEO, personally visited Beijing in an attempt to resolve
the crisis.131 Amid the tension, China agreed to “indefinitely postpone”
government enforcement of mandatory compliance with WAPI during
bilateral trade negotiations with the United States.132 However, the
United States Trade Representative’s 2013 Report on Technical Barriers
to Trade said that, as of 2011, “China’s Ministry of Industry and
Information Technology (“MIIT”) remained unwilling to approve any
Internetenabled mobile handsets or similar hand-held wireless devices
unless the devices were WAPI-enabled.”133
The UHT/EUHT standards follow in much of the same vein as WAPI. UHT/
EUHT are Chinese domestic alternatives to the internationally-accepted
802.11n standard.134 The Chinese claim that UHT/EUHT can coexist with
802.11.135 However, because UHT/EUHT both operate on the same frequency
as their 802.11 counterparts, a device operating on one standard may
cause considerable interference with the transmissions of a device
operating on the other standard.136 A European information technology
standards organization concluded that “adequate coexistence between
UHT/EUHT standards based devices and devices based on standard 802.11 is
not possible.”137 The United States Trade Representative has also
expressed concerns about incompatibility between UHT/EUHT and 802.11.138
4G LTE differs from the above standards in that it is designed for use
in mobile smartphones, as opposed to use in laptops or other larger
devices. 139 The 4G LTE set of standards is developed by the 3rd
Generation Partnership Project (“3GPP”).140 Although 3GPP is an
industry-specific standards organization, instead of a general formal
standards organization like IEEE, 3GPP controls the 4G LTE standards and
promulgates enhancements to the set, similar to the various iterations
of 802.11x developed by IEEE.141 3GPP developed 4G LTE in part through
recommendations from the Next Generation Mobile Networks initiative – of
which China Mobile Communications Corporation is a member.142 With
Sprint Corporation’s cessation of support for WiMAX in 2012, all
American smartphone carriers now support 4G LTE standards
exclusively.143 The market has thus established 4G LTE as a de facto
hegemon.144
ZUC is an additional encryption system operating over the top of 4G
LTE.145 The Data Assurance and Communication Security Center (“DCS”) of
the Chinese Academy of Sciences is developing the standard, and held the
first international workshop on ZUC in December 2010.146 In 2011, 3GPP
approved ZUC as one of several voluntary encryption standards.147 In
early 2012, China’s MIIT informally announced that networks and mobile
devices operating on China’s TD-LTE standard must only use
domestic-developed encryption algorithms, a set that includes ZUC.148 At
subsequent bilateral negotiations between the US and China, China agreed
not to mandate a specific encryption standard.149 The US Trade
Representative is still closely monitoring ZUC developments.150
[Long snip on why the WTO is likely to conclude against USA and for
China, citing US - Nicaragua as precedent, and /national security/ as
the right of sovereigns to break markets.]
VII. CONCLUSION A WTO Panel, in a dispute over the Encryption Standards
invoking Article XXI’s national security exception, is very likely to
produce a dual ruling akin to the GATT Panel Report in US – Nicaragua:
that China has breached its obligations, yet that breach is justified
under Article XXI’s national security exception. Any ruling to the
contrary would require the Panel to ignore the terms of reference set in
US — Nicaragua and rule on the validity or motivation of China’s
invocation of Article XXI. As national security goes to the core of a
sovereign’s responsibility, the consequences of a new formal
interpretation of Article XXI would be severe – and beyond the scope of
this Note.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20160226/243a3b60/attachment.html>
More information about the cryptography
mailing list