As proponents of the WAPI and 802.11i templates for wireless-LAN security continue to trade insults in the wake of the ISO's rejection of the Chinese WAPI standard, IC designers who have looked at both proposals say there is merit in the direction China's government wants to take WAPI.
The problem, sources said, is that WAPI has not specified the encryption algorithms to be used in implementations supported by the Chinese government and by the new WAPI Industrial Union. Another issue is that WAPI's privacy-infrastructure and authentication-infrastructure procedures operate on the service data unit (SDU) sublayer of the media-access control, or MAC, layer. The 802.11i standard runs at the protocol data unit (PDU) sublayer preferred in most LAN operations, wired and wireless, that deal with influencing packet header behavior.
When WAPI was first proposed, the point of comparison was the poor encryption model of the 1999 Wired Equivalent Protocol (WEP) first-generation WLAN security tools. Since then, the 802.11i standard has moved to a different technique, the Counter-Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP uses the Advanced Encryption Standard, the follow-on to the Data Encryption Standard.
While WAPI can use a variety of encryption methods, proposals offered to IEEE and ISO to date suggest that implementations accepted by the Chinese government and the WAPI Industrial Union will not be based on common public-key or private-key encryption algorithms, but instead will use algorithms that the Chinese government has yet to disclose. It is uncertain whether WAPI will require new encryption keys for each session, which 802.11i specified to prevent the reuse of encryption keys common in WEP.
There is also concern over the fact that the encryption infrastructure is divided into two domains, the WAPI Privacy Infrastructure and the WAPI Authentication Infrastructure. In practice, many wireline security infrastructures, including the predecessors to Internet Protocol Secure, used segmented bulk-encryption and authentication domains. But 802.11i advocates also worry that, even though WAPI authentication is based on the use of certificates, it does not employ the Extensible Authentication Protocol used in many transport-layer security models.
Thus, it might be impossible to adapt software developed for 802.1X authentication standards for WAPI.
"The harmonization ISO talks about will have to be based on [the emergence of] more details" about WAPI, said one source working on 802.11i issues. "We can get beyond the SDU and PDU differences. We can work on common authentication methods. We can look at the strength of [WAPI's] proposed encryption, once we know all the protocols. But all of this is based on getting more solid information in the proposals."
-- Loring Wirbel