WLAN Authentication and Privacy Infrastructure

from Wikipedia, the free encyclopedia

WLAN Authentication and Privacy Infrastructure (WAPI) is a Chinese security technology for wireless networks. WAPI is an alternative to the security protocol defined in the IEEE 802.11 standard.

Technology

WAPI has two architectural components:

  • WAI (WLAN Authentication Infrastructure) for the mutual authentication of users and wireless access points
  • WPI (WLAN Privacy Infrastructure) for message confidentiality and integrity.

WPI enables the selection of the AES or the SMS4 encryption algorithm.

WAI has two options for the cryptographic keys, WAPI-PSK and WAPI-CERT.

WAPI-PSK differs only slightly from the pre-shared key option of IEEE 802.11, while WAPI-CERT has a significantly different concept, different functions and different cryptographic mechanisms.

WAPI-CERT has a central component, the Authentication Service Unit (ASU). Its certificate is known to both the user and the access point, and as the central authority it verifies the validity of the certificates of the user and the access point when the connection is established. The access point and the user authenticate each other with their certificates and establish the so-called Base Key (BK) using Diffie-Hellman key exchange. The WAI mechanism corresponds to ISO/IEC 9798-3 Amendment 1, "Information technology - Security techniques - Entity authentication - Part 3: Mechanisms using digital signature techniques AMENDMENT 1: Mechanisms involving a trusted third party".

Historical background

National

WAPI was published as a national standard in 2003 by the Standardization Administration of the People's Republic of China (SAC). The Chinese government announced in 2003 that every device sold there must have support for WAPI. Foreign companies have to cooperate with one of eleven authorized Chinese companies that are in possession of the proprietary details for the implementation.

International

The first two attempts to launch WAPI as an international standard failed. At the ISO/IEC JTC/SC06/WG1 conference in Frankfurt am Main, the ISO rejected the request to discuss WAPI and IEEE 802.11i together. The revised standard was submitted again in October 2005 and was ultimately rejected as a standard in a vote on March 7, 2006. On the same day, the Chinese Ministry of Information Industry announced the establishment of the WAPI Industrial Union. It consists of a total of 22 members. These include Lenovo, Huawei and China's four telecommunications companies.

In 2006 the originally secret SMS4 algorithm was declassified and subsequently checked by independent experts.

In 2009, SAC submitted a revised proposal to the International Organization for Standardization, which was approved in January 2010 by the members of JTC1/SC6 (against the votes of the UK and US) (see document JTC1/Sc6/6N14228). The standardization project is currently underway under the standard number ISO/IEC 20011. The current draft of the ISO standard bears the document number JTC1/Sc6/N14619.

However, in October 2011, China withdrew the proposal and filed a complaint with the ISO Central Secretariat. This is currently still pending.
