• The No. 1 concern in wireless LAN is security. IEEE developed 802.11i to address the security vulnerabilities the legacy WLAN exposed. But it seems not enough - at least Chinese engineers consider that the IEEE-driven standard is insufficient for WLAN deployment in the enterprise environment. This is why China developed its own Wi-Fi security standard, WLAN Authentication and Privacy Infrastructure (WAPI), in 2003.

    WAPI is not an IEEE 802.11 standard. You can call it an enhancement of the 802.11i security standard.

    A WAPI-based WLAN consists of the access point (AP), wireless client (STA), and authentication server (AS). The AS is responsible for the issuance, verification, and revocation of public-key certificates. The certificate is installed on both the AP and the STA as their digital credential. Before a STA is able to access the network resources, a mutual authentication conducted by the AS must occur. Not only does the AP authenticate the STA, but the STA also needs to verify the AP to prevent it from connecting to a rogue AP.

    The physical layer is almost the same for WAPI and 802.11i, with differences at the MAC layer. So it is possible to support the two standards on the same WLAN chipset.

    You may know that the iPhone shipped to China is currently Wi-Fi disabled. The local regulatory body requires the mandatory support for both WAPI and Wi-Fi. Apple refused at first, but it now begins negotiation with China Unicom, the distributor in the Chinese mainland.
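A toy model of the three-role flow described above (STA, AP, AS), added here as an example; it is not code from the original post or from the WAPI specification and does not reproduce WAPI's actual message format. It assumes an AS-keyed HMAC tag as a stand-in for a real certificate signature and constructed names such as laptop-01 and office-ap; it also goes beyond the post by contrasting the mutual check with a one-way check that validates only the STA, which is what lets a rogue AP through.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # "STA:<name>" or "AP:<name>"
    pubkey: str    # constructed placeholder for public-key material
    serial: int
    tag: str       # issuance tag from the AS (toy stand-in for a signature)

class AuthServer:
    # AS role: issues, verifies and revokes STA and AP certificates.
    def __init__(self):
        self._key = secrets.token_bytes(32)   # assumed AS-held secret
        self._next_serial, self._revoked = 1, set()

    def _tag(self, subject, pubkey, serial):
        msg = f"{subject}|{pubkey}|{serial}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, subject):
        pubkey, serial = secrets.token_hex(16), self._next_serial
        self._next_serial += 1
        return Cert(subject, pubkey, serial, self._tag(subject, pubkey, serial))

    def revoke(self, cert):
        self._revoked.add(cert.serial)

    def verify(self, cert, role):
        # Reject revoked serials and certificates presented for the wrong role.
        if cert.serial in self._revoked or not cert.subject.startswith(role + ":"):
            return False
        return hmac.compare_digest(cert.tag, self._tag(cert.subject, cert.pubkey, cert.serial))

def associate(sta_cert, ap_cert, as_server, mutual=True):
    # The AP forwards both credentials to the AS. mutual=False models a
    # one-way check in which only the STA is validated.
    sta_ok = as_server.verify(sta_cert, "STA")
    ap_ok = as_server.verify(ap_cert, "AP") if mutual else True
    return {"sta_verified": sta_ok, "ap_verified": ap_ok, "granted": sta_ok and ap_ok}

def demo():
    as_server = AuthServer()
    sta, ap = as_server.issue("STA:laptop-01"), as_server.issue("AP:office-ap")
    rogue = Cert("AP:rogue", "deadbeef", 99, "00" * 32)   # never issued by the AS
    legit = associate(sta, ap, as_server)["granted"]
    rogue_mutual = associate(sta, rogue, as_server)["granted"]
    rogue_oneway = associate(sta, rogue, as_server, mutual=False)["granted"]
    as_server.revoke(sta)
    return legit, rogue_mutual, rogue_oneway, associate(sta, ap, as_server)["granted"]
```

demo() returns (True, False, True, False): the issued pair is accepted, the rogue AP is refused only when the check is mutual, and a revoked STA is refused even with a valid AP.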


  • Well, can anyone let me know how to clean up the messy code...

  • By (Deleted User)

    Copy and paste into notepad first.

    Then edit if necessary. If you post directly into here, sometimes the hidden HTML or other code gets thrown right in with your post.

    Try it.


  • Thanks for quick reply, Darby.

    I tried but it's still not working well. May spend some time getting familiar with the WYSIWYG editor...

  • The WAPI "standard" isn't really a standard, as although it may be very good, the details of the architecture are not available in the public domain. I don't want to get into an international trade argument, as I believe that is a two-way street. The US restricts and China restricts, and whatever China deems fit to do is politically up to them.

    However, for a standard to be a standard or considered as part of a standards architecture, then it must be public, NOT secret.

    Also it would be interesting to understand where similarities exist with AP and client association to the AS. Assuming it is issuing certs via a PKI, there seem to be similarities to EAP-TLS on the client architecture and LSCs on the AP architecture.

    Security in breadth and depth is great. LSCs, I think, are relatively new, and the wireless security arena is still evolving.

    It would be interesting to understand more about WAPI and how it can be related to 802.11i and 802.1X.

  • I prefer calling WAPI the security subset of the 802.11 standard, though others consider it a standard independent of the IEEE-backed WLAN standard.

    The US-China trade dispute puts WAPI in an embarrassing position: China wanted its own WLAN security standard, but the United States firmly opposed it 6 years ago. When the IEEE 802.11i proposal got an overwhelming majority of votes and was selected by ISO as the international WLAN security standard in 2006, Intel cheered their victory. The WAPI proposal was rejected then, but was resubmitted to ISO for review last year. And this time, China and the US reached a consensus to support the WAPI proposal to evolve into an independent standard.

    Well, this is more like a game between the two powers. I myself am not biased. What we need is just a more secure wireless network.

  • A simple comparison between 802.11i and WAPI:


    (1) Authentication mechanism

    802.11i: one-way authentication and mutual authentication (between STA and RADIUS server)

    WAPI: mutual authentication (between STA and AP via AS)

    (2) Credentials

    802.11i: username and password

    WAPI: public-key digital certificate

    (3) Key management

    802.11i: keys need to be manually set on AP and RADIUS server

    WAPI: centralized management by AS

    (4) Algorithm

    802.11i: depends on specific protocol

    WAPI: 192-bit elliptic curve cryptography (ECC-192)

    (5) Security vulnerabilities

    802.11i: credentials relatively simple; easy to be captured

    WAPI: unknown so far



    (1) Key

    802.11i: dynamic

    WAPI: dynamic

    (2) Algorithm

    802.11i: 128-bit RC4 and 128-bit AES

    WAPI: 128-bit SMS4

  • It would appear to be more like EAP-TLS with the mutual auth via certificates to me.

    You also say AS for WAPI and RADIUS for 802.11i; would not the AS be a RADIUS server?

    And with security you suggest that the 802.11i is easily captured. Yes, granted, easily captured is not easily compromised; I would assume that it is just as easy to capture WAPI traffic.

    It would be interesting to read more to understand, as from what you have said this may now become a standard.

    One thing's for sure regarding wireless security: we will be talking about different things in 5 years' time.

  • Yes, to me the WAPI seems to be a lot like EAP-TLS, except that they are using a different encryption method (128-bit SMS4). I can really see the pluses to requiring mutual authentication, but I know that one of the problems with managing digital certs on the client side was what to do if there are multiple certs: how to pick the correct one. It is interesting this has come out of China though. Very interesting insight though, thanks!

  • I've never had an issue managing multiple certs. The issue most people shy away from with EAP-TLS is the administrative overhead, even with auto-enrollment, and the initial manual configuration, i.e. putting the cert on hundreds of laptops.

    I do need to do some testing with multiple certs, as I saw an issue once, but it appeared to be a laptop build problem.
