Diagrams shown during technical discussions with Chinese officials indicated something like a RADIUS (Remote Authentication Dial-In User Service) server being used for authentication, with an interesting twist: They seemed to show a central RADIUS system for authenticating all users on all WLANs in China, he said.
However, that feature and others may not be required as part of WAPI, Easton said, noting many details are not clear.
That WAPI is veiled in mystery is no surprise. In 1999, China's State Council, the country's highest administrative body, issued a decree, called Directive 237, which regulates commercial encryption ciphers and requires encryption technology to be developed and sold under a blanket of secrecy.
"The scientific research and production of commercial encryption cipher products should be conducted under conditions that meet the needs of maintaining security and secrecy," Directive 237 states. "Work units and personnel responsible for the scientific research, production and sales of commercial encryption cipher products must bear the responsibility of confidentiality with regard to the commercial encryption cipher technologies they come in contact with or control."
Directive 237 also states that individuals who leak technical data related to commercial encryption ciphers will be prosecuted and, in cases where national security is deemed to be at risk, they will be arrested.
SEMC has confirmed that the encryption management methods being employed with the Chinese WLAN standard are being implemented in accordance with Directive 237, raising concerns that the Chinese WLAN standard could represent a renewed push to bring commercial encryption technology under government control, said Anne Stevenson-Yang, managing director of USITO in Beijing.
"WLAN is the first part of a broader plan," Stevenson-Yang said, adding that Chinese officials had likely decided to implement Directive 237 with WLAN because China's wireless networking market is in the early stages of development.
Stevenson-Yang said the objectives of Chinese officials are outlined in Directive 237, which states that only government-approved encryption technology may be used by companies and individuals in China and prohibits the use of encryption technology developed overseas. In addition, individuals are required to register any product that uses encryption and must notify the government when the product is discarded. The directive prohibits the transfer of ownership for any product that uses encryption.