WLAN Authentication and Privacy Infrastructure (WAPI) is a Chinese National Standard for Wireless LANs. WAPI was made China’s mandatory national standard in May 2003 by AQSIQ (General Administration of Quality Supervision, Inspection and Quarantine of the People’s Republic of China). For a few years now it has been impossible to implement WAPI on Linux due to the proprietary nature of the specification and the classification of the SMS4 encryption algorithm. In 2005 the 'National body of China' tried to clarify via the ISO/IEC WAPI N33 that their WAPI ISO proposal was in compliance with ISO's standardization process. They argued that "WAPI defines the interface of cipher algorithm according to the ISO’s common regulation of cipher algorithm". Essentially they argued that their ISO proposal allowed countries to choose the encryption algorithm used: SMS4 was just one optional encryption algorithm, and since it was classified it would be used only in China. Eventually though the WAPI ISO proposal was rejected.
In January 2006 the SMS4 encryption algorithm was declassified. In October 2009 the 'National body of China' resubmitted WAPI for ISO standardization. With the declassification of SMS4 and the intent of the National body of China to make WAPI an ISO standard, we should be able to implement a full WAPI solution on Linux using public documentation as reference. The new ISO submission was voted on in January 2010 with a majority of votes in favor of the ISO proposal. The major opponents were the US and UK standardization bodies, whose comments raised concerns over the unsynchronized effort this would create given that the ISO/IEC 8802-11 tends to be updated based on IEEE's own 802.11 group.
Despite the issues with the standardization bodies, the ISO proposal got a majority favorable vote, which means we likely need to support WAPI upstream somehow. Market-wise there is not much evidence of WAPI being used anywhere except sometimes in China. Even in China WAPI does not seem to be exclusively used. For this reason WAPI will help those users in China connect and sell products where WAPI is required.
There are two components to WAPI:
- wpa_supplicant changes
- mac80211 changes
Some hardware supports the SMS4 encryption algorithm in hardware; we can start off supporting those devices first.
We need to scope out the effort required for the two components above.
The WAPI ISO proposal is to provide an alternative security mechanism by trying to annex ISO/IEC8802‐11. The ISO/IEC8802‐11 is the international standardization of the IEEE-802.11 work, and as such annexing ISO/IEC8802‐11 without first updating the respective IEEE-802.11 standards can create interoperability issues with future 802.11 working group amendments such as IEEE 802.11e/j/k/n/r/w and work-in-progress amendments such as IEEE 802.11 p/s/u/v/z/aa/ac/ad.
Due to the possible current/future interoperability/conflict issues with WAPI and IEEE, if WAPI gets added upstream and into wpa_supplicant it must be a selectable option which can be disabled.
When implementing WAPI you'll likely want to read