Slashdot Mirror


FBI Alleged To Have Backdoored OpenBSD's IPSEC Stack

Aggrajag and Mortimer.CA, among others, wrote to inform us that Theo de Raadt has made public an email sent to him by Gregory Perry, who worked on the OpenBSD crypto framework a decade ago. The claim is that the FBI paid contractors to insert backdoors into OpenBSD's IPSEC stack. Mr. Perry is coming forward now that his NDA with the FBI has expired. The code was originally added ten years ago, and over that time has changed quite a bit, "so it is unclear what the true impact of these allegations are" says Mr. de Raadt. He added: "Since we had the first IPSEC stack available for free, large parts of the code are now found in many other projects/products." (Freeswan and Openswan are not based on this code.)

8 of 536 comments (clear)

  1. Re:But but but by snowraver1 · · Score: 4, Interesting

    I wonder if Linux has a similar backdoor. I think that it would be quite likely that MS products have one.

    --
    Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
  2. Only two remote holes... by chill · · Score: 4, Interesting

    Considering OpenBSD has performed extensive code audits and this is part of the core code, this is going to bring the argument about the importance of security code audits to the forefront.

    They have their place, but...10 years and by one of the most anal-retentive, paranoid coding groups out there. Ouch.

    --
    Learning HOW to think is more important than learning WHAT to think.
  3. French ssh port (ssf) suggested strange weaknesses by Anonymous Coward · · Score: 5, Interesting

    from ftp://ftp.nluug.nl/pub/metalab/docs/linux-doc-project/linuxfocus/English/Archives/lf-2003_03-0273.html

    I often like to point out an incomprehensible weakness of the protocol concerning the "padding" (known as covered channel): in both version 1 and 2 the packets, have a length which is a multiple of 64 bits, and are padded with a random number. This is quite unusual and therefore sparing a classical fault that is well known in encrypting products: a "hidden" (or "subliminal") channel. Usually , we "pad" with a verified sequence as for example, give the value n for the byte rank n (self describing padding). In SSH, the sequence being (by definition) randomized, it cannot be checked. Consequently, it is possible that one of the parties communicating could pervert / compromise the communication for example used by a third party who is listening. One can also imagine a corrupted implementation unknown by the two parties (easy to realize on a product provided with only binaries as generally are commercial products). This can easily be done and in this case one only needs to "infect" the client or the server. To leave such an incredible fault in the protocol, even though it is universally known that the installation of a covered channel in an encryption product is THE classic and basic way to corrupt the communication, seems unbelievable to me . It can be interesting to read Bruce Schneier's remarks concerning the implementation of such elements in products influenced by government agencies. (http://www.counterpane.com/crypto-gram-9902.html#backdoors).

    I will end this topic with the last bug I found during the portage of SSH to SSF (French version of SSH), it is in the coding of Unix versions before 1.2.25. The consequence was that the random generator produced ... predictable... results (this situation is regrettable in a cryptographic product, I won't go into the technical details but one could compromise a communication while simply eavesdropping). At the time SSH's development team had corrected the problem (only one line to modify), but curiously enough without sending any alert, not even a mention in the "changelog" of the product... one wouldn't have wanted it to be known, he wouldn't have acted differently. Of course there is no relationship with the link to the above article.

  4. Re:If this was ten years ago... by chill · · Score: 5, Interesting

    No, but it was part of the post-Wassenaar agreement (Dec. 1998) that de-weaponized open source crypto. 10 years ago would have been around OpenBSD 2.8 (12/1/2000) which introduced AES and was the first release after the expiration of the RSA patent.

    v2.7 saw the introduction of hardware-accelerated IPSec only 6 months before.

    They were moving fast and furious on IPSec. This would have been an opportune time to spike them.

    --
    Learning HOW to think is more important than learning WHAT to think.
  5. Re:But but but by ratboy666 · · Score: 5, Interesting

    It isn't necessarily obvious.

    Basically, the idea is that bits of the key leak. And how is this accomplished?

    For example - if a key bit is 0, you take one code path, if 1, another. Make the two paths different lengths. It may be possible to affect packet timing. Or... A function may end with "x - y" and then return "z". No leak? Not so clear, the carry/borrow may be leaking information to the caller (on x86 style hardware).

    Anyway, it probably isn't a "back door", just some means of determining enough key bits to make brute force practical is enough. And this sort of thing can be subtle. It can even be based on the machine code generated for certain sequences by a particular compiler (the "x-y; return z" sequence above, for example).

    --
    Just another "Cubible(sic) Joe" 2 17 3061
  6. Smear Campaign? by nurb432 · · Score: 4, Interesting

    Good way to kill a project. Give the paranoids something to be paranoid about.

    --
    ---- Booth was a patriot ----
  7. Re:But but but by jon787 · · Score: 5, Interesting

    Ah the old NSA DES conspiracy theory. The NSA suggested two changes to DES: 1) shorten the key 2) changed the S-boxes. They gave no public explanation for the latter and for years the story was that this somehow introduced a backdoor into the algorithm. The truth came out over a decade later:

    "Some of the suspicions about hidden weaknesses in the S-boxes were allayed in 1990, with the independent discovery and open publication by Eli Biham and Adi Shamir of differential cryptanalysis, a general method for breaking block ciphers. The S-boxes of DES were much more resistant to the attack than if they had been chosen at random, strongly suggesting that IBM knew about the technique in the 1970s. This was indeed the case; in 1994, Don Coppersmith published some of the original design criteria for the S-boxes. According to Steven Levy, IBM Watson researchers discovered differential cryptanalytic attacks in 1974 and were asked by the NSA to keep the technique secret."

    Of course, they could still be lying, better keep the tinfoil hat on.

    --
    X(7): A program for managing terminal windows. See also screen(1).
  8. Re:French ssh port (ssf) suggested strange weaknes by ArsenneLupin · · Score: 4, Interesting

    So what he was saying is, that they are padding with a potentially unencrypted random number, that can be used to guess earlier and later random numbers, and thus break SSH. The random number is a hint for crackers / PRNG guessers.

    No, that a deliberately "broken" implementation of ssh (either on server or on client) could use the padding to leak the session key, and that without access to the code there would be no way to tell (... because the padding is "supposed" to be random...).

    Quite clever actually, and reminescent about the ways how the French subverted the Luxembourgish Luxtrust system.

    Luxtrust token are hardware crypto token containing a private key. The key (supposedly) is generated randomly by the token at initialization and never leaves the token, and can only be used to establish session keys and sign messages, where the critical calculation happens on the token. The key is used to secure banking transactions, so that for example, the French tax administration cannot spy on the communication between French citizens and their Luxembourgish bank.

    That's the theory. The catch is, the tokens are manufactured by the French company Gemalto, and each token's random number generator will only ever "generate" private keys from a limited set (different for each token, of course). So, French tax administration can trivially infer the private key by looking up the public key in a table provided by Gemalto.

    The scheme is virtually undetectable, because:

    • The keyset is different for each token
    • Each token can only be initialized a very limited amount of times (much smaller than number of possible keys for that token)
    • The tokens supplied to BSI for audit didn't have this weakness. And moreover, the German tax authorities would be quite happy to listen in too :-)

    Result: Luxembourg spent millions on an inconvenient crypto scheme, which works neither on modern 64 bit compiters nor on mobiles, and which is useless for its purpose.