On Fri, Dec 24, 2010 at 07:53:52PM +0000, martin tarb wrote:

quoted text
> Otto Moerbeek <otto <at> drijf.net> writes:
> > Please also check what djm@ wrote in one of the first replies to Theo
> > original mail:
> > 
> > http://marc.info/?l=openbsd-tech&m=129237675106730&w=2
> > 
> > 	-Otto
> 
> 
> Yep, I did see that one, though that one does focus on (intentional) bugs in the
> the main crypto stuff, and my suggestion is that's not the location where to
> look for backdoors.

Huh, I quote:

"So a subverted developer would probably need to work on the network stack.
I can think of a few obvious ways that they could leak plaintext or key
material:"

and then Damien gives a few examples of how that could be accomplished.

quoted text
> 
> To obvious, to complicated, to much coding required to realize something
> usefull, etc.
> 
> There is no need to "break" the crypto stuff, if you can convince the IPSec
> stack to send you the keys. When you do have the keys, the only thing you have
> to do is decode the recorded crypted stream. When you are the FBI, you
> definately have access to intermediate nodes, there's no need to let one of the
> end-nodes generate the traffic to you. You only need the keys, just take care
> the IPSec stack will tell you when you ask for it and only when you ask for it
> with a crafted IPSec init packet.

What you describe above is one of the ways Damien mentions (as I read
it): "If I was doing it, I'd try to make the reuse happen on something
like ICMP errors, so I could send error-inducing probe packets at
times I thought were interesting "

Note the reuse of mbus will have the effect of sending key material to
the outside.

Please elaborate in what respect you suggestion is different.

	-Otto