By the way...

It is unfortunate that it required an allegation of this sort for
people to get to the point where they stop blindly trusting and
instead go audit the code....

But looked at from the half-glass-full side, it is refreshing to see
people trying!

[ message continues ]

without a 'hint' (true or fake), where would you start auditing the
code? It's just too much.

Now, as I have started with it, I will continue to do so, at least
with the crypto code and PRNG code. However, don't get me wrong. I'm
neither a cryptographer nor have I ever touched the openbsd code
before. I did some patching for BSDI BSD/OS (ages ago), but that's it

BTW: iTWire mentions, that two bugs have been found in the crypto
code. Where can I find details on those bugs?

http://www.itwire.com/opinion-and-analysis/open-sauce/43995-openbsd-backdoor-claims-co...

Regards
Kurt Knochner

http://knochner.com/

[ message continues ]

Actually, when I would design such a backdoor, I wouldn't go for the item
getting highest attention and most difficult to crack. And because the crypto
stuff is getting most attention, it's highly likely it'll be replaced every now
and then with something "better": Backdoor gone.

I would do a "social engineering". Challenge the IPSec stack to tell me what I
want to know.

How:
- Try to setup a connection with the server you want to have the keys from.
- Make a "failure" with this connection.
- This failure would use an additional parameter in the setup payload and answer
with the info I want to have.

So where to look:
In the state machine to initiate/setup the IPSec connection, especially the
error/declines it sends out. Things like: "setup failure, invalid key:
&(Yourkey+"additional parameter")".

That'll be something very difficult to find in reviews (who does look at the
error notices, reviews are in general looking after the main functionality)

Stack state machines tend to be related to the protocol basics and these don't
change, so it's very unlikely a backdoor like this is overruled by a "better"
implementation, especially if the original implementation is decent and robust.

This mechanism would need a handfull of connection setup attempts to get
everything you need to decompose a recorded stream. No intrusions will be
detected ever, unless logging is at debug level and who does wade through that
amount of logging .......

In some situations, you might need to be able to spoof the originating IP,
though having access to the network infrastructure itself, will be enough.

Easy, hardly any code required, very difficult to detect and very likely to
survive for a long period.

[ message continues ]

Please also check what djm@ wrote in one of the first replies to Theo
original mail:

http://marc.info/?l=openbsd-tech&m=129237675106730&w=2

	-Otto

[ message continues ]

Yep, I did see that one, though that one does focus on (intentional) bugs in the
the main crypto stuff, and my suggestion is that's not the location where to
look for backdoors.

To obvious, to complicated, to much coding required to realize something
usefull, etc.

There is no need to "break" the crypto stuff, if you can convince the IPSec
stack to send you the keys. When you do have the keys, the only thing you have
to do is decode the recorded crypted stream. When you are the FBI, you
definately have access to intermediate nodes, there's no need to let one of the
end-nodes generate the traffic to you. You only need the keys, just take care
the IPSec stack will tell you when you ask for it and only when you ask for it
with a crafted IPSec init packet.

[ message continues ]

Huh, I quote:

"So a subverted developer would probably need to work on the network stack.
I can think of a few obvious ways that they could leak plaintext or key
material:"


What you describe above is one of the ways Damien mentions (as I read
it): "If I was doing it, I'd try to make the reuse happen on something
like ICMP errors, so I could send error-inducing probe packets at
times I thought were interesting "

Note the reuse of mbus will have the effect of sending key material to
the outside.

Please elaborate in what respect you suggestion is different.

	-Otto

[ message continues ]

Yeah, the words network stack and crafted packet are there, though the rest is
significantly different. It's all network stack and the ICMP thing does focus on
randomly probing for a potentially not-cleared buffer, ie intentional failures
in the encryption.

What I try to make clear: Don't focus on the encryption stuff, no need to
break that, nor focus on the used buffers, etc. Just look what the STATE 
MACHINE in the IPSEC network stack (or if you want: What the state machine in 
the encryption setup) does, especially the handling of the error conditions. 
pretty easy to send a crafted packet and let the stack release the keys to the 
one asking. So: Don't look for "technical" bugs like failing memory clearing or
potentially insufficient entropy. But look for a function feature in the error
handling, technically perfect, though with an unwanted functionality. Such a
construction would look pretty legit and would work very well with normal
not-specifically crafted packets.

This thread (and the message you refer to) is moving into the direction of
encryption short-comings and I don't think that's where a backdoor has to be
expected.

[ message continues ]

Ted Unangst already solved that for all the potential lookers:

Quote from http://marc.info/?l=openbsd-misc&m=124413533913404&w=2
---------------------------------
It's not about where you start. It's about starting anywhere. Here, watch,
it's this easy:
find /usr/src -name "*.c" | random 10000
---------------------------------

-- 
 To our sweethearts and wives.  May they never meet. -- 19th century toast

[ message continues ]

Note that this assumes that there is no backdoor in random(6) (or
arc4random_uniform, which it calls) designed to prevent the source file
with the backdoor from being selected with the above command.

[ message continues ]

That's true. I would submit a patch, but it would require every developer to
carry around a deck of cards, 12 dice, and a large pot full of numbered
balls...

-kj

[ message continues ]

I thought numbered balls only work (without a backdoor) if they are
drawn from an *urn*. 

	-Otto

[ message continues ]

Only if the vicar's wife doesn't peek.

[ message continues ]