On Fri, Dec 24, 2010 at 07:53:52PM +0000, martin tarb wrote:
> Otto Moerbeek <otto <at> drijf.net> writes:
> > Please also check what djm@ wrote in one of the first replies to Theo
> > original mail:
> >
> > http://marc.info/?l=openbsd-tech&m=129237675106730&w=2
> >
> > -Otto
>
>
> Yep, I did see that one, though that one does focus on (intentional) bugs in
> the main crypto stuff, and my suggestion is that's not the location where to
> look for backdoors.
Huh, I quote:
"So a subverted developer would probably need to work on the network stack.
I can think of a few obvious ways that they could leak plaintext or key
material:"
and then Damien gives a few examples of how that could be accomplished.
>
> Too obvious, too complicated, too much coding required to realize something
> useful, etc.
>
> There is no need to "break" the crypto stuff, if you can convince the IPSec
> stack to send you the keys. When you do have the keys, the only thing you have
> to do is decode the recorded crypted stream. When you are the FBI, you
> definitely have access to intermediate nodes, there's no need to let one of
> the end-nodes generate the traffic to you. You only need the keys, just take
> care the IPSec stack will tell you when you ask for it and only when you ask
> for it with a crafted IPSec init packet.
What you describe above is one of the ways Damien mentions (as I read
it): "If I was doing it, I'd try to make the reuse happen on something
like ICMP errors, so I could send error-inducing probe packets at
times I thought were interesting "
Note the reuse of mbufs will have the effect of sending key material to
the outside.
Please elaborate in what respect your suggestion is different.
-Otto