Otto Moerbeek <otto <at> drijf.net> writes: > Huh, I quote: > > "So a subverted developer would probably need to work on the network stack. > I can think of a few obvious ways that they could leak plaintext or key > material:" > > and then Damien gives a few examples of how that could be accomplished. > > What you describe above is one of the ways Damien mentions (as I read > it): "If I was doing it, I'd try to make the reuse happen on something > like ICMP errors, so I could send error-inducing probe packets at > times I thought were interesting " > > Note the reuse of mbus will have the effect of sending key material to > the outside. > > Please elaborate in what respect you suggestion is different. > > -Otto
Yeah, the words network stack and crafted packet are there, though the rest is significantly different. It's all network stack and the ICMP thing does focus on randomly probing for a potentially not-cleared buffer, ie intentional failures in the encryption. What I try to make clear: Don't focus on the encryption stuff, no need to break that, nor focus on the used buffers, etc. Just look what the STATE MACHINE in the IPSEC network stack (or if you want: What the state machine in the encryption setup) does, especially the handling of the error conditions. pretty easy to send a crafted packet and let the stack release the keys to the one asking. So: Don't look for "technical" bugs like failing memory clearing or potentially insufficient entropy. But look for a function feature in the error handling, technically perfect, though with an unwanted functionality. Such a construction would look pretty legit and would work very well with normal not-specifically crafted packets. This thread (and the message you refer to) is moving into the direction of encryption short-comings and I don't think that's where a backdoor has to be expected.
