On Fri, Dec 24, 2010 at 07:53:52PM +0000, martin tarb wrote:

> Otto Moerbeek <otto <at> drijf.net> writes:
>
> > Please also check what djm@ wrote in one of the first replies to Theo's
> > original mail:
> >
> > http://marc.info/?l=openbsd-tech&m=129237675106730&w=2
> >
> > -Otto
>
> Yep, I did see that one, though that one does focus on (intentional) bugs in
> the main crypto stuff, and my suggestion is that's not the location where to
> look for backdoors.

Huh, I quote:

"So a subverted developer would probably need to work on the network stack. I
can think of a few obvious ways that they could leak plaintext or key
material:"

and then Damien gives a few examples of how that could be accomplished.

> Too obvious, too complicated, too much coding required to realize something
> useful, etc.
>
> There is no need to "break" the crypto stuff, if you can convince the IPSec
> stack to send you the keys. When you do have the keys, the only thing you have
> to do is decode the recorded encrypted stream. When you are the FBI, you
> definitely have access to intermediate nodes; there's no need to let one of
> the end-nodes generate the traffic to you. You only need the keys; just take
> care that the IPSec stack will tell you when you ask for it, and only when you
> ask for it with a crafted IPSec init packet.

What you describe above is one of the ways Damien mentions (as I read it):

"If I was doing it, I'd try to make the reuse happen on something like ICMP
errors, so I could send error-inducing probe packets at times I thought were
interesting"

Note the reuse of mbufs will have the effect of sending key material to the
outside.

Please elaborate in what respect your suggestion is different.

	-Otto
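The mechanism both messages are talking about, reduced to a toy model. This is an added example written for this page, not code from OpenBSD's network stack or from anyone in the thread: a one-slot buffer pool stands in for the kernel mbuf allocator, and ipsec_stage() / icmp_error_*() are hypothetical stand-ins for the two code paths Damien names. The 16-byte key and the 28-byte probe datagram are constructed inputs. It shows why "reuse" is enough on its own: the IPsec side never sends anything, but a buffer it freed without scrubbing is handed to the ICMP error builder, and a quote that is sized by the buffer's capacity instead of the datagram's length carries the stale key bytes out in the reply to a probe the attacker timed.

```c
/* Toy model of an mbuf-reuse key leak (added example, not OpenBSD code).
 * Build: cc -std=c99 -Wall mbuf_leak.c && ./a.out */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBUF_SIZE 64   /* capacity of one pool buffer (hypothetical) */
#define KEY_LEN   16   /* e.g. an AES-128 key */
#define KEY_OFF   32   /* where the IPsec stage parks the key inside the mbuf */

static uint8_t pool[MBUF_SIZE];   /* the single "mbuf" */
static int pool_busy;

/* Last freed, first reused: the allocation pattern the leak depends on. */
static uint8_t *mbuf_get(void)
{
    if (pool_busy)
        return NULL;
    pool_busy = 1;
    return pool;                  /* contents are whatever the last user left */
}

/* Free as a subverted (or merely careless) stack would: just mark it free. */
static void mbuf_free_leaky(uint8_t *m)
{
    (void)m;
    pool_busy = 0;
}

/* Free as a hardened stack should: scrub before returning to the pool.
 * Writing through a volatile pointer keeps the compiler from deleting the
 * stores as dead (portable stand-in for OpenBSD's explicit_bzero). */
static void mbuf_free_hardened(uint8_t *m)
{
    volatile uint8_t *p = m;
    for (size_t i = 0; i < MBUF_SIZE; i++)
        p[i] = 0;
    pool_busy = 0;
}

typedef void (*free_fn)(uint8_t *);

/* Stage 1: IPsec code puts key material in an mbuf, uses it, frees it. */
static void ipsec_stage(const uint8_t key[KEY_LEN], free_fn release)
{
    uint8_t *m = mbuf_get();
    memset(m, 0xAA, KEY_OFF);            /* some SA/header bytes */
    memcpy(m + KEY_OFF, key, KEY_LEN);   /* the key now lives in the mbuf */
    release(m);
}

/* Stage 2, subverted: build the ICMP error that quotes the offending
 * datagram, but size the quote by the mbuf's capacity instead of the
 * datagram's length.  The bytes past the datagram are stale pool contents. */
static size_t icmp_error_subverted(const uint8_t *dgram, size_t dlen,
                                   uint8_t *out, size_t outcap, free_fn release)
{
    uint8_t *m = mbuf_get();
    if (dlen > MBUF_SIZE) dlen = MBUF_SIZE;
    memcpy(m, dgram, dlen);
    size_t quote = MBUF_SIZE;            /* BUG: should be dlen */
    if (quote > outcap) quote = outcap;
    memcpy(out, m, quote);
    release(m);
    return quote;
}

/* Stage 2, correct: quote only the bytes the datagram actually had. */
static size_t icmp_error_correct(const uint8_t *dgram, size_t dlen,
                                 uint8_t *out, size_t outcap, free_fn release)
{
    uint8_t *m = mbuf_get();
    if (dlen > MBUF_SIZE) dlen = MBUF_SIZE;
    memcpy(m, dgram, dlen);
    size_t quote = dlen;
    if (quote > outcap) quote = outcap;
    memcpy(out, m, quote);
    release(m);
    return quote;
}

/* Does the key appear anywhere in buf?  (portable memmem) */
static int contains_key(const uint8_t *buf, size_t n, const uint8_t key[KEY_LEN])
{
    for (size_t i = 0; i + KEY_LEN <= n; i++)
        if (memcmp(buf + i, key, KEY_LEN) == 0)
            return 1;
    return 0;
}

/* Run one scenario; returns 1 if the ICMP reply carried the key. */
static int leaks(int subverted_icmp, int hardened_free)
{
    static const uint8_t key[KEY_LEN] = "key-material-01";   /* constructed */
    /* constructed probe: 20-byte IPv4 header + 8 bytes, what an ICMP error quotes */
    static const uint8_t probe[28] = { 0x45, 0x00, 0x00, 0x1c };
    uint8_t reply[MBUF_SIZE];
    free_fn release = hardened_free ? mbuf_free_hardened : mbuf_free_leaky;

    ipsec_stage(key, release);           /* attacker sends the probe right after this */
    size_t n = subverted_icmp
        ? icmp_error_subverted(probe, sizeof probe, reply, sizeof reply, release)
        : icmp_error_correct(probe, sizeof probe, reply, sizeof reply, release);
    return contains_key(reply, n, key);
}

int main(void)
{
    printf("subverted quote, leaky free:   %s\n", leaks(1, 0) ? "KEY LEAKED" : "clean");
    printf("subverted quote, scrub on free: %s\n", leaks(1, 1) ? "KEY LEAKED" : "clean");
    printf("correct quote,   leaky free:   %s\n", leaks(0, 0) ? "KEY LEAKED" : "clean");
    return 0;
}
```

Two independent fixes each close the channel here: bounding the quote by the datagram length removes the bug, and scrubbing buffers on free means a second such bug anywhere in the stack has nothing to leak. A reviewer hunting for this class of backdoor would look for exactly the pattern in icmp_error_subverted(): a copy length derived from allocation size rather than from the data actually written.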