[cryptography] Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s)

Jon Callas jon at callas.org
Wed Dec 15 15:36:09 EST 2010

Oh, come on.

The summary of this is: I worked on X_1, X_2, ... X_n. I used to have a clearance but now I don't, so therefore what I'm saying is true. You can trust me because I've been quoted by the New York Times. Here's what I said.

It is certainly possible that there are back doors somewhere. But this is just chaff. It has not yet risen to the level of gossip. It's far more like the Cretan paradox than anything else. It's kinda saying: all government people are evil, you can trust me on that because I used to be a government person. Riiiiiiiight.

I want to see description of the back door. Part of the reason is that we can't even assess whether it is a real back door, as opposed to (e.g.) a suboptimal implementation without a description. For example, I can remember people saying that a fixed shared secret is a back door. I can empathize with frustration over something like that, but even if a fixed shared secret is done with ill-intent, it's not what I'd call a back door.

Facts. I want facts. Failing facts, I want a *testable* accusation. Failing that, I want a specific accusation.


On Dec 15, 2010, at 1:23 AM, Marsh Ray wrote:

> On 12/15/2010 02:31 AM, Jon Callas wrote:
>> But this way,
>> the slur has been made in a way that is impossible to discuss. I
>> think evidence is called for, or failing that, and actual description
>> of the flaw.
> Hot off the presses. Haven't yet decided how much this counts for information. But he does come closer to naming source files.
> - Marsh
> http://blogs.csoonline.com/1296/an_fbi_backdoor_in_openbsd
>> he OCF was a target for side channel key leaking mechanisms, as well
>> as pf (the stateful inspection packet filter), in addition to the
>> gigabit Ethernet driver stack for the OpenBSD operating system; all
>> of those projects NETSEC donated engineers and equipment for,
>> including the first revision of the OCF hardware acceleration
>> framework based on the HiFN line of crypto accelerators.
>> The project involved was the GSA Technical Support Center, a circa
>> 1999 joint research and development project between the FBI and the
>> NSA; the technologies we developed were Multi Level Security controls
>> for case collaboration between the NSA and the FBI due to the Posse
>> Commitatus Act, although in reality those controls were only there
>> for show as the intended facility did in fact host both FBI and NSA
>> in the same building.
>> We were tasked with proposing various methods used to reverse
>> engineer smart card technologies, including Piranha techniques for
>> stripping organic materials from smart cards and other embedded
>> systems used for key material storage, so that the gates could be
>> analyzed with Scanning Electron and Scanning Tunneling Microscopy.
>> We also developed proposals for distributed brute force key cracking
>> systems used for DES/3DES cryptanalysis, in addition to other methods
>> for side channel leaking and covert backdoors in firmware-based
>> systems.  Some of these projects were spun off into other sub
>> projects, JTAG analysis components etc.  I left NETSEC in 2000 to
>> start another venture, I had some fairly significant concerns with
>> many aspects of these projects, and I was the lead architect for the
>> site-to-site VPN project developed for Executive Office for United
>> States Attorneys, which was a statically keyed VPN system used at
>> 235+ US Attorney locations and which later proved to have been
>> backdoored by the FBI so that they could recover (potentially) grand
>> jury information from various US Attorney sites across the United
>> States and abroad.  The person I reported to at EOSUA was Zal Azmi,
>> who was later appointed to Chief Information Officer of the FBI by
>> George W. Bush, and who was chosen to lead portions of the EOUSA VPN
>> project based upon his previous experience with the Marines (prior to
>> that, Zal was a mujadeen for Usama bin Laden in their fight against
>> the Soviets, he speaks fluent Farsi and worked on various incursions
>> with the CIA as a linguist both pre and post 911, prior to his tenure
>> at the FBI as CIO and head of the FBI’s Sentinel case management
>> system with Lockheed).  After I left NETSEC, I ended up becoming the
>> recipient of a FISA-sanctioned investigation, presumably so that I
>> would not talk about those various projects; my NDA recently expired
>> so I am free to talk about whatever I wish.
>> Here is one of the articles I was quoted in from the NY Times that
>> touches on the encryption export issue:
>> In reality, the Clinton administration was very quietly working
>> behind the scenes to embed backdoors in many areas of technology as a
>> counter to their supposed relaxation of the Department of Commerce
>> encryption export regulations – and this was all pre-911 stuff as
>> well, where the walls between the FBI and DoD were very well
>> established, at least in theory.

More information about the cryptography mailing list