[cryptography] Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Dec 16 23:30:23 EST 2010


"James A. Donald" <jamesd at echeque.com> writes:

>Crypto algorithms have standard reference implementations, which are to a 
>greater or lesser extent copied wholesale. Any deviation from the usual is apt 
>to be noticeable.

That would require that you compare the code for algorithm X in project Y to 
the originaly copy held who knows where, taking into account that the version 
used in project Y may be several versions out of date from the reference one 
(and by several versions I mean "ten years or more" in some cases), and that 
it'll have been hacked over by who knows how many others for portability and 
performance reasons.  There'll be no way to tell whether any of the dozens of 
tweaks and changes are a backdoor or not.  How would you tell whether 
something like a cast "( uint32_t ) /* For Solaris 9 with the SunPro 4.2 
compiler */" is be a portability fix or a backdoor?  If I wanted to backdoor 
something, I'd go for private-key leakage in DLP PKCs, which are notoriously 
bad in terms of leaking key bits if you even look at them funny.  It's hard 
enough just to get those right with the best of intentions, let alone if 
you're deliberately trying to hide a key leak.

To put it more succinctly, and to paraphrase Richelieu, give me six lines of 
code written by the hand of the most honest of coders and I'll find something 
in there to backdoor.

Peter.



More information about the cryptography mailing list