[cryptography] Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Dec 18 00:29:22 EST 2010


Ian G <iang at iang.org> writes:

>Submit the most subtle backdoor into open source crypto thingumyjob.

This is opening waaay too big a can of worms, it's like inviting people to
submit the most devious malware payload, for which we already have enough
answers to fill several volumes.  Just take every devious bug that's taken
days/weeks/months to track down that you've ever encountered and hide it in
your code.  There's no limit to what you can do.  Here's some quick
suggestions:

- Take an OSS crypto library and add a portability fix that only triggers for 
Windows Phone/CE/Mobile/whatever-it-is-this-week.  On the remote chance of 
someone ever bothering to audit the code, and even if they go so far as to run 
test vectors through it, it'll be an OSS developer using Unix, and everything 
will be fine.  The bug only crops up in the Windows Phone voice-encryption app 
that you want to nobble.  If you're targeting a particular app, you can even
make it only occur in the particular build environment that the app developer 
uses.

- Most optimised crypto uses multiple layers of nested conditional macros to
generate the most efficient code on different platforms.  Go wild with this.

- Through appropriate ordering of #includes and other phase-of-the-moon 
oddities under Windows you can swap cdecl and Pascal calling conventions for 
Windows SDK functions.  Replace one with the other, so that calling an 
innocuous function winds up the stack and replaces your crypto key with an 
all-zero buffer, or your public value with the private one, or whatever.  
No-one'll *ever* spot this.

- Misplace semicolons or { }s to invisibly change the behaviour of code.

- [etc ad nauseam]

(For the avoidance of any doubt, in all of the above the goal is to leak key 
bits or something similar while retaining full interoperability with 
non-nobbled implementations, so "run some test vectors through it" isn't a 
defence).

It's not as if we don't already have legions of near impossible-to-locate
accidental bugs (all of the above are based on real but accidental bugs, 
although not necessarily crypto ones), if you want to make them deliberate 
there's no limit to what you can do.

Peter.
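As an added illustration of the misplaced-semicolon item in the post above (this is constructed example code, written for this page; it is not from Peter's message or from any real library, and the tag bytes are made up), here is a tag verifier with one stray ';' next to its corrected form, together with the check that separates them. Both versions accept a valid tag, so a positive-only known-answer test passes either way, which is exactly the post's point about test vectors; negative vectors (every corrupted copy of a valid tag must be rejected) are what expose the always-accept version.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample values (not from the post): a 16-byte authentication
 * tag the receiver expects, and one that differs in its last byte. */
static const uint8_t TAG_GOOD[16] = {
    0x3a, 0x9f, 0x11, 0xc4, 0x57, 0x02, 0xee, 0x80,
    0x6d, 0xb1, 0x24, 0xf9, 0x5c, 0x38, 0x07, 0xa2
};
static const uint8_t TAG_BAD[16] = {
    0x3a, 0x9f, 0x11, 0xc4, 0x57, 0x02, 0xee, 0x80,
    0x6d, 0xb1, 0x24, 0xf9, 0x5c, 0x38, 0x07, 0xa3
};

/* Constant-time tag comparison: 0 when equal, non-zero otherwise. */
static int tag_diff(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    return acc;
}

/* BEFORE: one stray semicolon.  The `if` now guards an empty statement, so
 * `return 1` (accept) runs unconditionally and every tag is accepted.
 * This compiles cleanly by default; gcc -Wextra (-Wempty-body) and clang's
 * default warnings do flag the empty body. */
int verify_tag_buggy(const uint8_t *got, const uint8_t *expected, size_t n)
{
    if (tag_diff(got, expected, n) == 0);   /* <-- the misplaced ';' */
        return 1;                           /* accept: always reached */
    return 0;                               /* reject: never reached */
}

/* AFTER: braces around every conditional body leave no room for this. */
int verify_tag_fixed(const uint8_t *got, const uint8_t *expected, size_t n)
{
    if (tag_diff(got, expected, n) == 0) {
        return 1;   /* accept */
    }
    return 0;       /* reject */
}

typedef int (*tag_verifier)(const uint8_t *, const uint8_t *, size_t);

/* Negative test vectors: flip every bit of the valid tag in turn and require
 * the verifier to reject each corrupted copy.  Returns 1 if every corruption
 * was rejected, 0 as soon as one is accepted. */
int rejects_corrupted_tag(tag_verifier verify)
{
    uint8_t tag[sizeof TAG_GOOD];
    for (size_t bit = 0; bit < 8 * sizeof TAG_GOOD; bit++) {
        memcpy(tag, TAG_GOOD, sizeof tag);
        tag[bit / 8] ^= (uint8_t)(1u << (bit % 8));
        if (verify(tag, TAG_GOOD, sizeof tag) != 0)
            return 0;   /* a corrupted tag was accepted */
    }
    return 1;
}

int main(void)
{
    printf("buggy: valid accepted=%d, bad accepted=%d, negative vectors pass=%d\n",
           verify_tag_buggy(TAG_GOOD, TAG_GOOD, 16),
           verify_tag_buggy(TAG_BAD, TAG_GOOD, 16),
           rejects_corrupted_tag(verify_tag_buggy));
    printf("fixed: valid accepted=%d, bad accepted=%d, negative vectors pass=%d\n",
           verify_tag_fixed(TAG_GOOD, TAG_GOOD, 16),
           verify_tag_fixed(TAG_BAD, TAG_GOOD, 16),
           rejects_corrupted_tag(verify_tag_fixed));
    return 0;
}
```

The practical takeaways for a reviewer are the two cheap checks: build the crypto code with the compiler's empty-body and misleading-indentation warnings turned on (and treated as errors in CI), and make sure the test suite contains rejection cases, not only known-answer vectors that a deliberately permissive implementation will pass with full interoperability.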
