FBI back door in IPSec implementation of OpenBSD?

eazydor · Dec 15, 2010, 2:40 PM

http://www.h-online.com/security/news/item/FBI-back-door-in-IPSec-implementation-of-OpenBSD-1153297.html

http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

what about the pfsense-implementation?

jimp · Dec 15, 2010, 5:17 PM

The pfSense ipsec code comes from ipsec-tools, which these days is from NetBSD, not OpenBSD.

I'm not sure if they share anything inside, but given the history of BSDs sharing things, it may be possible. Though nobody knows for certain if there is any real flaw, and if so, it may have been fixed or it may not have carried over to other projects that (if any did) borrowed code.

If in doubt, use OpenVPN. Unless they backdoored that too. :-)

cmb · Dec 16, 2010, 2:50 AM

The chance of that having any truth is extremely minimal. FreeBSD's IPsec is partially based on OpenBSD's, ipsec-tools only handles keying and related things. Even if it were true 10 years ago, it's likely changed enough in the mean time that it's no longer effective, if even enough bits were brought over from OpenBSD to FreeBSD for it to carry over anyway. Comments from a FreeBSD developer:
http://maycontaintracesofbolts.blogspot.com/2010/12/openbsd-ipsec-backdoor-allegations.html

The crypto code wasn't written by anyone from the US anyway per OpenBSD policy, so it's expected the side channel would be in the network stack or elsewhere, where the probability of carry-over to FreeBSD is much smaller.
http://marc.info/?l=openbsd-tech&m=129237675106730&w=2

There is extensive re-auditing of the code happening, and I expect it won't turn up anything, but we'll definitely keep an eye on the situation. The chance of that being true of OpenBSD is exceptionally remote, and even less likely there would be carry-over to FreeBSD.

XIII · Dec 16, 2010, 3:37 AM

the fact that the NDA expired wouldnt happen, or thats what they want you to think…

the NSA/FBI is due to audit their OS code and hence this story, they are getting the community to do it for them, and for free.

singerie · Dec 16, 2010, 9:33 AM

I hope they will find something … i will be able to sleep again. ;D

jimp · Dec 16, 2010, 12:41 PM

They'll probably find a few bugs, and no matter how minor or accidental I'm sure they'll all be labeled malicious. :)

Cry Havok · Dec 16, 2010, 4:40 PM

Nothing has been found because, according to at least one of those named as having done the deed, nothing was done.

eazydor · Dec 17, 2010, 2:56 AM

no doubts at all, just interest and like jim said, who knows for certain and anyway, to me this doesnt seem like a major thread..

i do use openvpn whereever i can, just for iphone´s it´s nicer than pptp.

completely besides of that, i feel that the creators of pfsense (so i believe you too, jim?!?) really do have many many years of networking expirience and that pfsense is a project with special focus on quality. i first read about you guys in an german issue of "the H", called originally heise security, and they too stated pfsense highest reputation "in the scene".
i´m not and possibly will never be in the position to judge story´s like these, but i feel really well advised with the "pfsense way".
so thank you (all), not just for answering my question(s).

singerie · Dec 23, 2010, 12:47 PM

Apparently they found 2 bug in the cryptographic code. They don't know yet if those bug could be dangerous, but they will hopfully fix those bug :)