OpenBSD Founder Blames Contractor, Not FBI, For Backdoor Plant

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved,

The founder of OpenBSD now believes that a firm was probably contracted to put backdoors in the project code

OpenBSD founder Theo de Raadt has pointed the finger of suspicion at a contractor, and not the FBI, for planting a number of back doors into the encryption software used by the OpenBSD

The founder of the OpenBSD project said that he believes a firm was “probably contracted” by the government to write backdoors in the OpenBSD Cryptographic Framework (OCF).

The statement was made 21 December by de Raadt on the project’s mailing list in response to the ongoing discussion about allegations aired in an email to de Raadt from former NetSec CTO Gregory Perry. In the email, Perry claimed that roughly a decade ago, the FBI had developers plant backdoors and side-channel key leaks in OCF.

Claims Denied

“I believe that NETSEC [sic] was probably contracted to write backdoors as alleged,” de Raadt wrote. “If those were written, I don’t believe they made it into our tree. They might have been deployed as their own product.”

During the past week, some have criticised Perry’s claims, and two people named in his initial email have denied any involvement in the alleged plot. One of them, Jason Wright, noted in a message to the OpenBSD mailing list that the code he touched related “mostly to device drivers to support the framework.”

“I don’t believe I ever touched isakmpd or photurisd (userland key management programs), and I rarely touched the ipsec internals (cryptodev and cryptosoft, yes),” Wright wrote 15 December.

Perry, now CEO of GoVirtual Education, told eWEEK in an email that he stood by his allegations.

“The FBI has been doing this for quite some time now, they have intentionally weakened the United States’ critical infrastructure for purposes of domestic and international surveillance,” Perry wrote. “God only knows what they are up to these days with their newfound legislative powers.”

In his email to de Raadt, Perry alleged the FBI “implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA [Executive Office for United States Attorneys], the parent organization to the FBI.”

Guilty Party?

According to de Raadt, both Wright and developer Angelos Keromytis worked at NetSec, which has since been acquired by Verizon, and wrote code in “many areas we all rely on.”

“After Jason left, Angelos (who had been working on the ipsec stack already for 4 years or so, for he was the ARCHITECT and primary developer of the IPSEC stack) accepted a contract at NETSEC and while travelling around the world) wrote the crypto layer that permits our ipsec stack to hand-off requests to the drivers that Jason worked on,” he wrote. “That crypto layer contained the…insecure idea of half-IV that the US govt was pushing at that time.”

“Soon after his contract was over this was ripped out,” de Raadt continued. “Soon after this the CBC oracle problem became known as well in published papers, and ipsec/crypto moved towards random IV generation (probably not viable before this, since we had lacked a high-quality speedy PRNG… arc4random).  I do not believe that either of these two problems, or other problems not yet spotted, are a result of clear malice. So far the issues we are digging up are a function of the time in history.”