FBI back door in IPSec implementation of OpenBSD?
In an email, OpenBSD founder Theo de Raadt has pointed out a potential back door in the implementation of the IPSec stack for establishing VPN connections. Other open source projects which adopted this code could also contain the back door. The back door reportedly found its way into the code in 2000 and 2001, when OpenBSD developers were allegedly commissioned by the US government to manipulate the code.
In an email attached by de Raadt, software developer Gregory Perry, who says he is a former OpenBSD contributor, mentions the name of Jason Wright as one of the developers who were involved. Wright is, or was, one of the leading figures of OpenBSD.
These are serious allegations and de Raadt said that, not having talked to Perry for over ten years, he decided to make Perry's email public – and that he refuses to become part of such a conspiracy. De Raadt also pointed out that the code in question has repeatedly been patched, modified and rewritten over the past ten years, and that it will therefore be hard to tell whether the potential back door still exists.
Perry said that he only informed the OpenBSD founder now because his 10-year non-disclosure agreement (NDA) with the FBI has recently expired. While employed at the company NetSec, Perry said he was also working as a consultant for an FBI project that aimed at setting up back doors and implementing key recovery (key escrow) mechanisms for smartcards. His consultancy work reportedly made him aware that at that time the FBI successfully injected various back doors and side channel key leaking mechanisms into the OpenBSD Crypto Framework (OCF).
According to Perry, this was also the reason why the US Defense Department suddenly stopped funding the OpenBSD project in early 2003. Apparently, DARPA caught wind of the back doors and consequently withdrew its funding. However, Perry's allegations go even further, as he also claims that virtualisation specialist Scott Lowe is on the FBI payroll. Perry said that Lowe has been advocating the use of OpenBSD for VPN and firewall implementations in virtualised environments.
Whether IPSec in OpenBSD really still contains a back door will need to be established via code reviews. Other projects that use the OpenBSD code will also need to audit their code. IPSec implementations such as KAME, which originated in Japan, are probably not affected – unless there was a significant exchange of code between the projects. KAME is a part of Mac OS X, NetBSD and FreeBSD – but can also be found in OpenBSD from version 2.7. Another solution is strongSwan; the Linux kernel includes its own netkey implementation, but it also supports other solutions.
- OpenBSD 4.8 released, a report from The H.