Following last week’s accusation by a former government contractor that the FBI has implemented backdoors into the encryption software used by OpenBSD, Theo de Raadt, OpenBSD’s founder and leader, has once again decided to share with the public his thoughts on the alleged compromise.
“I believe that NETSEC was probably contracted to write backdoors as alleged,” he says. “But, if those were written, I don’t believe they made it into our tree. They might have been deployed as their own product.”
He says that it’s true that NETSEC’s developers were working on the project, but that Jason Wright – the only developer mentioned by name in Gregory Perry’s accusing e-mail – did not work on cryptography but on device drivers. De Raadt adds that Wright did touch the IPSec layer, but only the data-flow side of that code, not the algorithms.
“After Jason left, Angelos (who had been working on the IPSec stack already for 4 years or so, for he was the ARCHITECT and primary developer of the IPSec stack) accepted a contract at NETSEC and (while traveling around the world) wrote the crypto layer that permits our IPSec stack to hand-off requests to the drivers that Jason worked on,” de Raadt claims. “That crypto layer contained the half-assed insecure idea of half-IV that the US government was pushing at that time. Soon after his contract was over this was ripped out.”
He is happy, though, that “people are taking the opportunity to audit an important part of the tree which many had assumed — for far too long — to be safe as it is.” The search has already revealed a couple of bugs, but none of them seems to be a backdoor.