Ok, so it’s kind of hyperbolic since OpenBSD itself is not compromised but what Perry is saying is that some of the encryption algorithms used by OpenBSD products, particularly for vpn, have been compromised for some time but the FBI let it slide so they could exploit it for surveillance. Previously strict export regulation crypto algos was quietly relaxed while RSA never bothered to renew their patent on the RSA crypto. Perry suggests that this is a loud “tell” indicating that vulnerabilities have been found so it’s being allowed to propagate in the wild until enough people use it and effective surveillance can be implemented.

If any of this conjecture is the case, then it could reasonably be said that the FBI intentionally – and very seriously – weakened the United States critical infrastructure and our military capabilities by advocating the use of a fundamentally weak encryption algorithm as a tradeoff between US National Security and their need to observe domestic communications in the United States. This of course has serious implications for any technology predicated upon the RSA encryption algorithm and its progeny, such as military grade GPS which uses RSA for weapons targeting, military smart card technology such as the Common Access Card, commercial smart card technologies used in RFID and contactless payment solutions, etc. Most of these standards are now literally set in stone insofar as embedded systems are concerned, and the vast majority of OpenBSD / OCF installations are embedded-based without an upgrade path due to the small footprint of OpenBSD and the BSD licensing scheme used by the OpenBSD project. Literally millions (and potentially hundreds of millions) of OpenBSD installations are out there in the embedded space such as routers, firewalls, VPN devices etc, and this goes without mentioning the many other operating systems that have incorporated the OpenBSD OCF and PF firewalling stack without any audit of the source code based on the security and reputation inherent to the OpenBSD Project.

I personally think Perry is being a bit sensational and doing a bit of drama in the security theater but those are still some serious allegations. Have to say, not really surprised. I do remember the days when it was edgy to tattoo a perl one-liner that did RSA encryption as it was still considered a munition at that time so if one left the country with said tattoo, one was technically an illegal arms dealer. Checking openbsd misc for any Theo ranting responses…

The original email thread that started this

Advertisements