Slashdot Mirror

← Back to Stories (view on slashdot.org)

Questions Linger As Juniper Removes Suspicious Dual_EC Algorithm (threatpost.com)

Posted by samzenpus on from the raise-shields dept.

msm1267 writes: Juniper Networks has removed the backdoored Dual_EC DRBG algorithm from its ScreenOS operating system, but new developments show Juniper deployed Dual_EC long after it was known to be backdoored. Stephen Checkoway, assistant professor of computer science at the University of Illinois at Chicago, said that he and a number of crypto experts looked at dozens of versions of Juniper's NetScreen firewalls and learned that ANSI X9.31 was used exclusively until ScreenOS 6.2 when Juniper added Dual_EC. It also changed the size of the nonce used with ANSI X9.31 from 20 bytes to 32 bytes for Dual_EC, giving an attacker the necessary output to predict the PRNG output. 'And at the same time, Juniper introduced what was just a bizarre bug that caused the ANSI generator to never be used and instead just use the output of Dual_EC. They made all of these changes in the same version update.'

4 of 78 comments (clear)

  1. Re:NSA has ruined the American tech sector by complete+loony · · Score: 3, Informative

    Cracking Dual_EC requires knowledge of a secret that was used to generate the elliptic curve parameters it uses. The NSA published a set of parameters as part of the proposed standard. If these are the parameters that Juniper used, then only the NSA can deduce the internal state of the random number generator.

    There's no point to anyone else adding this backdoor, unless they are friends with the NSA.

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  2. A few of the many articles: by Futurepower(R) · · Score: 5, Informative

    NSA Helped British Spies Find Security Holes In Juniper Firewalls Quote: "... British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks..."

    Secret Code Found in Juniper's Firewalls Shows Risk of Government Backdoors Quote: "This is a very good showcase for why backdoors are really something governments should not have in these types of devices because at some point it will backfire."

    New Discovery Around Juniper Backdoor Raises More Questions About the Company Quote: "Juniper added the insecure algorithm to its software long after the more secure one was already in it, raising questions about why the company would have knowingly undermined an already secure system."

    Juniper 'fesses up to TWO attacks from 'unauthorised code'

    'Unauthorized code' that decrypts VPNs found in Juniper's ScreenOS Quote: "And it may have been there since 2008, making this a late contender for FAIL of the year."

    How to log into any backdoored Juniper firewall -- hard-coded password published

    Juniper promises to fix ScreenOS cryptography ... eventually

    Listen up, FBI: Juniper code shows the problem with backdoors Quote: "FBI director James Comey should be taking notes: The Juniper debacle shows why security experts are up in arms over government-ordered backdoors."

    Another quote from that article:

    "Cryptographic backdoors are one of the best ways for attackers to break into systems. '[The backdoors] take care of the hard work, the laying of plumbing and electrical wiring, so attackers can simply walk in and change the drapes,' Green said.

  3. Re: A 1950s idea, repurposed for today by Anonymous Coward · · Score: 4, Informative

    The NSA was involved in its development. It's known to be backdoored.

  4. Re:Why Dual EC? by ioErr · · Score: 3, Informative

    ScreenOS uses Dual EC in a strange, non-standard way. Rather than generating all of their random numbers with Dual EC (which would be slow), they only use Dual EC to generate a seed for a fast 3DES-based generator called ANSI X9.17. Since that generator is actually FIPS-140 approved and generally believed to be sufficient to the purpose, it's not clear what value Dual EC is really adding to the system in the first place -- except, of course, its usefulness as a potential backdoor.

    The good news here is that the post-processing by ANSI X9.17 should kill the Dual EC backdoor, since the attack relies on the attacker seeing raw output from Dual EC. The ANSI generator appears to completely obfuscate this output, thus rendering Dual EC "safe". This is indeed the argument Juniper made in 2013 when it decided to leave the Dual EC code in ScreenOS.

    http://blog.cryptographyengine...