Questions Linger As Juniper Removes Suspicious Dual_EC Algorithm

msm1267 writes: Juniper Networks has removed the backdoored Dual_EC DRBG algorithm from its ScreenOS operating system, but new developments show Juniper deployed Dual_EC long after it was known to be backdoored. Stephen Checkoway, assistant professor of computer science at the University of Illinois at Chicago, said that he and a number of crypto experts looked at dozens of versions of Juniper's NetScreen firewalls and learned that ANSI X9.31 was used exclusively until ScreenOS 6.2 when Juniper added Dual_EC. It also changed the size of the nonce used with ANSI X9.31 from 20 bytes to 32 bytes for Dual_EC, giving an attacker the necessary output to predict the PRNG output. 'And at the same time, Juniper introduced what was just a bizarre bug that caused the ANSI generator to never be used and instead just use the output of Dual_EC. They made all of these changes in the same version update.'

A 1950s idea, repurposed for today

[93+Escort+Wagon]

We really need to resurrect the House Un-American Activities panel. It sure seems to me that the NSA is hellbent on destroying American networking and computing companies - and that's about as Un-American as it gets.

Re:A 1950s idea, repurposed for today

[Pseudonym]

I'm not American, and even I know that's not what you want. What you want is a new round of Church and Pike committee hearings.

Re: A 1950s idea, repurposed for today

The NSA was involved in its development. It's known to be backdoored.

Re:A 1950s idea, repurposed for today

Hyperbole helps no one. We should stick to the facts--they're sufficiently damning.
The discovered weaknesses in Dual_EC mean no one should trust it, but It is not true that it is "known to be backdoored".

Maybe let's put that differently. There is a known backdoor in Dual_EC. If the curve used in encryption isn't generated in a very special and safe way then it's possible to generate a curve which can be reversed by the person who generates it. Nobody knows who controls the backdoor, it's even theoretically possible that nobody does since the person generating the curve was so incompetent didn't save the key. Given that the NSA was involved in creating it and they aren't widely known to be deeply incompetent it would only be fair to assume that the NSA controls the back door.

In other words, the design of Dual_EC is backdoored. Whether the specific implementation with a specific curve is backdoored is almost (but not quite) irrelevant.

The Juniper case is particularly interesting because it shows a situation where a different curve was used, likely giving a different person control of the backdoor.

Re:A 1950s idea, repurposed for today

[sociocapitalist]

We really need to resurrect the House Un-American Activities panel. It sure seems to me that the NSA is hellbent on destroying American networking and computing companies - and that's about as Un-American as it gets.

Maybe we could get Trump to run it...

(joking)

No private company should stick their neck out

[Foxhoundz]

I think the NSA is doing what NSA needs to do. That being said, if they forcefully compel a company to allow backdoor into products, the government should be prepared accept all subsequent financial liability (that is, bail out the company) that would likely arise as a result of the would-be PR disaster. No private company should stick their neck out for the government.

Re:No private company should stick their neck out

[A10Mechanic]

To accept any level of liability is tantamount to an admission of guilt. Don't hold your breath.

Re:No private company should stick their neck out

[sociocapitalist]

I think the NSA is doing what NSA needs to do. That being said, if they forcefully compel a company to allow backdoor into products, the government should be prepared accept all subsequent financial liability (that is, bail out the company) that would likely arise as a result of the would-be PR disaster. No private company should stick their neck out for the government.

And what about the trickle down damage to end customers or anyone in the compromised chain? Maybe said victims have gone out of business or committed suicide as a result of the compromise of private information that wouldn't have otherwise been compromised - how do you give that back to them with money?

No. The government should not require companies to put back doors in security products as all it does is increase insecurity for the sake of security theater.

Re: NSA has ruined the American tech sector

[bill_mcgonigle]

Why assume it came from the NSA?

One should not assume that, if Juniper fully discloses the who, what, and when of the compromises, including naming names.

Now if we only get silence, stonewalling, and "temporary contractors"s then we can assume either external control or a suicidal lack of business acumen.

Re:NSA has ruined the American tech sector

[AHuxley]

Re 'Was it worth it?"
It seems a hold over from the cold war. US friendly theocracies, monarchies, juntas ie freedom loving emerging democratic leaders got cheap US deals.
Cheap to import, US friendly interconnects, cheap international peering with domestic prices, keeps the Soviet Union out.
The hardware exported was police tap ready, NSA ready, GCHQ ready. No person in the importing country was really expected to understand or inspect the inner workings, just upgrade or keep networks working. Request help to fly in as needed.
The next step was the NDA and contracts to keep next generation well educated staff from looking at the digital inner workings and never to mention in public any expert findings.

Re:NSA has ruined the American tech sector

[complete+loony]

Cracking Dual_EC requires knowledge of a secret that was used to generate the elliptic curve parameters it uses. The NSA published a set of parameters as part of the proposed standard. If these are the parameters that Juniper used, then only the NSA can deduce the internal state of the random number generator.

There's no point to anyone else adding this backdoor, unless they are friends with the NSA.

Are you insane?

[Okian+Warrior]

I think the NSA is doing what NSA needs to do. That being said, if they forcefully compel a company to allow backdoor into products, the government should be prepared accept all subsequent financial liability (that is, bail out the company) that would likely arise as a result of the would-be PR disaster. No private company should stick their neck out for the government.

Are you nuts?

An entrepreneur with an idea starts a business, builds it over the course of many years, has a sizeable value and clientelle and personal integrity and a duty to stockholders.

The NSA compels him to put a backdoor in his product, so that if it's found out he loses credibility, his business loses value, clients (especially international ones) flee to other products, stockholders lose value, and in all probability workers lose jobs...

And you think this is OK because the government will bail him out?

Bail out what?

The company might very well be irrecoverable, and in any event the owner might want the company more than its monetary book value (because he likes running the business, or because he wants to leave something to his kids), and the government isn't known for paying book value on eminent domain seisures.

In addition, knowing that the NSA does this to one company, customers abroad assume that they have done this to many others, and avoid American products in general. Our economy takes a big hit, people are unemployed and miserable, the government has less tax money to do things, and we're less safe because of it.

Your position has no rational logic. Are you insane?

Why Dual EC?

[TechyImmigrant]

I'm an implementor of non backdoored RNGs that are very widely deployed. However to be able to do that well you need to understand the many ways how to backdoor RNGs, so you can take preventative measures to prevent other people backdooring your design.

So I know many ways to backdoor an RNG. If I was trying to do that, why would I choose an RNG that was already widely known to be backdoored?

So either they are back at backdooring, or not good at not backdooring.

Re:Why Dual EC?

[ioErr]

ScreenOS uses Dual EC in a strange, non-standard way. Rather than generating all of their random numbers with Dual EC (which would be slow), they only use Dual EC to generate a seed for a fast 3DES-based generator called ANSI X9.17. Since that generator is actually FIPS-140 approved and generally believed to be sufficient to the purpose, it's not clear what value Dual EC is really adding to the system in the first place -- except, of course, its usefulness as a potential backdoor.

The good news here is that the post-processing by ANSI X9.17 should kill the Dual EC backdoor, since the attack relies on the attacker seeing raw output from Dual EC. The ANSI generator appears to completely obfuscate this output, thus rendering Dual EC "safe". This is indeed the argument Juniper made in 2013 when it decided to leave the Dual EC code in ScreenOS.

http://blog.cryptographyengine...

A few of the many articles:

[Futurepower(R)]

NSA Helped British Spies Find Security Holes In Juniper Firewalls Quote: "... British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks..."

Secret Code Found in Juniper's Firewalls Shows Risk of Government Backdoors Quote: "This is a very good showcase for why backdoors are really something governments should not have in these types of devices because at some point it will backfire."

New Discovery Around Juniper Backdoor Raises More Questions About the Company Quote: "Juniper added the insecure algorithm to its software long after the more secure one was already in it, raising questions about why the company would have knowingly undermined an already secure system."

Juniper 'fesses up to TWO attacks from 'unauthorised code'

'Unauthorized code' that decrypts VPNs found in Juniper's ScreenOS Quote: "And it may have been there since 2008, making this a late contender for FAIL of the year."

How to log into any backdoored Juniper firewall -- hard-coded password published

Juniper promises to fix ScreenOS cryptography ... eventually

Listen up, FBI: Juniper code shows the problem with backdoors Quote: "FBI director James Comey should be taking notes: The Juniper debacle shows why security experts are up in arms over government-ordered backdoors."

Another quote from that article:

"Cryptographic backdoors are one of the best ways for attackers to break into systems. '[The backdoors] take care of the hard work, the laying of plumbing and electrical wiring, so attackers can simply walk in and change the drapes,' Green said.

Re:Voting Machines?

[Bert64]

That was basically a shell on a port, extremely obvious and useless as a malicious backdoor because anyone with a portscanner can find and use it.
More likely that was used by the developers to debug the device and never removed before production builds were made. I have seen many embedded devices like this where a backdoor is present in the firmware image but comes commented out by default on released versions.

Re: NSA has ruined the American tech sector

[Tokolosh]

Contrast with VW, where the culprits behind the emissions fiasco will be named and shamed. Congressional committees will investigate, class-action suits will be filed, company finances will take an enormous hit and heads will roll.

For Juniper it will all blow over, leaving a faint stench.

Who's On Our Side?

[mentil]

Step 1: Privately encourage companies to utilize 'govt. compliant' encryption routines 'for security purposes', implied to be tied to govt. contracts.
Step 2: Hire everyone you can who has the education needed to understand said cryptographic schemes. No amount of money is too high.
Step 3: Enjoy the brain drain. Every person who works for you is a person who doesn't work for those you want to surveil (i.e. everyone else).
Step 4: Watch public and private sector security researchers be overwhelmed by the sheer number of ways and places to be compromised, and realize you don't have to backdoor everything your targets use, merely ONE of the things they use. Of course, very few researchers who can understand the cryptography involved, aren't on your payroll.

TL;DR: the attackers outnumber the defenders so overwhelmingly that the latter can't keep up with the former.

Weird: No articles about NSA management

[Futurepower(R)]

NSA = No Sales for America

I find it shocking that articles about the NSA seem to start from the assumption that, except for the theft of a huge amount of data by an employee of a sub-contractor, Edward Snowden, the NSA is well managed. To me, it is utterly obvious that the NSA is not well managed.

If NSA employees can listen to all telephone calls, do you think that none of them notice an increase of traffic at a company and listen to the recordings to find stock tips?

My perception is that governments don't manage technology companies well. (NASA and the U.S. Department of Energy, for example.) Part of the reason is that the best technology people want to work for organizations that are known for their good work. A government, especially a secret government agency, cannot hire the kind of people who are creative with technology. What technology genius wants to go to prison if he talks about his work?

I posted links to 8 more articles about Juniper Networks below. A quote from one of them:

"Cryptographic backdoors are one of the best ways for attackers to break into systems. '[The backdoors] take care of the hard work, the laying of plumbing and electrical wiring, so attackers can simply walk in and change the drapes,' Green said."

It is definitely not reasonable to think that the NSA can hire people who are smarter than all those who want to break into computer systems. Cryptographic backdoors are a bad idea, and not only because they kill the sales of any nation that sponsors them.

When a government agency can break into any company's affairs, do you think the managers never take advantage of that information to make money?

Who chooses the sub-contractors, and decides how much they are paid? Suppose a relative of an NSA manager owns a contracting company?

Secrecy causes huge problems. It is difficult or impossible to review the quality of management. Bad managers can hide their mistakes. That effectively assures that the management will be poor.

Also, democracy works only if citizens can know what the government is doing.

The NSA is based on an idea that just does not function correctly, and cannot be made to function correctly.

Re:Weird: No articles about NSA management

[swb]

But technology people go to work for all kinds of companies who do boring work nobody wants to hear about. Or they go to work for a company which maybe a lot of people DO want to hear about, like Apple, but they sign all kinds of secret contracts the swear them to secrecy and ruinous poverty if they reveal them.

And I think many people in technology work because the technology itself is interesting to work with, the purpose for which it is being used for, whether selling rutabagas or insurance, they really don't care about.

And the NSA's specific appeal is "so you're interested in X? How would you like to work with a football field's worth of the newest X. We have a nearly unlimited amount of money to spend on it and some problems more interesting than cutting a cube dweller's transaction time on some database screens."

This gets compared to the pitch from private industry who says "we're looking to upgrade from Windows 2008r2 to 2016 because it fits our 7 year budget cycle for server replacement, and we only do TPS reports on days ending in Y".

Re:No questions linger

[scsirob]

Intel has just acknowledged a bug in their Skylake CPU's that surfaces when calculating prime numbers. Prime numbers happen to be heavily used in crypto. Is this a genuine bug, or a microcode backdoor-gone-rogue that can be exploited by some agencies?
https://communities.intel.com/...

So are you never going to buy an Intel product again?

Re:NSA has ruined the American tech sector

[Aighearach]

The part I find really funny is the claim that they don't even know where the updates came from.

Yeah, haha, we don't use version control either! Oh, wait, yes we do. It is free and saves time and money.

You push out firmware updates without version control?! I guess George just makes a zip file, and emails it to Frank who burns a CD and mails it to the company flashing the EEPROMs... oh wait.

And if you read about how deeply the Russians infiltrated the US nuclear program, then you'll realize that there is no need for outsourcing to enable foreign governments to be responsible for some fraction of the discovered exploits, back doors, side doors, trap doors, and dishonest press releases.

If they don't even have their software under version control, how can we trust them to know what press releases they actually made? Maybe it was planted in their files after they didn't give it, and they never gave it! They can't even trust themselves, if they're paying attention. But I suspect they're paying enough attention to not to be paying attention.

Re:NSA has ruined the American tech sector

[Aighearach]

Not knowable. The NSA doesn't want the world to know the details of successful foreign operations, for obvious operational reasons. They're not going to create risks to the nation in the area of their work, just to keep themselves from looking bad. That should be obvious by now by how bad they look, and that it doesn't seem to influence their work.

Re:No questions linger

[Lab+Rat+Jason]

Have you ever considered that they did all of these things in the same release because they WANTED to tell the world but couldn't? Think about it.

Re:NSA has ruined the American tech sector

[hawguy]

The part I find really funny is the claim that they don't even know where the updates came from.

Yeah, haha, we don't use version control either! Oh, wait, yes we do. It is free and saves time and money.

You push out firmware updates without version control?! I guess George just makes a zip file, and emails it to Frank who burns a CD and mails it to the company flashing the EEPROMs... oh wait.

And if you read about how deeply the Russians infiltrated the US nuclear program, then you'll realize that there is no need for outsourcing to enable foreign governments to be responsible for some fraction of the discovered exploits, back doors, side doors, trap doors, and dishonest press releases.

If they don't even have their software under version control, how can we trust them to know what press releases they actually made? Maybe it was planted in their files after they didn't give it, and they never gave it! They can't even trust themselves, if they're paying attention. But I suspect they're paying enough attention to not to be paying attention.

Without code signing (and few companies do it), Version control only tells you who the VCS system thinks made the update, which may have a very loose correlation to who actually made the update. If a hacker gained access to their VCS server, he could have inserted the changes into the VCS database with no identifying information at all.