[Cryptography] Juniper & Dual_EC_DRBG

Alfonso De Gregorio alfonso.degregorio at gmail.com
Tue Dec 22 11:15:23 EST 2015

On Mon, Dec 21, 2015 at 10:49 PM, Emilien Gaspar <y at dud-t.org> wrote:
> One thing that I still don't understand is their custom paramters for
> the curve used by Dual_EC and what was exactly modified by the attacker.

The attacker replaced Q, a point on the elliptic curve used by
Dual_EC. The attacker did so because, given the point P, it is easy to
compute Q=P*e, where e is known only to the attacker. Whoever has
access to both e and just 30 bytes generated by Dual_EC can predict
future output of the PRNG. And, guess what? ScreenOS was leaking out
the raw output of Dual_EC PRNG, even if it was pretending to use those
bytes to (re)seed a ANSI X9.31 generator -- which would have blinded
the required 30 bytes.

Write ups at [1, 2].

-- Alfonso

[1] https://rpw.sh/blog/2015/12/21/the-backdoored-backdoor/
[2] http://blog.cryptographyengineering.com/2015/12/on-juniper-backdoor.html?spref=tw

More information about the cryptography mailing list