[Cryptography] Juniper & Dual_EC_DRBG

Emilien Gaspar y at dud-t.org
Tue Dec 22 11:49:51 EST 2015

On Tue, Dec 22, 2015 at 04:15:23PM +0000, Alfonso De Gregorio wrote :
> On Mon, Dec 21, 2015 at 10:49 PM, Emilien Gaspar <y at dud-t.org> wrote:
> ...
> > One thing that I still don't understand is their custom paramters for
> > the curve used by Dual_EC and what was exactly modified by the attacker.
> The attacker replaced Q, a point on the elliptic curve used by
> Dual_EC. The attacker did so because, given the point P, it is easy to
> compute Q=P*e, where e is known only to the attacker. Whoever has
> access to both e and just 30 bytes generated by Dual_EC can predict
> future output of the PRNG. And, guess what? ScreenOS was leaking out
> the raw output of Dual_EC PRNG, even if it was pretending to use those
> bytes to (re)seed a ANSI X9.31 generator -- which would have blinded
> the required 30 bytes.
> Write ups at [1, 2].
> -- Alfonso
> [1] https://rpw.sh/blog/2015/12/21/the-backdoored-backdoor/
> [2] http://blog.cryptographyengineering.com/2015/12/on-juniper-backdoor.html?spref=tw

I was looking exactly for what was posted on rpw.sh today :).

But how Juniper did not discovered the modification of their own Q if
they were using it as backdoor ? (meaning that they were in the dark
during three years).

BTW, I understand how Dual_EC works, I've written a basic implementation
of it in golang (generation & attack) few days ago[0].


[0]: http://dud-t.org/code/dual_ec_poc.go

More information about the cryptography mailing list