[Cryptography] Juniper & Dual_EC_DRBG

Paul Wouters paul at cypherpunks.ca
Tue Dec 22 12:34:45 EST 2015

On Mon, 21 Dec 2015, Emilien Gaspar wrote:

> it seems that Juniper used Dual_EC_DRBG with their own backdoored
> constants[0]. Worse, they discovered that some constants was changed to
> insert a backdoor in ScreenOS that allow passive VPN decryption. It's
> not exactly clear how, but agl report on his blog[1] after a twitter
> conversion that it might be a simple replacement of the backdoored
> constants of Dual_EC_DRBG used in ScreenOS.
> One thing that I still don't understand is their custom paramters for
> the curve used by Dual_EC and what was exactly modified by the attacker.
> Do we have more explanations now ? :-)

There is https://rpw.sh/blog/2015/12/21/the-backdoored-backdoor/ but it
still does not explain how changing that constant would allow passive


More information about the cryptography mailing list