[Cryptography] Juniper & Dual_EC_DRBG

Phillip Hallam-Baker phill at hallambaker.com
Tue Dec 22 12:45:01 EST 2015

On Mon, Dec 21, 2015 at 5:49 PM, Emilien Gaspar <y at dud-t.org> wrote:
> oy,
> it seems that Juniper used Dual_EC_DRBG with their own backdoored
> constants[0]. Worse, they discovered that some constants were changed to
> insert a backdoor in ScreenOS that allows passive VPN decryption. It's
> not exactly clear how, but agl reports on his blog[1] after a Twitter
> conversation that it might be a simple replacement of the backdoored
> constants of Dual_EC_DRBG used in ScreenOS.
> One thing that I still don't understand is their custom parameters for
> the curve used by Dual_EC and what was exactly modified by the attacker.
> Do we have more explanations now? :-)

We have an interesting new possibility, that this isn't an NSA
backdoor, it is the work of someone who re-engineered the NSA backdoor
for their own purposes.

If true, that gives us a new proof point in the argument against
mandatory backdoors.

Another possibility is that someone changed the constants to close the
presumed NSA backdoor but did not intend to create a new one. We only
know that there was a compromise at this point. We don't know if it
was exploited or by whom.

Backdoors are like landmines, they get buried in old code and blow up
long after the people who originally placed them have forgotten about

