[Cryptography] Juniper & Dual_EC_DRBG

Emilien Gaspar y at dud-t.org
Tue Dec 22 12:53:05 EST 2015

On Tue, Dec 22, 2015 at 12:34:45PM -0500, Paul Wouters wrote:
> > Do we have more explanations now? :-)
> There is https://rpw.sh/blog/2015/12/21/the-backdoored-backdoor/ but it
> still does not explain how changing that constant would allow passive
> decryption.
> Paul

I have almost never used VPNs based on Juniper solutions, but I imagine we
can investigate the initial handshake used to establish the VPN connection
to see if there is some output coming from the backdoored generator. If
there are enough bits, then it's almost done (we only need at least 30
bytes from Dual_EC when using NIST P-256, which is the case with
Juniper's backdoor). There is a really good paper analysing how to
do passive decryption of TLS traffic when Dual_EC_DRBG is used [0].


[0]: On the Practical Exploitability of Dual EC in TLS Implementations

More information about the cryptography mailing list
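An added worked example of the state-recovery step Emilien describes (my code, not the poster's, not taken from the cited paper and not Juniper's implementation): a pure-Python Dual_EC_DRBG on NIST P-256 whose Q is chosen by the attacker so that a secret scalar e satisfies e*Q = P, the SP 800-90A block loop that emits x(s*Q) minus its top bits, and the recovery routine that brute-forces the dropped bits, lifts the result to a curve point R and computes e*R = s*P, whose x-coordinate is the generator's next state. Assumed for illustration: the trapdoor scalar e and the point Q are generated on the spot (no real Juniper or NIST constants are claimed), additional input and the end-of-request state update are omitted, and demo() drops 8 bits instead of the real 16 so that the candidate search finishes in seconds in pure Python; with the real parameter the search has 2^16 candidates, which is exactly why 30 bytes of output (plus a little of the next block to verify) are enough.

```python
"""Dual_EC_DRBG state recovery on NIST P-256 with an attacker-chosen Q.
Added illustration, not code from the thread, the cited paper, or Juniper."""
import os

# NIST P-256 parameters; Dual EC's point P is the curve generator G.
p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P_POINT = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
           0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = (0, 1, 0)  # point at infinity, Jacobian coordinates (Z == 0)

def jdouble(pt):  # EFD dbl-2001-b, a = -3
    x1, y1, z1 = pt
    if z1 == 0 or y1 == 0:
        return INF
    delta, gamma = z1 * z1 % p, y1 * y1 % p
    beta, alpha = x1 * gamma % p, 3 * (x1 - delta) * (x1 + delta) % p
    x3 = (alpha * alpha - 8 * beta) % p
    z3 = ((y1 + z1) ** 2 - gamma - delta) % p
    return (x3, (alpha * (4 * beta - x3) - 8 * gamma * gamma) % p, z3)

def jadd(p1, p2):  # EFD add-2007-bl, falls back to doubling when p1 == p2
    if p1[2] == 0 or p2[2] == 0:
        return p2 if p1[2] == 0 else p1
    x1, y1, z1 = p1
    x2, y2, z2 = p2
    z1z1, z2z2 = z1 * z1 % p, z2 * z2 % p
    u1, u2 = x1 * z2z2 % p, x2 * z1z1 % p
    s1, s2 = y1 * z2 * z2z2 % p, y2 * z1 * z1z1 % p
    if u1 == u2:
        return jdouble(p1) if s1 == s2 else INF
    h = (u2 - u1) % p
    i = 4 * h * h % p
    j, r, v = h * i % p, 2 * (s2 - s1) % p, u1 * i % p
    x3 = (r * r - j - 2 * v) % p
    y3 = (r * (v - x3) - 2 * s1 * j) % p
    return (x3, y3, ((z1 + z2) ** 2 - z1z1 - z2z2) * h % p)

def mul(k, pt):
    """k*pt for affine pt, result affine (callers never use k == 0 mod n)."""
    acc, q = INF, (pt[0], pt[1], 1)
    while k:
        if k & 1:
            acc = jadd(acc, q)
        q, k = jdouble(q), k >> 1
    zi = pow(acc[2], p - 2, p)
    return (acc[0] * zi * zi % p, acc[1] * zi * zi * zi % p)

class DualEC:
    """SP 800-90A Dual_EC_DRBG block loop: s = x(s*P); r = x(s*Q); emit r with
    its top dropped_bits removed (16 for P-256, so 30 bytes per block).
    Additional input and the end-of-request state update are left out."""
    def __init__(self, s, Q, dropped_bits=16):
        self.s, self.Q, self.keep = s, Q, 256 - dropped_bits
    def block(self):
        self.s = mul(self.s, P_POINT)[0]
        r = mul(self.s, self.Q)[0]
        return (r & ((1 << self.keep) - 1)).to_bytes(self.keep // 8, "big")

def recover_state(block, next_block, e, Q, dropped_bits=16):
    """Attacker side: knowing e with e*Q == P, brute-force the dropped bits of
    x(s*Q), lift each candidate x to a point R, and use e*R = s*P, whose
    x-coordinate is the next state. next_block (a prefix of the following
    output) weeds out wrong candidates. Returns the state or None."""
    keep = 256 - dropped_bits
    low = int.from_bytes(block, "big")
    for hi in range(1 << dropped_bits):
        x = (hi << keep) | low
        if x >= p:
            break
        y2 = (x * x * x - 3 * x + b) % p
        y = pow(y2, (p + 1) // 4, p)  # sqrt, valid since p % 4 == 3
        if y * y % p != y2:
            continue  # no curve point has this x; about half are skipped
        s_next = mul(e, (x, y))[0]  # the sign of y does not change x(e*R)
        pred = mul(s_next, Q)[0] & ((1 << keep) - 1)
        if pred.to_bytes(keep // 8, "big")[:len(next_block)] == next_block:
            return s_next
    return None

def demo(dropped_bits=8):
    """Backdoored Q, three blocks, recovery from blocks 1-2, predict block 3.
    dropped_bits=8 keeps the search at 2^8 candidates so pure Python finishes
    in seconds; the real P-256 figure is 16 (2^16 candidates)."""
    # Illustration only: e and Q are made up here, not Juniper's or NIST's values.
    e = int.from_bytes(os.urandom(32), "big") % n or 1
    Q = mul(pow(e, -1, n), P_POINT)  # e*Q == P: the attacker's trapdoor
    gen = DualEC(int.from_bytes(os.urandom(32), "big") % n or 1, Q, dropped_bits)
    out = [gen.block() for _ in range(3)]
    state = recover_state(out[0], out[1], e, Q, dropped_bits)
    return state is not None and DualEC(state, Q, dropped_bits).block() == out[2]

if __name__ == "__main__":
    print("state recovered and block 3 predicted:", demo())
```

Run it with python3: demo() returns True when the state recovered from blocks 1 and 2 predicts block 3 exactly. Pass dropped_bits=16 for the real P-256 truncation; the search then covers up to 2^16 candidates, each costing two scalar multiplications, which is slow in pure Python but trivial for an attacker with native code.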