[Cryptography] Juniper & Dual_EC_DRBG
james hughes
hughejp at me.com
Tue Dec 22 17:36:49 EST 2015
> On Dec 22, 2015, at 8:05 AM, Henry Baker <hbaker1 at pipeline.com> wrote:
>
> 'The U.S. officials said they are certain U.S. spy agencies themselves aren't behind the back door'
>
> '... because of the sophistication involved' ;-)
>
> http://edition.cnn.com/2015/12/18/politics/juniper-networks-us-government-security-hack/index.html <http://edition.cnn.com/2015/12/18/politics/juniper-networks-us-government-security-hack/index.html>
The full quote is
>> The breach is believed to be the work of a foreign government, U.S. officials said, because of the sophistication involved. The U.S. officials said they are certain U.S. spy agencies themselves aren't behind the back door. China and Russia are among the top suspected governments, though officials cautioned the investigation hasn't reached conclusions.
Considering that there are many universities that teach information security similar to the level to accomplish these feats, I think that raising this to the level of state sponsored seems premature.
Compare this to Stuxnet,
https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
which is broadly assumed to be state sponsored, Juniper’s transgressions are child’s play. If this is state sponsored, it is not a particularly capable state. I would leave China and Russia out unless their goal was to embarrass Juniper and get their domestic customers to stop buying foreign products.
In addition to the default password, we seem to be also missing the discussion about their RSA keys.
https://eprint.iacr.org/2012/064.pdf
https://factorable.net/weakkeys12.extended.pdf
Not a good weak for Juniper’s security products.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20151222/a7e32e55/attachment.html>
More information about the cryptography
mailing list