[Cryptography] Juniper & Dual_EC_DRBG

Thor Lancelot Simon tls at rek.tjls.com
Tue Dec 22 19:09:38 EST 2015

On Tue, Dec 22, 2015 at 04:15:23PM +0000, Alfonso De Gregorio wrote:
> future output of the PRNG. And, guess what? ScreenOS was leaking out
> the raw output of Dual_EC PRNG, even if it was pretending to use those
> bytes to (re)seed an ANSI X9.31 generator -- which would have blinded
> the required 30 bytes.

I'm quite curious where they chose to leak the output -- the obvious place,
for this general kind of attack, is in the explicit IVs carried in every
IPsec ESP packet, for instance, but Dual_EC is too slow to use for IV
generation in this application.

One of the nonces in an early IKE message?
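
[Editor's added example; this is not code from the thread, from Juniper or from
ScreenOS.] The trapdoor the quoted paragraph relies on, shown end to end in a
simplified Dual_EC_DRBG over NIST P-256: the attacker knows e with P = e*Q, sees
one raw output block (x(s*Q) with its top bits dropped) plus the next block to
confirm the guess, lifts the leaked x-coordinate back to a point R, computes
e*R = s*P (the x-coordinate of which is the next state) and runs the generator
forward. The curve parameters are the real P-256 ones; the trapdoor value, the
seed, the DualEC class, the function names and the choice to drop 6 rather than
16 bits per block are all assumptions made for this demonstration.

```python
"""Dual_EC_DRBG state recovery from raw output when P = e*Q (simplified model, added example)."""

# NIST P-256 domain parameters (the curve Dual_EC_DRBG uses at this security level).
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = -3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P256_G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
          0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

# Demo shortcut (assumption, not the real parameter): the real generator drops the
# top 16 bits of each 32-byte x-coordinate, leaving the 30 bytes mentioned above.
# Dropping 6 keeps the brute force below fast in pure Python; the real search is
# 2**10 times larger, still trivial.
TRUNC_BITS = 6
OUT_BITS = 256 - TRUNC_BITS
OUT_MASK = (1 << OUT_BITS) - 1


def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P256_P == 0:
            return None
        lam = (3 * x1 * x1 + P256_A) * pow(2 * y1 % P256_P, -1, P256_P) % P256_P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P256_P, -1, P256_P) % P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    y3 = (lam * (x1 - x3) - y1) % P256_P
    return x3, y3


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (needs Python 3.8+ for pow(x, -1, p))."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """Return a curve point with this x-coordinate, or None if there is none."""
    if x >= P256_P:
        return None
    y2 = (x * x * x + P256_A * x + P256_B) % P256_P
    y = pow(y2, (P256_P + 1) // 4, P256_P)   # p = 3 mod 4, so this is a root if y2 is a square
    return (x, y) if y * y % P256_P == y2 else None


class DualEC:
    """Simplified model: per block, s <- x(s*P); r <- x(s*Q); emit r minus its top bits."""

    def __init__(self, seed, P, Q):
        self.s = seed % P256_N
        self.P = P
        self.Q = Q

    def next_block(self):
        self.s = ec_mul(self.s, self.P)[0]
        r = ec_mul(self.s, self.Q)[0]
        return r & OUT_MASK


def recover_and_predict(out_i, out_next, e, P, Q):
    """From two consecutive raw output blocks and the trapdoor e (P = e*Q), return
    the generator's state after out_next and the block it will emit after that."""
    for top in range(1 << TRUNC_BITS):
        R = lift_x((top << OUT_BITS) | out_i)     # candidate for s_i*Q (sign of y does not matter)
        if R is None:
            continue
        s_next = ec_mul(e, R)[0]                  # e*(s_i*Q) = s_i*P, whose x is s_{i+1}
        if ec_mul(s_next, Q)[0] & OUT_MASK != out_next:
            continue                              # wrong guess for the dropped bits
        clone = DualEC(s_next, P, Q)              # state confirmed: run it forward ourselves
        return s_next, clone.next_block()
    return None, None


def run_demo():
    """Constructed scenario: a generator whose Q was chosen with a known trapdoor e."""
    e = int.from_bytes(b"constructed trapdoor, not a real value", "big") % P256_N
    P = P256_G
    Q = ec_mul(pow(e, -1, P256_N), P)             # Q = e^-1 * P, so that P = e*Q
    seed = int.from_bytes(b"constructed seed, not a ScreenOS secret", "big") % P256_N
    victim = DualEC(seed, P, Q)
    leaked = [victim.next_block() for _ in range(2)]   # what an observer sees on the wire
    state_after_two = victim.s
    state, predicted = recover_and_predict(leaked[0], leaked[1], e, P, Q)
    actual = victim.next_block()                        # what the victim emits next
    return {"state_recovered": state == state_after_two,
            "predicted": predicted, "actual": actual}


if __name__ == "__main__":
    print(run_demo())
```

The search is cheap because lifting a candidate x costs one square root and
confirming it costs two scalar multiplications; those same multiplications are
why Dual_EC is far too slow to mint a fresh IV per ESP packet. The X9.31 point
in the quoted paragraph follows directly: had the 30 bytes only ever been fed
into a keyed block-cipher generator, out_i would never be visible to an observer,
there would be nothing to lift, and the trapdoor e would be useless.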

