[Cryptography] Juniper & Dual_EC_DRBG
Thor Lancelot Simon
tls at rek.tjls.com
Tue Dec 22 19:09:38 EST 2015
On Tue, Dec 22, 2015 at 04:15:23PM +0000, Alfonso De Gregorio wrote:
>
> future output of the PRNG. And, guess what? ScreenOS was leaking out
> the raw output of Dual_EC PRNG, even if it was pretending to use those
> bytes to (re)seed an ANSI X9.31 generator -- which would have blinded
> the required 30 bytes.
I'm quite curious where they chose to leak the output -- the obvious place,
for this general kind of attack, is in the explicit IVs carried in every
IPsec ESP packet, for instance, but Dual_EC is too slow to use for IV
generation in this application.
One of the nonces in an early IKE message?
Thor
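The two data flows the thread contrasts, modelled as an added example (this is not code from the post, from ScreenOS or from Juniper): upstream generator output either emitted raw, or used only to reseed an ANSI X9.31-style generator whose outputs are what the protocol actually sees. The upstream (Dual_EC) output is a constructed byte string here, and the X9.31 block cipher is replaced by an HMAC-SHA256-based stand-in for AES-128, an assumption made so the example runs with the standard library only; the 30-byte window comes from the figure quoted in the post.

```python
import hashlib
import hmac
import struct

BLOCK = 16  # X9.31 is defined over a 128-bit block cipher; 16 bytes per block


def block_prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 encryption of one block (assumption: HMAC-SHA256 truncated)."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class X931Generator:
    """ANSI X9.31 structure: I = E(DT), R = E(I ^ V), V' = E(R ^ I)."""

    def __init__(self, key: bytes, seed_v: bytes):
        self.key = key
        self.v = seed_v[:BLOCK]   # V is reseeded from the upstream generator's bytes
        self.counter = 0

    def next_block(self) -> bytes:
        # DT is a date/time vector in the standard; modelled here as a counter.
        dt = struct.pack(">QQ", 0, self.counter)
        self.counter += 1
        i = block_prf(self.key, dt)
        r = block_prf(self.key, xor(i, self.v))   # the only value that leaves the generator
        self.v = block_prf(self.key, xor(r, i))   # state update; V itself is never output
        return r

    def reseed(self, fresh_v: bytes) -> None:
        self.v = fresh_v[:BLOCK]

    def random_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += self.next_block()
        return out[:n]


# Constructed stand-in for raw Dual_EC output (no Dual_EC here; just 32 fixed bytes).
CONSTRUCTED_UPSTREAM_OUTPUT = bytes(range(1, 33))
CONSTRUCTED_KEY = b"x931-demo-key-16"  # constructed 16-byte key for the stand-in cipher


def leak_raw(upstream: bytes, n: int) -> bytes:
    """The flaw described in the thread: upstream generator bytes used directly as output."""
    return upstream[:n]


def blind_through_x931(upstream: bytes, key: bytes, n: int) -> bytes:
    """The intended path: upstream bytes only reseed X9.31; its R blocks are the output."""
    gen = X931Generator(key, upstream)
    return gen.random_bytes(n)


def reveals_upstream(output: bytes, upstream: bytes, window: int = 30) -> bool:
    """True if any `window` contiguous upstream bytes appear verbatim in `output`.

    30 is the amount the post says an attacker needs from the raw Dual_EC stream.
    """
    for start in range(0, len(upstream) - window + 1):
        if upstream[start:start + window] in output:
            return True
    return False


if __name__ == "__main__":
    raw = leak_raw(CONSTRUCTED_UPSTREAM_OUTPUT, 32)
    blinded = blind_through_x931(CONSTRUCTED_UPSTREAM_OUTPUT, CONSTRUCTED_KEY, 32)
    print("raw path exposes upstream bytes:    ", reveals_upstream(raw, CONSTRUCTED_UPSTREAM_OUTPUT))
    print("X9.31 path exposes upstream bytes:  ", reveals_upstream(blinded, CONSTRUCTED_UPSTREAM_OUTPUT))
```

The point of the model is the data flow, not the block function: in the X9.31 path the reseed material only ever enters the V register and is immediately mixed under the key, so the bytes a protocol places on the wire are R values, not the upstream generator's output. The raw path is exactly the shortcut the thread describes, where the wire carries the upstream bytes themselves.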