[Cryptography] Juniper & Dual_EC_DRBG

Thor Lancelot Simon tls at rek.tjls.com
Tue Dec 22 19:38:22 EST 2015

On Tue, Dec 22, 2015 at 07:09:38PM -0500, Thor Lancelot Simon wrote:
> On Tue, Dec 22, 2015 at 04:15:23PM +0000, Alfonso De Gregorio wrote:
> >
> > future output of the PRNG. And, guess what? ScreenOS was leaking out
> > the raw output of Dual_EC PRNG, even if it was pretending to use those
> > bytes to (re)seed a ANSI X9.31 generator -- which would have blinded
> > the required 30 bytes.
> I'm quite curious where they chose to leak the output -- the obvious place,
> for this general kind of attack, is in the explicit IVs carried in every
> IPsec ESP packet, for instance, but Dual_EC is too slow to use for IV
> generation in this application.
> One of the nonces in an early IKE message?

Adding to my puzzlement: I just checked my recollection, and indeed
the Juniper ScreenOS devices (e.g. SSG) use Cavium Nitrox crypto ASICs.

I am more familiar with SSL than IPsec microcode loads for Nitrox, but
I am 90% sure that just as is the case for SSL, Nitrox provides "macro"
operations that do entire messages of the IKE handshake, and it definitey
does ESP record processing one-shot.  Given the latencies involved in
accessing an accelerator of this kind, you'd be nuts to use the raw
crypto ops instead. 

Nitrox has an onboard noise source and X9.31 RNG and uses it in its
record and macro ops to fill in the random fields of messages.

So I am just not sure what would have been generated by the system RNG
nor how to leak it: the accellerator should be generating all the random
fields of all the messages and stamping them in for you, and certainly
it should be generating the actual session keys.

So what's being generated by the system RNG and how is it being leaked?


More information about the cryptography mailing list