[Cryptography] Juniper & Dual_EC_DRBG

Paul Wouters paul at cypherpunks.ca
Wed Dec 23 22:16:03 EST 2015

On Tue, 22 Dec 2015, Thor Lancelot Simon wrote:

> I'm quite curious where they chose to leak the output -- the obvious place,
> for this general kind of attack, is in the explicit IVs carried in every
> IPsec ESP packet, for instance, but Dual_EC is too slow to use for IV
> generation in this application.

Also the firmware changes do not seem to indicate such a large change?
The disabling of the 3DES round seems to suggest it leaks whenever
random is used for anything. But most items are protected within IKE.

> One of the nonces in an early IKE message?

So yes, that seems the biggest and most likely candidate.


More information about the cryptography mailing list