[Cryptography] Juniper & Dual_EC_DRBG
Paul Wouters
paul at cypherpunks.ca
Wed Dec 23 22:16:03 EST 2015
On Tue, 22 Dec 2015, Thor Lancelot Simon wrote:
> I'm quite curious where they chose to leak the output -- the obvious place,
> for this general kind of attack, is in the explicit IVs carried in every
> IPsec ESP packet, for instance, but Dual_EC is too slow to use for IV
> generation in this application.
Also the firmware changes do not seem to indicate such a large change?
The disabling of the 3DES round seems to suggest it leaks whenever
random is used for anything. But most items are protected within IKE.
> One of the nonces in an early IKE message?
So yes, that seems the biggest and most likely candidate.
Paul