[Cryptography] Juniper & Dual_EC_DRBG

Jacob Appelbaum jacob at appelbaum.net
Wed Dec 23 23:21:45 EST 2015


On 12/23/15, Thor Lancelot Simon <tls at rek.tjls.com> wrote:
> On Tue, Dec 22, 2015 at 07:09:38PM -0500, Thor Lancelot Simon wrote:
>> On Tue, Dec 22, 2015 at 04:15:23PM +0000, Alfonso De Gregorio wrote:
>> >
>> > future output of the PRNG. And, guess what? ScreenOS was leaking out
>> > the raw output of Dual_EC PRNG, even if it was pretending to use those
>> > bytes to (re)seed an ANSI X9.31 generator -- which would have blinded
>> > the required 30 bytes.
>>
>> I'm quite curious where they chose to leak the output -- the obvious
>> place, for this general kind of attack, is in the explicit IVs carried
>> in every IPsec ESP packet, for instance, but Dual_EC is too slow to use
>> for IV generation in this application.
>>
>> One of the nonces in an early IKE message?
>
> Adding to my puzzlement: I just checked my recollection, and indeed
> the Juniper ScreenOS devices (e.g. SSG) use Cavium Nitrox crypto ASICs.
>
> I am more familiar with SSL than IPsec microcode loads for Nitrox, but
> I am 90% sure that just as is the case for SSL, Nitrox provides "macro"
> operations that do entire messages of the IKE handshake, and it definitely
> does ESP record processing one-shot.  Given the latencies involved in
> accessing an accelerator of this kind, you'd be nuts to use the raw
> crypto ops instead.
>
> Nitrox has an onboard noise source and X9.31 RNG and uses it in its
> record and macro ops to fill in the random fields of messages.
>
> So I am just not sure what would have been generated by the system RNG
> nor how to leak it: the accelerator should be generating all the random
> fields of all the messages and stamping them in for you, and certainly
> it should be generating the actual session keys.
>
> So what's being generated by the system RNG and how is it being leaked?

I think you're on the right path here. It makes sense from what we've
published about their VPN decrypt capabilities. I think that anywhere
there is Cavium, we'll find a "SIGINT enabled" VPN.

Cavium is repeatedly mentioned in the archive and in documents.

All the best,
Jacob
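The failure Alfonso describes above, raw Dual_EC output reaching the wire instead of the X9.31 output it was only meant to seed, modelled as an added example in Go; this is not code from the list, from ScreenOS or from Juniper. The generator is a standard ANSI X9.31 AES construction; the 32-byte seed, the buggy buffer handling and the `exposesSeed` check are assumptions of the model, and no real Dual_EC point arithmetic is involved.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

func xor(a, b [16]byte) (o [16]byte) {
	for k := range o {
		o[k] = a[k] ^ b[k]
	}
	return
}

// One ANSI X9.31 step (AES variant): I = E_K(DT), R = E_K(I^V), V' = E_K(R^I).
func x931Step(key []byte, v, dt [16]byte) (r, vNext [16]byte) {
	c, _ := aes.NewCipher(key) // key is always 16 bytes here
	c.Encrypt(dt[:], dt[:])    // dt is a local copy; it now holds I
	t := xor(dt, v)
	c.Encrypt(r[:], t[:])
	t = xor(r, dt)
	c.Encrypt(vNext[:], t[:])
	return
}

// Intended path: seed bytes (stand-in for raw Dual_EC output) only become K and V; caller gets R.
func intendedFill(seed [32]byte, dt [16]byte) []byte {
	r, _ := x931Step(seed[:16], *(*[16]byte)(seed[16:]), dt)
	return r[:]
}

// Buggy path (the failure described on the list): X9.31 runs, but the raw seed is handed back.
func buggyFill(seed [32]byte, dt [16]byte) []byte {
	out := make([]byte, 32)
	copy(out, seed[:])
	_ = intendedFill(seed, dt) // generator output never reaches out
	return out
}

// Defender's check: does a protocol nonce carry the seed material verbatim?
func exposesSeed(nonce []byte, seed [32]byte) bool {
	return bytes.Contains(nonce, seed[:]) || bytes.Contains(seed[:], nonce)
}

func main() {
	seed := [32]byte{'r', 'a', 'w', ' ', 'd', 'u', 'a', 'l', '_', 'e', 'c'} // constructed stand-in
	var dt [16]byte // date/time block, zero for a reproducible run
	fmt.Println("buggy:", exposesSeed(buggyFill(seed, dt), seed), "intended:", exposesSeed(intendedFill(seed, dt), seed))
}
```

The same check applied to a real device would compare captured IKE nonces against what the generator was seeded with, which is exactly the observation the thread is asking where to make.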
