[Cryptography] Juniper & Dual_EC_DRBG

Thor Lancelot Simon tls at rek.tjls.com
Thu Dec 24 20:39:54 EST 2015


On Thu, Dec 24, 2015 at 04:21:45AM +0000, Jacob Appelbaum wrote:
> On 12/23/15, Thor Lancelot Simon <tls at rek.tjls.com> wrote:
>
> > So I am just not sure what would have been generated by the system RNG
> > nor how to leak it: the accelerator should be generating all the random
> > fields of all the messages and stamping them in for you, and certainly
> > it should be generating the actual session keys.
> >
> > So what's being generated by the system RNG and how is it being leaked?
> 
> I think you're on the right path here. It makes sense from what we've
> published about their VPN decrypt capabilities. I think that anywhere
> there is Cavium, we'll find a "SIGINT enabled" VPN.

I think you're on the wrong path here: why would anyone bother to
subvert the system RNG if the crypto accelerator were already subverted?

What I'm asking is *how subverting the system RNG* led to loss of
confidentiality for VPN sessions, *given that the system appears to
use an accelerator which has its own RNG and stamps that RNG's output
into packets*.

Thor

