[Cryptography] Juniper & Dual_EC_DRBG

[Watson Ladd]

On Thu, Dec 24, 2015 at 8:39 PM, Thor Lancelot Simon <tls at rek.tjls.com> wrote:
> On Thu, Dec 24, 2015 at 04:21:45AM +0000, Jacob Appelbaum wrote:
>> On 12/23/15, Thor Lancelot Simon <tls at rek.tjls.com> wrote:
>>
>> > So I am just not sure what would have been generated by the system RNG
>> > nor how to leak it: the accellerator should be generating all the random
>> > fields of all the messages and stamping them in for you, and certainly
>> > it should be generating the actual session keys.
>> >
>> > So what's being generated by the system RNG and how is it being leaked?
>>
>> I think you're on the right path here. It makes sense from what we've
>> published about their VPN decrypt capabilities. I think that anywhere
>> there is Cavium, we'll find a "SIGINT enabled" VPN.
>
> I think you're on the wrong path here: why would anyone bother to
> subvert the system RNG if the crypto accellerator were already subverted?

Breaking an accelerator chip (still unnamed: would be great to know
what we had to reverse) gives you access to all products using that
chip. Break an OS gives you everything running that OS, including
pure-software lower end entries, and devices that change vendor.
There's plenty of reason to do both.

>
> What I'm asking is *how subverting the system RNG* led to loss of
> confidentiality for VPN sessions, *given that the system appears to
> use an accelerator which has its own RNG and stamps that RNG's output
> into packets*.

I'm working on this, but the IKE negotiations and packet forming are
not done by the accelerator but the CPU. That's enough to recover the
keys. Furthermore, there are many systems involved, some very low end.

>
> Thor
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.