[Cryptography] Juniper & Dual_EC_DRBG

Emilien Gaspar gapz at dud-t.org
Fri Dec 25 08:31:05 EST 2015


On Thu, Dec 24, 2015 at 08:39:54PM -0500, Thor Lancelot Simon wrote :
> On Thu, Dec 24, 2015 at 04:21:45AM +0000, Jacob Appelbaum wrote:
> > On 12/23/15, Thor Lancelot Simon <tls at rek.tjls.com> wrote:
> >
> > > So I am just not sure what would have been generated by the system RNG
> > > nor how to leak it: the accelerator should be generating all the random
> > > fields of all the messages and stamping them in for you, and certainly
> > > it should be generating the actual session keys.
> > >
> > > So what's being generated by the system RNG and how is it being leaked?
> > 
> > I think you're on the right path here. It makes sense from what we've
> > published about their VPN decrypt capabilities. I think that anywhere
> > there is Cavium, we'll find a "SIGINT enabled" VPN.
> 
> I think you're on the wrong path here: why would anyone bother to
> subvert the system RNG if the crypto accelerator were already subverted?
> 
> What I'm asking is *how subverting the system RNG* led to loss of
> confidentiality for VPN sessions, *given that the system appears to

The first thing to check is if it actually uses it. If nonces & keys are
generated by the system PRNG (Dual_EC) then we only have to understand
the cost of the attack (and we still need IKE packets, as Watson Ladd
requested). Want to do some reverse on that? :-)

eg.

> use an accelerator which has its own RNG and stamps that RNG's output
> into packets*.
