Questions Linger as Juniper Removes Backdoored Dual_EC RNG

Author: Michael Mimoso, Threatpost
January 11, 2016 4:48 pm

Juniper Networks has removed the backdoored Dual_EC DRBG algorithm from its ScreenOS operating system, but new developments show Juniper deployed Dual_EC long after it was known to be backdoored.

Juniper Networks announced late Friday it was removing the suspicious Dual_EC_DRBG random number generator from its ScreenOS operating system.
And while that is being heralded as a positive move given Dual_EC’s dubious origins, important questions remain unanswered: why Juniper included what is widely considered a backdoored random number generator in its NetScreen VPN appliances in the first place, and why a number of strange coding and engineering decisions were made that could have facilitated the decryption of supposedly secure traffic.

The networking giant said it would remove not only Dual_EC but also the ANSI X9.31 algorithm from ScreenOS, starting with a release due sometime in the first half of this year. The announcement comes just shy of a month after Juniper said it had found unauthorized code in ScreenOS that allowed for the decryption of NetScreen VPN traffic, along with a second issue that allowed remote unauthorized access to NetScreen appliances via SSH or telnet.

Juniper said it brought in third-party help to investigate its code and determined that no other “unauthorized code” exists in either ScreenOS or Junos OS. “The process examined Junos OS source code in ‘hot spots’ where one may expect to find code similar to the code found in ScreenOS,” Juniper said in its advisory on Friday. “The hot spots include VPN code, encryption code, and authentication code. We also inspected our build environments for any evidence of tampering or unauthorized access.”

In the meantime, at last week’s Real World Crypto conference at Stanford University, a team of cryptographers presented a number of revelations, including that Juniper’s use of Dual_EC dates to 2009, perhaps 2008, at least a year after Dan Shumow and Niels Ferguson’s landmark 2007 CRYPTO rump-session presentation that first cast suspicion on Dual_EC as an NSA backdoor. Shumow and Ferguson showed that Dual_EC was not only far slower than other pseudorandom number generators and already known to carry a statistical bias in its output, but that its design admitted a trapdoor.
The trapdoor works like this: each Dual_EC output block is the x-coordinate of the curve point s*Q, and the next internal state is the x-coordinate of s*P, where P and Q are fixed constants. Whoever knows the relationship between the two constants (a number d with P = d*Q) can take a single block of output, brute-force the 16 bits the generator truncates, recover the internal state, and predict every subsequent output. About 32 bytes of raw output suffice: 30 bytes for one full block and a couple more to confirm the right guess.

Stephen Checkoway, assistant professor of computer science at the University of Illinois at Chicago, told Threatpost that he and his colleagues on this investigation examined dozens of versions of ScreenOS and learned that ANSI X9.31 was used exclusively until ScreenOS 6.2, when Juniper added Dual_EC. In the same release, Juniper also increased the size of the nonce that NetScreen generates from its PRNG and sends during the IKE handshake from 20 bytes to 32 bytes, exactly the amount of raw Dual_EC output an attacker needs to recover the generator’s state.

“And at the same time, Juniper introduced what was just a bizarre bug that caused the ANSI generator to never be used and instead just use the output of Dual_EC. They made all of these changes in the same version update.”

Checkoway said the bug, which was discovered by researcher Willem Pinckaers, broke the way the code had worked in ScreenOS 6.1 and earlier: Dual_EC output was supposed to be fed through the ANSI X9.31 generator, which would have hidden the raw Dual_EC output from the network, but because of the bug the X9.31 step was never executed. “It’s very bizarre. I’ve never seen anything like that before where [they’ve] gone from something that was working and written in a standard manner to something as strange as this,” he said.

That bug, on top of the presence of Dual_EC itself, is what enabled another attacker to replace the Dual_EC Q constant, the one thought to belong to the NSA, with a constant of their own. “The very presence of Dual_EC enabled a third party to simply change a constant and make it so they were able to decrypt VPN traffic,” Checkoway said, adding that Juniper’s patch reverted the constant from the attacker-supplied value back to a Juniper-supplied one. “I take it that Juniper thought the previous code there was intended functionality.”

While Juniper’s decision to use Dual_EC enabled this second attack, Checkoway said there was no justifiable security or engineering reason to have used it in the first place.
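To make the two points above concrete (why knowing the P/Q relationship turns one output block into full state recovery, and why swapping Q is all a second attacker needs), here is an added example, not code from Juniper, from the ScreenOS firmware, or from the researchers. It runs a textbook Dual_EC_DRBG on NIST P-256 where the party that chose Q knows the trapdoor, then recovers the generator’s state from one output block plus two bytes of the next. Assumptions made for the example: the curve parameter b is derived from the base point instead of typed in; the standard drops 16 bits per block (30-byte blocks, so a 32-byte leak), while this demo drops 8 so that the brute force is 256 candidates and finishes in pure Python (31-byte blocks, a 33-byte leak); E_SECRET and the seed 0xC0FFEE are arbitrary constants chosen here.

```python
# Added example, not Juniper's code or the SP 800-90A reference: Dual_EC_DRBG on
# NIST P-256 whose Q was chosen with a trapdoor, plus the state-recovery attack.

# NIST P-256 (a = -3).  b is derived from the base point G rather than typed in.
P_MOD = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P_MOD - 3
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
B = (GY * GY - GX * GX * GX - A * GX) % P_MOD
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551  # order of G
G = (GX, GY)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + A x + B; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)         # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


# Dual_EC constants.  P is the base point, as in the standard.  Q is supposed to be
# independent of P; here whoever picked it knows e with Q = e*P, and therefore
# d = e^-1 mod N with d*Q = P.  Knowing d is the backdoor.  E_SECRET is arbitrary.
P_PT = G
E_SECRET = 0x7A1C3E5D9B2F4680135790BDF2468ACE13579BDF02468ACE1357924680BDF135
Q_PT = ec_mul(E_SECRET, G)
D_TRAPDOOR = pow(E_SECRET, -1, N)

# The standard drops the top 16 bits of each 256-bit x-coordinate (30 output bytes
# per block).  Dropping 8 here keeps the brute force at 256 candidates.
TRUNC_BITS = 8
BLOCK_BYTES = (256 - TRUNC_BITS) // 8
OUT_MASK = (1 << (256 - TRUNC_BITS)) - 1


def dual_ec_generate(s, nblocks):
    """Dual_EC core loop: emit x(s*Q) minus its top bits, then set s = x(s*P).
    The standard advances s before emitting; seeding this with x(seed*P), as
    demo() does, yields the identical output sequence."""
    out = []
    for _ in range(nblocks):
        r = ec_mul(s, Q_PT)[0]
        out.append((r & OUT_MASK).to_bytes(BLOCK_BYTES, "big"))
        s = ec_mul(s, P_PT)[0]
    return s, b"".join(out)


def mod_sqrt(z):
    """Square root mod P_MOD (which is 3 mod 4); None if z is a non-residue."""
    y = pow(z, (P_MOD + 1) // 4, P_MOD)
    return y if (y * y - z) % P_MOD == 0 else None


def recover_state(leak):
    """Attacker holding d sees one output block plus a few bytes of the next.
    Each guess of the dropped bits gives a candidate point R = s*Q, and
    x(d*R) = x(s*P) is the next internal state; the extra bytes confirm it."""
    block1 = int.from_bytes(leak[:BLOCK_BYTES], "big")
    check = leak[BLOCK_BYTES:]
    found = []
    for hi in range(1 << TRUNC_BITS):
        x = (hi << (256 - TRUNC_BITS)) | block1
        if x >= P_MOD:
            continue
        y = mod_sqrt((x * x * x + A * x + B) % P_MOD)
        if y is None:
            continue  # no curve point has this x-coordinate
        s_next = ec_mul(D_TRAPDOOR, (x, y))[0]  # same x for (x, -y), so sign is irrelevant
        r_next = ec_mul(s_next, Q_PT)[0]
        if (r_next & OUT_MASK).to_bytes(BLOCK_BYTES, "big").startswith(check):
            found.append(s_next)
    return found


def demo(seed=0xC0FFEE, nblocks=4, extra_bytes=2):
    """Generate output, leak one block plus extra_bytes (32 bytes total in the
    real DRBG), recover the state and predict everything after the leak."""
    _, stream = dual_ec_generate(ec_mul(seed, P_PT)[0], nblocks)
    leak = stream[: BLOCK_BYTES + extra_bytes]
    recovered = recover_state(leak)
    rest = stream[BLOCK_BYTES:]
    return {
        "trapdoor_ok": ec_mul(D_TRAPDOOR, Q_PT) == P_PT,
        "leak_bytes": len(leak),
        "candidates": len(recovered),
        "rest_predicted": any(dual_ec_generate(c, nblocks - 1)[1] == rest for c in recovered),
    }
```

Running `demo()` returns a dictionary whose `rest_predicted` entry is `True`: from 33 leaked bytes the attacker reproduces every later block. Nothing in the generator, or in the traffic, distinguishes this Q from an honestly chosen one, which is why a party who can change the constant in the firmware can hand themselves the trapdoor, and why Juniper’s patch, which only swapped the constant back, closes that door without answering the question of who held the key to the original Q.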
“Basically, whoever changed the code needed to change just a small portion of Juniper code, a tiny fraction of their code. Whereas had Juniper not used Dual_EC, they would have had to do something much bigger,” Checkoway said. “Juniper’s use of this bad random number generator really enabled the subsequent attack.”

Juniper, in the meantime, quickly patched the two vulnerabilities by removing the so-called “unauthorized code”; Juniper representative Danielle Hamel declined to comment further and pointed Threatpost to the company’s blog posts explaining the situation.

The scenario harks back to the documents leaked by NSA whistleblower Edward Snowden, in particular the NSA’s BULLRUN program, which covers the agency’s subversion of cryptographic standards including Dual_EC, and the subsequent report that RSA Security was allegedly paid $10 million by the NSA to make the algorithm the default in its products.

“One of the interesting things about using Dual_EC as a backdoor mechanism versus the unauthorized access SSH backdoor, is that with Dual_EC, it’s just a series of what looks like mistakes or bad engineering choices that coincidentally leads to their software being vulnerable,” Checkoway said. “There are so many coincidences: the introduction of Dual_EC, the bug, the change in the nonce from 20 bytes to 32, which is really the ideal size for running this attack.”