research-article

Public Access

A Systematic Analysis of the Juniper Dual EC Incident

Authors:

Stephen Checkoway,

Jacob Maskiewicz,

Christina Garman,

Shaanan Cohney,

Nadia Heninger,

Ralf-Philipp Weinmann,

Eric Rescorla, and

Hovav ShachamAuthors Info & Claims

CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

October 2016

Pages 468 - 479

https://doi.org/10.1145/2976749.2978395

Published: 24 October 2016 Publication History

Abstract

In December 2015, Juniper Networks announced multiple security vulnerabilities stemming from unauthorized code in ScreenOS, the operating system for their NetScreen VPN routers. The more sophisticated of these vulnerabilities was a passive VPN decryption capability, enabled by a change to one of the elliptic curve points used by the Dual EC pseudorandom number generator. In this paper, we describe the results of a full independent analysis of the ScreenOS randomness and VPN key establishment protocol subsystems, which we carried out in response to this incident. While Dual EC is known to be insecure against an attacker who can choose the elliptic curve parameters, Juniper had claimed in 2013 that ScreenOS included countermeasures against this type of attack. We find that, contrary to Juniper's public statements, the ScreenOS VPN implementation has been vulnerable since 2008 to passive exploitation by an attacker who selects the Dual EC curve point. This vulnerability arises due to apparent flaws in Juniper's countermeasures as well as a cluster of changes that were all introduced concurrently with the inclusion of Dual EC in a single 2008 release. We demonstrate the vulnerability on a real NetScreen device by modifying the firmware to install our own parameters, and we show that it is possible to passively decrypt an individual VPN session in isolation without observing any other network traffic. We investigate the possibility of passively fingerprinting ScreenOS implementations in the wild. This incident is an important example of how guidelines for random number generation, engineering, and validation can fail in practice.

References

[1]

Accredited Standards Committee (ASC) X9, Financial Services. ANS X9.31--1998: Digital signatures using reversible algorithms for the financial services industry (rDSA), 1998. Withdrawn.

[2]

Accredited Standards Committee (ASC) X9, Financial Services. ANS X9.82--3--2007: Random number generation, part 3: Deterministic random bit generators, 2007.

[3]

D. Adrian, K. Bhargavan, Z. Durumeric, P. Gaudry, M. Green, J. A. Halderman, N. Heninger, D. Springall, E. Thomé, L. Valenta, B. VanderSloot, E. Wustrow, S. Zanella-Béguelin, and P. Zimmermann. Imperfect forward secrecy: How Diffie-Hellman fails in practice. In C. Kruegel and N. Li, editors, Proceedings of CCS 2015, pages 5--17. ACM Press, Oct. 2015.

Digital Library

[4]

E. Barker and J. Kelsey. NIST Special Publication 800--90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators. Technical report, National Institute of Standards and Technology, 2006.

Digital Library

[5]

E. Barker and J. Kelsey. NIST Special Publication 800--90A Revision 1: Recommendation for Random Number Generation Using Deterministic Random Bit Generators. Technical report, National Institute of Standards and Technology, June 2015.

Digital Library

[6]

M. Bellare, Z. Brakerski, M. Naor, T. Ristenpart, G. Segev, H. Shacham, and S. Yilek. Hedged public-key encryption: How to protect against bad randomness. In M. Matsui, editor, Proceedings of Asiacrypt 2009, volume 5912 of LNCS, pages 232--49. Springer-Verlag, Dec. 2009.

Digital Library

[7]

M. Bellare, K. G. Paterson, and P. Rogaway. Security of symmetric encryption against mass surveillance. In J. Garay and R. Gennaro, editors, Proceedings of Crypto 2014, Part I, volume 8616 of LNCS, pages 1--19. Springer-Verlag, Aug. 2014.

[8]

D. J. Bernstein, Y.-A. Chang, C.-M. Cheng, L.-P. Chou, N. Heninger, T. Lange, and N. Someren. Factoring RSA Keys from Certified Smart Cards: Coppersmith in the Wild. In K. Sako and P. Sarkar, editors, Proceedings of Asiacrypt 2013, volume 8270 of LNCS, pages 341--60. Springer-Verlag, Dec. 2013.

[9]

S. Checkoway, M. Fredrikson, R. Niederhagen, A. Everspaugh, M. Green, T. Lange, T. Ristenpart, D. J. Bernstein, J. Maskiewicz, and H. Shacham. On the practical exploitability of Dual EC in TLS implementations. In K. Fu, editor, Proceedings of USENIX Security 2014, pages 319--35. USENIX, Aug. 2014.

Digital Library

[10]

J. R. Clapper. Worldwide threat assessment of the U.S. intelligence community. Statement for the record, Senate Armed Services Committee. Online: http://www.armed-services.senate.gov/imo/media/doc/Clapper_02-09--16.pdf, Feb. 2016.

[11]

Y. Dodis, D. Pointcheval, S. Ruhault, D. Vergnaud, and D. Wichs. Security analysis of pseudo-random number generators with input: /dev/random is not robust. In V. Gligor and M. Yung, editors, Proceedings of CCS 2013, pages 647--58. ACM Press, Nov. 2013.

Digital Library

[12]

Y. Dodis, A. Shamir, N. Stephens-Davidowitz, and D. Wichs. How to eat your entropy and have it too--optimal recovery strategies for compromised RNGs. In J. Garay and R. Gennaro, editors, Proceedings of Crypto 2014, Part II, volume 8617 of LNCS, pages 37--54. Springer-Verlag, Aug. 2014.

[13]

Y. Dodis, C. Ganesh, A. Golovnev, A. Juels, and T. Ristenpart. A formal treatment of backdoored pseudorandom generators. In M. Fischlin and E. Oswald, editors, Proceedings of EUROCRYPT 2015, pages 101--126. Springer, Apr. 2015.

[14]

L. Dorrendorf, Z. Gutterman, and B. Pinkas. Cryptanalysis of the random number generator of the Windows operating system. phACM Trans. Info. & System Security, 13 (1): 10, 2009.

Digital Library

[15]

Z. Durumeric, E. Wustrow, and J. A. Halderman. ZMap: Fast Internet-wide scanning and its security applications. In S. King, editor, Proceedings of USENIX Security 2013, pages 605--619. USENIX, Aug. 2013.

Digital Library

[16]

Z. Durumeric, D. Adrian, A. Mirian, M. Bailey, and J. A. Halderman. A search engine backed by Internet-wide scanning. In C. Kruegel and N. Li, editors, Proceedings of CCS 2015, pages 542--53. ACM Press, Oct. 2015.

Digital Library

[17]

A. Everspaugh, Y. Zhai, R. Jellinek, T. Ristenpart, and M. Swift. Not-so-random numbers in virtualized Linux and the Whirlwind RNG. In M. Backes, A. Perrig, and H. Wang, editors, Proceedings of Security and Privacy ("Oakland") 2014, pages 559--74. IEEE Computer Society, May 2014.

Digital Library

[18]

K. Gjøsteen. Comments on Dual-EC-DRBG/NIST SP 800--90, draft December 2005. Online: https://www.math.ntnu.no/kristiag/drafts/dual-ec-drbg-comments.pdf, Mar. 2006.

[19]

I. Goldberg and D. Wagner. Randomness and the Netscape browser. Dr. Dobb's Journal, 21 (1): 66--70, Jan. 1996.

[20]

Z. Gutterman, B. Pinkas, and T. Reinman. Analysis of the Linux random number generator. In V. Paxson and B. Pfitzmann, editors, Proceedings of Security and Privacy ("Oakland") 2006, pages 371--85. IEEE Computer Society, May 2006.

Digital Library

[21]

D. Harkins and D. Carrel. The Internet Key Exchange (IKE). RFC 2409 (Proposed Standard), Nov. 1998. Obsoleted by RFC 4306, updated by RFC 4109. Online: https://tools.ietf.org/html/rfc2409.

Digital Library

[22]

N. Heninger, Z. Durumeric, E. Wustrow, and J. A. Halderman. Mining your Ps and Qs: Detection of widespread weak keys in network devices. In T. Kohno, editor, Proceedings of USENIX Security 2012. USENIX, Aug. 2012.

Digital Library

[23]

Juniper Networks. 2015--12 Out of Cycle Security Bulletin: ScreenOS: Multiple Security issues with ScreenOS (CVE-2015--7755, CVE-2015--7756), Dec. 15. URL https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST.

[24]

Juniper Networks. Concepts & Examples ScreenOS Reference Guide: Virtual Private Networks, rev. 02 edition, Dec. 2012. URL http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_VPN.pdf.

[25]

Juniper Networks. Juniper Networks product information about Dual_EC_DRBG. Knowledge Base Article KB28205, Oct. 2013. Online: https://web.archive.org/web/20151219210530/https://kb.juniper.net/InfoCenter/index?page=content&id=KB28205&pmv=print&actp=LIST.

[26]

C. Kaufman. Internet Key Exchange (IKEv2) Protocol. RFC 4306 (Proposed Standard), Dec. 2005. Obsoleted by RFC 5996, updated by RFC 5282. Online: https://tools.ietf.org/html/rfc4306.

[27]

J. Kelsey. Dual EC in X9.82 and SP 800--90A. Presentation to NIST VCAT committee, May 2014. Slides online http://csrc.nist.gov/groups/ST/crypto-review/documents/dualec_in_X982_and_sp800--90.pdf.

[28]

J. Kelsey, B. Schneier, D. Wagner, and C. Hall. Cryptanalytic attacks on pseudorandom number generators. In S. Vaudenay, editor, Proceedings of FSE 1998, volume 1372 of LNCS, pages 168--88. Springer-Verlag, Mar. 1998.

Digital Library

[29]

S. Kent. IP Encapsulating Security Payload (ESP). RFC 4303 (Proposed Standard), Nov. 2005. Online: https://tools.ietf.org/html/rfc4303.

[30]

S. Kent and K. Seo. Security architecture for the Internet Protocol. RFC 4301 (Proposed Standard), Dec. 2005. Online: https://tools.ietf.org/html/rfc4301.

[31]

S. H. Kim, D. Han, and D. H. Lee. Predictability of Android OpenSSL's pseudo random number generator. In V. Gligor and M. Yung, editors, Proceedings of CCS 2013, pages 659--68. ACM Press, Nov. 2013.

Digital Library

[32]

P. Lacharme, A. Röck, V. Strubel, and M. Videau. The Linux pseudorandom number generator revisited. Cryptology ePrint Archive, Report 2012/251, 2012. https://eprint.iacr.org/.

[33]

H. D. Moore. CVE-2015--7755: Juniper ScreenOS Authentication Backdoor. https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015--7755-juniper-screenos-authentication-backdoor, Dec. 2015.

[34]

National Institute of Standards and Technology. NIST opens draft Special Publication 800--90A, recommendation for random number generation using deterministic random bit generators for review and comment. http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supplemental.pdf, Sept. 2013.

[35]

National Institute of Standards and Technology. CMVP historical validation list, Feb. 2016. URL http://csrc.nist.gov/groups/STM/cmvp/documents/140--1/140val-historical.htm. Retrieved February 18, 2016.

[36]

Office of Personnel Management. Juniper network firewall maintenance renewal. FedBizOps.gov solicitation number M-13-00031. Online: https://www.fbo.gov/index?id=b3246ffee0a3e9c0ced948b3a8ebca7b, Sept. 2013.

[37]

N. Perlroth, J. Larson, and S. Shane. N.S.A. able to foil basic safeguards of privacy on Web. The New York Times, Sep. 5 2013. Online: http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html.

[38]

T. Ristenpart and S. Yilek. When good randomness goes bad: Virtual machine reset vulnerabilities and hedging deployed cryptography. In W. Lee, editor, Proceedings of NDSS 2010. Internet Society, Feb. 2010.

[39]

B. Schoenmakers and A. Sidorenko. Cryptanalysis of the Dual Elliptic Curve pseudorandom generator. Cryptology ePrint Archive, Report 2006/190, 2006. URL https://eprint.iacr.org/.

[40]

D. Shumow and N. Ferguson. On the possibility of a back door in the NIST SP800--90 Dual Ec Prng. Presented at the Crypto 2007 rump session, Aug. 2007. Slides online: http://rump2007.cr.yp.to/15-shumow.pdf.

[41]

M. Stevens. Counter-cryptanalysis. In C. Ran and J. A. Garay, editors, Proceedings of Crypto 2013, Part I, volume 8042 of LNCS, pages 129--46. Springer-Verlag, Aug. 2013.

[42]

strongSwan. strongSwan: the opensource IPsec-based VPN solution, Nov. 2015. URL https://www.strongswan.org/.

[43]

R.-P. Weinmann. Some analysis of the backdoored backdoor. Online: https://rpw.sh/blog/2015/12/21/the-backdoored-backdoor/, Dec. 2015.

[44]

B. Worrall. Advancing the security of Juniper products. Online: http://forums.juniper.net/t5/Security-Incident-Response/Advancing-the-Security-of-Juniper-Products/ba-p/286383, Jan. 2016.

[45]

S. Yilek, E. Rescorla, H. Shacham, B. Enright, and S. Savage. When private keys are public: Results from the 2008 Debian OpenSSL vulnerability. In A. Feldmann and L. Mathy, editors, Proceedings of IMC 2009, pages 15--27. ACM Press, Nov. 2009.

Digital Library

[46]

T. Ylonen and C. Lonvick. The Secure Shell (SSH) Protocol Architecture. RFC 4251 (Proposed Standard), Jan. 2006. Online: https://tools.ietf.org/html/rfc4251.

[47]

A. Young and M. Yung. Kleptography: Using cryptography against cryptography. In W. Fumy, editor, Proceedings of Eurocrypt 1997, volume 1233 of LNCS, pages 62--74. Springer-Verlag, May 1997.

Digital Library

Cited By

Davis HGreen MHeninger NRyan KSuhl A(2024)On the Possibility of a Backdoor in the Micali-Schnorr GeneratorPublic-Key Cryptography – PKC 202410.1007/978-3-031-57718-5_12(352-386)Online publication date: 15-Apr-2024
https://dl.acm.org/doi/10.1007/978-3-031-57718-5_12
Foreman CWright SEdgington ABerta MCurchod F(2023)Practical randomness amplification and privatisation with implementations on quantum computersQuantum10.22331/q-2023-03-30-9697(969)Online publication date: 30-Mar-2023
https://doi.org/10.22331/q-2023-03-30-969
Singla TAnandayuvaraj DKalu KSchorlemmer TDavis JTorres-Arias SMelara MSimon LVasilakis NMoriarty K(2023)An Empirical Study on Using Large Language Models to Analyze Software Supply Chain Security FailuresProceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses10.1145/3605770.3625214(5-15)Online publication date: 30-Nov-2023
https://dl.acm.org/doi/10.1145/3605770.3625214
Show More Cited By

Index Terms

A Systematic Analysis of the Juniper Dual EC Incident
1. Security and privacy
2. Social and professional topics
  1. Computing / technology policy
    1. Surveillance
      1. Governmental surveillance

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

October 2016

1924 pages

ISBN:9781450341394

DOI:10.1145/2976749

General Chairs:
Edgar Weippl
SBA Research, Austria
,
Stefan Katzenbeisser
TU Darmstadt, CYSEC, Germany
,
Program Chairs:
Christopher Kruegel
University of California, Santa Barbara, USA
,
Andrew Myers
Cornell University, USA
,
Shai Halevi
IBM Research, USA

Copyright © 2016 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 24 October 2016

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Conference

CCS'16

Sponsor:

SIGSAC

CCS'16: 2016 ACM SIGSAC Conference on Computer and Communications Security

October 24 - 28, 2016

Vienna, Austria

Acceptance Rates

CCS '16 Paper Acceptance Rate 137 of 831 submissions, 16%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '24

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

49
Total Citations
View Citations
2,052
Total Downloads

Downloads (Last 12 months)297
Downloads (Last 6 weeks)29

Other Metrics

View Author Metrics

Citations

Cited By

Davis HGreen MHeninger NRyan KSuhl A(2024)On the Possibility of a Backdoor in the Micali-Schnorr GeneratorPublic-Key Cryptography – PKC 202410.1007/978-3-031-57718-5_12(352-386)Online publication date: 15-Apr-2024
https://dl.acm.org/doi/10.1007/978-3-031-57718-5_12
Foreman CWright SEdgington ABerta MCurchod F(2023)Practical randomness amplification and privatisation with implementations on quantum computersQuantum10.22331/q-2023-03-30-9697(969)Online publication date: 30-Mar-2023
https://doi.org/10.22331/q-2023-03-30-969
Singla TAnandayuvaraj DKalu KSchorlemmer TDavis JTorres-Arias SMelara MSimon LVasilakis NMoriarty K(2023)An Empirical Study on Using Large Language Models to Analyze Software Supply Chain Security FailuresProceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses10.1145/3605770.3625214(5-15)Online publication date: 30-Nov-2023
https://dl.acm.org/doi/10.1145/3605770.3625214
Khoury RBolduc JLafrenière-Nickopoulos JOdedele A(2023)Analysis of Cryptographic CVEs: Lessons Learned and PerspectivesFoundations and Practice of Security10.1007/978-3-031-57537-2_13(208-218)Online publication date: 11-Dec-2023
https://dl.acm.org/doi/10.1007/978-3-031-57537-2_13
Ball MDodis YGoldin E(2023)Immunizing Backdoored PRGsTheory of Cryptography10.1007/978-3-031-48621-0_6(153-182)Online publication date: 27-Nov-2023
https://doi.org/10.1007/978-3-031-48621-0_6
Bemmann PBerndt SDiemert DEisenbarth TJager T(2023)Subversion-Resilient Authenticated Encryption Without Random OraclesApplied Cryptography and Network Security10.1007/978-3-031-33491-7_17(460-483)Online publication date: 19-Jun-2023
https://dl.acm.org/doi/10.1007/978-3-031-33491-7_17
Barr-Smith FBlazytko TBaker RMartinovic ITorres-Arias SMelara MSimon L(2022)ExorcistProceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses10.1145/3560835.3564550(51-61)Online publication date: 11-Nov-2022
https://dl.acm.org/doi/10.1145/3560835.3564550
Rahaman SCai HChowdhury OYao D(2022)From Theory to Code: Identifying Logical Flaws in Cryptographic Implementations in C/C++IEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2021.310803119:6(3790-3803)Online publication date: 1-Nov-2022
https://doi.org/10.1109/TDSC.2021.3108031
Sedlacek VSuchanek VDufka ASys MMatyas V(2022)DiSSECT: Distinguisher of Standard and Simulated Elliptic Curves via TraitsProgress in Cryptology - AFRICACRYPT 202210.1007/978-3-031-17433-9_21(493-517)Online publication date: 6-Oct-2022
https://doi.org/10.1007/978-3-031-17433-9_21
Barbosa MBarthe GBhargavan KBlanchet BCremers CLiao KParno B(2021)SoK: Computer-Aided Cryptography2021 IEEE Symposium on Security and Privacy (SP)10.1109/SP40001.2021.00008(777-795)Online publication date: May-2021
https://doi.org/10.1109/SP40001.2021.00008
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents