Paper 2016/376

A Systematic Analysis of the Juniper Dual EC Incident

Stephen Checkoway, Shaanan Cohney, Christina Garman, Matthew Green, Nadia Heninger, Jacob Maskiewicz, Eric Rescorla, Hovav Shacham, and Ralf-Philipp Weinmann

Abstract

In December 2015, Juniper Networks announced that unknown attackers had added unauthorized code to ScreenOS, the operating system for their NetScreen VPN routers. This code created two vulnerabilities: an authentication bypass that enabled remote administrative access, and a second vulnerability that allowed passive decryption of VPN traffic. Reverse engineering of ScreenOS binaries revealed that the first of these vulnerabilities was a conventional back door in the SSH password checker. The second is far more intriguing: a change to the Q parameter used by the Dual EC pseudorandom number generator. It is widely known that Dual EC has the unfortunate property that an attacker with the ability to choose Q can, from a small sample of the generator's output, predict all future outputs. In a 2013 public statement, Juniper noted the use of Dual EC but claimed that ScreenOS included countermeasures that neutralized this form of attack. In this work, we report the results of a thorough independent analysis of the ScreenOS randomness subsystem, as well as its interaction with the IKE VPN key establishment protocol. Due to apparent flaws in the code, Juniper's countermeasures against a Dual EC attack are never executed. Moreover, by comparing sequential versions of ScreenOS, we identify a cluster of additional changes that were introduced concurrently with the inclusion of Dual EC in a single 2008 release. Taken as a whole, these changes render the ScreenOS system vulnerable to passive exploitation by an attacker who selects Q. We demonstrate this by installing our own parameters, and showing that it is possible to passively decrypt a single IKE handshake and its associated VPN traffic in isolation without observing any other network traffic.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Preprint. MINOR revision.
Keywords
pseudo-randomnessapplications
Contact author(s)
matthewdgreen @ gmail com
History
2016-04-14: received
Short URL
https://ia.cr/2016/376
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2016/376,
      author = {Stephen Checkoway and Shaanan Cohney and Christina Garman and Matthew Green and Nadia Heninger and Jacob Maskiewicz and Eric Rescorla and Hovav Shacham and Ralf-Philipp Weinmann},
      title = {A Systematic Analysis of the Juniper Dual EC Incident},
      howpublished = {Cryptology ePrint Archive, Paper 2016/376},
      year = {2016},
      note = {\url{https://eprint.iacr.org/2016/376}},
      url = {https://eprint.iacr.org/2016/376}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.