
Analysis of the Backdoored Backdoor - tptacek
https://rpw.sh/blog/2015/12/21/the-backdoored-backdoor/
======
tptacek
The plot thickens: Willem Pinckaers suggested on Twitter that the code as
presented doesn't in fact pass Dual_EC's output through the 3DES DRBG at all,
but rather (in _both_ versions) directly exposes the output of Dual_EC.

[https://twitter.com/_dvorak_/status/679109591708205056](https://twitter.com/_dvorak_/status/679109591708205056)

~~~
XMPPwocky
So is there any plausible reason for using Dual_EC besides "the NSA is paying
us off" and "we heard its security is based on the ECDLP, so maybe it's harder
to break"? From what I understand, it's slower and gives poorer randomness
than most other well-established CSPRNGs.

Because, from here, it looks an awful lot like Juniper put their own backdoor
in, and the hacker just changed it to let them use it instead. The use of
Dual_EC alone, maybe, could be overlooked... but with an implementation bug
that just so happens to reveal Dual_EC output directly... something's fishy.

~~~
tptacek
Depends on what you mean by "any plausible reason".

There were cryptographers who could have given you a _plausible_ reason to use
Dual_EC --- all of them would have recommended against doing so, though.

But there's no practical reason.

------
ghshephard
I think the most informative part of this writeup is this:

_Niels Ferguson and Dan Shumow demonstrated that if the points are not
randomly generated, but carefully chosen in advance, the security of Dual_EC
DRBG can be subverted by the party doing the choosing; effectively backdooring
the PRNG. Namely if one chooses P, Q such that Q = P·e holds for a value e that
is kept secret, it will allow the party that generated said P, Q to recover
the internal state of the PRNG from observed output in a computationally
“cheap fashion” – hence instances of Dual_EC PRNG for which the provenance of
the points P and Q is unknown are susceptible to having been backdoored._

What assurance is there that the Q chosen by Juniper isn't subject to that
type of backdoor vulnerability? Why is Juniper using Dual_EC DRBG anyways?
Aren't there other PRNGs that are considered more robust?
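
An added example (not code from this thread or from the rpw.sh write-up) of the relationship quoted above: a toy Dual_EC generator over a small curve where Q = e·P for a secret e, and the party holding e recovering the internal state from a few truncated outputs and predicting the ones that follow. Everything concrete here is an assumption chosen to keep the arithmetic small: the field p = 1019, the coefficient A = 4 (B is searched so the curve has prime order), dropping 2 bits of each x-coordinate, the secret e = 123 and the seed 777. NIST's Dual_EC runs on P-256 and drops 16 bits, so the real attack enumerates about 2^16 x-candidates per output instead of 4.

```python
"""Toy Dual_EC_DRBG with Q chosen as Q = e*P, and the state recovery that the
secret e makes cheap. Added example: field, curve, 2-bit truncation and seed are
assumptions picked to keep numbers small (NIST's Dual_EC uses P-256 and drops
16 bits, so the real attack tries ~2**16 x-candidates per output, not 4)."""

P_MOD = 1019          # assumed prime; P_MOD % 4 == 3 makes sqrt a single pow()
A = 4                 # assumed coefficient; B is searched for prime group order
INF = None            # point at infinity
TRUNC_BITS = 2        # x < 1024 fits in 10 bits; the DRBG leaks the low 8
LOW_BITS = 10 - TRUNC_BITS

def sqrt_mod(n):
    """Square root of n mod P_MOD (valid because P_MOD % 4 == 3), or None."""
    n %= P_MOD
    r = pow(n, (P_MOD + 1) // 4, P_MOD)
    return r if r * r % P_MOD == n else None

def is_prime(n):
    return n > 1 and all(n % f for f in range(2, int(n ** 0.5) + 1))

def find_prime_order_curve():
    """Search B so y^2 = x^3 + A*x + B has a prime number of points; then any
    point (here pts[0]) generates the whole group. Returns (B, order, P)."""
    for b in range(1, P_MOD):
        if (4 * A ** 3 + 27 * b * b) % P_MOD == 0:
            continue                                 # singular curve
        pts = []
        for x in range(P_MOD):
            y = sqrt_mod(x ** 3 + A * x + b)
            if y is not None:
                pts += [(x, y)] + ([(x, P_MOD - y)] if y else [])
        if is_prime(len(pts) + 1):                   # +1 for infinity
            return b, len(pts) + 1, pts[0]
    raise RuntimeError("no prime-order curve found")

B, ORDER, P = find_prime_order_curve()

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + A*x + B over F_P_MOD."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

# Whoever picked Q = e*P keeps e; with d = e^-1 mod ORDER they have P = d*Q.
E_SECRET = 123                                       # assumed secret scalar
Q = ec_mul(E_SECRET, P)
D_TRAPDOOR = pow(E_SECRET, -1, ORDER)
assert ec_mul(D_TRAPDOOR, Q) == P

def advance(state):
    """s_{i+1} = x(s_i * P), kept in [1, ORDER-1] (toy convention)."""
    return ec_mul(state, P)[0] % ORDER or 1

def output(state):
    """r_i = x(s_{i+1} * Q) with the top TRUNC_BITS dropped."""
    return ec_mul(state, Q)[0] & ((1 << LOW_BITS) - 1)

def dual_ec(seed, count):
    """Honest generator: returns (truncated outputs, final internal state)."""
    outs, s = [], seed
    for _ in range(count):
        s = advance(s)
        outs.append(output(s))
    return outs, s

def recover_states(observed):
    """Attacker: lift observed[0] to R = s*Q (2**TRUNC_BITS x-candidates; either
    y works since x(d*R) == x(d*(-R))), compute d*R = s*P whose x is the next
    state, keep candidates that replay observed[1:], and return each advanced to
    the state behind the last observed output."""
    later, found = observed[1:], []
    for hi in range(1 << TRUNC_BITS):
        x = observed[0] | (hi << LOW_BITS)
        y = sqrt_mod(x ** 3 + A * x + B) if x < P_MOD else None
        if y is None:
            continue                                 # not an x on the curve
        s = ec_mul(D_TRAPDOOR, (x, y))[0] % ORDER or 1
        replay, s_last = dual_ec(s, len(later) - 1)
        if [output(s)] + replay == later:
            found.append(s_last)
    return found

def demo(seed=777, seen=4, hidden=2):
    """Victim emits seen+hidden outputs; the attacker sees the first `seen`
    and predicts the rest. Returns (all outputs, recovered states, predictions)."""
    outs, _ = dual_ec(seed, seen + hidden)
    states = recover_states(outs[:seen])
    return outs, states, [dual_ec(s, hidden)[0] for s in states]
```

Calling demo() returns the six outputs, the single state the attacker recovers from the first four, and the two predicted outputs, which match the two the attacker never saw. The only thing that makes this cheap is D_TRAPDOOR: without e, lifting an output back to the point s·Q is easy, but turning s·Q into s·P is a discrete log in the curve group, which is exactly the ECDLP hardness the thread refers to. Anyone who generated their own Q the same way, Juniper included, holds the same trapdoor.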

~~~
adrtessier
> Why is Juniper using Dual_EC DRBG anyways?

As a follow-on question: was NetScreen using Dual_EC_DRBG before Juniper
bought them (and with it ScreenOS)? If so, it might be good to scrutinize the
original NetScreen owners and where they are now (hint: they now run Fortinet
and Palo Alto Networks. Are they at risk of interesting, compromised security
choices, now, too?)

And you're right. Juniper could still have their own e, which renders the
security pointless.

