
New Discovery Around Juniper Backdoor Raises More Questions (2016) - DyslexicAtheist
https://www.wired.com/2016/01/new-discovery-around-juniper-backdoor-raises-more-questions-about-the-company/
======
dec0dedab0de
Over a decade ago I worked for a CLEC. One day one of our engineers was on a
support call with our client side TDM vendor, who had remoted into his
computer to troubleshoot some issue. During that session the vendor's employee
used a backdoor account to log in, and our engineer was recording his terminal
session, so we had the password from there on out. We could not disable the
account or change it's password, and it didn't show up as a logged in user
when it was being used. So we made it a point to only turn on the SSH daemons
on IP's that weren't available to the public. It did come in handy a few times
to reset a real password when using a console cable was not feasible.

------
eps
The post makes it sound like the nonce size increase was a decision made by
"Juniper" after a careful consideration by a committee of grayhaired security
experts. More likely than not it was done by a random dev because 32 is the
smallest power of 2 that's close to 20 and it increased their Smartbit
throughput metrics by a fraction of percent and because it aligned shit better
in the packet.

As elegant as this conspiracy theory is, it's likely not true. It _is_ an
elegant one though, I'll give it that.

~~~
matthewdgreen
One of the researchers here. We wrote a paper about this that you might be
interested in:
[https://eprint.iacr.org/2016/376.pdf](https://eprint.iacr.org/2016/376.pdf)

The nonce size isn't a particularly significant element of the "conspiracy
theory" here. Those things are worth looking at because they would rule _out_
exploitability. If one requires a conspiracy theory in this case, it would be
based on the following amazing facts:

1\. In addition to the pseudorandom generator (PRNG) described in FIPS
certification docs, all Juniper ScreenOS devices shipped with a second
_unannounced_ public-key pseudorandom number generator (Dual_EC_DRBG) that
works in parallel with the certified PRNG.

2\. This generator is well known to be easy to backdoor if one replaces the
standard NIST parameters with custom parameters, and this has been known since
well before the generator was added in ScreenOS.

3\. Amazingly, the standard NIST parameters have been replaced with new
parameters, and no justification for these new parameters was provided by
Juniper -- after the presence of the generator was revealed (in 2013) or after
they were hacked some years later.

4\. Many years after initially shipping this generator, and due to a very
public de-certification of the Dual_EC_DRBG generator, Juniper quietly
admitted use of that generator and parameters, but declined to remove it --
claiming that post-processing by the (official) PRNG would prevent the
backdoor from being exploited.

5\. Except that due to a _frankly amazing_ coding error, the second (avowed)
RNG never actually runs, ensuring that raw output from the flawed Dual EC
generator is transmitted. This renders the alleged backdoor exploitable.

6\. There are a number of other conditions that must be present for this flaw
to be efficiently exploitable (this is one of the places where nonces come in)
and every single exploitability condition is present.

7\. Many years later, some outside hacker comes along, replaces the (Juniper-
derived) PRNG parameters with their own parameters, and _despite no further
code changes_ the manufacturer admits that this enables a passive decryption
attack on all ScreenOS devices.

I don't think you need much of a conspiracy theory to ask what the heck is
going on with this. Issues like the nonces aren't really proof of a
conspiracy; they are things one would look for to determine whether there were
specific barriers that would prevent exploitation.

You can draw any conclusions you want from all of this, but it's really about
as bad a fact pattern as you're ever going to see.

------
scott-smith_us
Untrustworthy is untrustworthy, whether due to incompetence or malice.

------
blakesterz
This is from over 2 years ago, I thought "OH NO NOT ANOTHER ONE" but it's not
all that new now. Maybe needs a [2016] tag?

