
Where did I leave my keys?: lessons from the Juniper Dual EC incident

Published: 26 October 2018

Abstract

In December 2015, Juniper Networks announced multiple security vulnerabilities stemming from unauthorized code in ScreenOS, the operating system for their NetScreen Virtual Private Network (VPN) routers. The more sophisticated of these vulnerabilities was a passive VPN decryption capability, enabled by a change to one of the parameters used by the Dual Elliptic Curve (EC) pseudorandom number generator.

In this paper, we describe the results of a full independent analysis of the ScreenOS randomness and VPN key establishment protocol subsystems, which we carried out in response to this incident. While Dual EC is known to be insecure against an attacker who can choose the elliptic curve parameters, Juniper had claimed in 2013 that ScreenOS included countermeasures against this type of attack. We find that, contrary to Juniper's public statements, the ScreenOS VPN implementation has been vulnerable since 2008 to passive exploitation by an attacker who selects the Dual EC curve point. This vulnerability arises from flaws in Juniper's countermeasures as well as from a cluster of changes that were all introduced concurrently with the inclusion of Dual EC in a single 2008 release. We demonstrate the vulnerability on a real NetScreen device by modifying the firmware to install our own parameters, and we show that it is possible to passively decrypt an individual VPN session in isolation without observing any other network traffic. This incident is an important example of how guidelines for random number generation, engineering, and validation can fail in practice. Additionally, it casts further doubt on the practicality of designing a safe "exceptional access" or "key escrow" scheme of the type contemplated by law enforcement agencies in the United States and elsewhere.


Published in: Communications of the ACM, Volume 61, Issue 11, November 2018, 156 pages. ISSN: 0001-0782, EISSN: 1557-7317, DOI: 10.1145/3289258

            Copyright © 2018 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Qualifiers: research-article, Research, Refereed
