The NSA’s subversion of encryption standards may have come home to roost.
As more eyes examine the Juniper backdoor in ScreenOS, the operating system standing up its NetScreen VPNs, it’s becoming clear that someone backdoored the NSA backdoor in Dual_EC_DRBG, opening the door to passive decryption of any VPN traffic moving through a NetScreen gateway.
Juniper’s documentation for NetScreen and ScreenOS shows that it uses Dual_EC_DRBG in an unconventional way to implement a random number generator used to encrypt VPN traffic. According to documents from the Snowden leaks that detailed the spy agency’s Project BULLRUN, the NSA is alleged to have subverted Dual_EC_DRBG so that it controls one of the values used to generate keys, allowing it to predict outputs.
Expert Ralf-Philipp Weinmann said that at some point in 2012, attackers were able to manipulate the existing backdoor in Dual_EC to spy on NetScreen traffic; NetScreen VPNs are high-end enterprise appliances used worldwide. Weinmann said that the only changes were to the parameters of Dual_EC, indicating that its open wounds were exposed to anyone with enough know-how to exploit them.
Juniper’s blockbuster announcement and emergency patches last Thursday threw back the covers not only on the VPN vulnerability but also on a hardcoded password allowing for SSH and telnet remote administrative access of NetScreen boxes. Since then, experts have not only picked apart the VPN flaw, but also publicized the password, and are starting to report login attempts using the secret code. The SANS Institute’s Internet Storm Center earlier today said its SSH honeypots had logged numerous login attempts using the ScreenOS backdoor password. Johannes Ullrich, ISC director, said the attacks appear manual, and that it’s unclear what the attackers’ intentions could be.
Other vendors are circling the wagons too, trying to reassure customers of their security. Cisco, for example, published a post that said it has no indication its code has been compromised, and that it has initiated a code review.
Matthew Green, a noted crypto expert and Johns Hopkins professor, also went into detail about Juniper’s use of Dual_EC, challenging the networking vendor’s defense of its use of the algorithm. Juniper’s unorthodox use of Dual_EC—generating a seed for ANSI X9.17, a 3DES generator—should kill the backdoor because it obfuscates the output, the company contends. But Green points out that this assumption relies on the fact that no other code could leak bytes of raw Dual_EC output.
“Yet this is exactly the kind of threat you’d worry about in a deliberately backdoored system — the threat that, just maybe, the developers are not your friend. Thus Dual EC is safe only if you assume no tiny bug in the code could accidentally leak out 30 bytes or so of raw Dual EC output,” Green wrote. “If it did, this would make all subsequent seeding calls predictable, and thus render all numbers generated by the system predictable. In general, this would spell doom for the confidentiality of VPN connections.”
Researcher Willem Pinckaers, however, discovered that such a bug does exist, opening the door for the second attacker to abuse the original Dual_EC backdoor.
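Why the Dual_EC parameters matter, and why a leak of raw output is fatal, shown as an added Python sketch (not Juniper's code and not from the original article): anyone who knows the scalar d linking the two curve points can turn one raw output into the generator's next internal state. The sketch assumes secp256k1 in place of P-256 and hides 8 bits per output instead of 16; d, the seed and both points are constructed for the demo.

```python
# Dual EC-style generator on secp256k1 (stand-in for P-256); all values constructed.
P_FIELD = 2**256 - 2**32 - 977     # field prime, congruent to 3 mod 4
DROP = 8                           # top bits hidden per output (the standard hides 16)
MASK = (1 << (256 - DROP)) - 1

def add(p1, p2):                   # affine addition on y^2 = x^3 + 7; None is infinity
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return x3, (lam * (x1 - x3) - y1) % P_FIELD

def mul(k, pt):                    # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def lift(x):                       # a curve point with this x-coordinate, or None
    rhs = (x**3 + 7) % P_FIELD
    y = pow(rhs, (P_FIELD + 1) // 4, P_FIELD)
    return (x, y) if x < P_FIELD and y * y % P_FIELD == rhs else None

def step(state, P, Q):             # state' = x(state*P); output = low bits of x(state'*Q)
    state = mul(state, P)[0]
    return state, mul(state, Q)[0] & MASK

def recover_state(out1, out2, d, P, Q):
    # Whoever knows d with P = d*Q turns one output into the generator's next state.
    for hi in range(1 << DROP):    # guess the hidden top bits of out1
        R = lift((hi << (256 - DROP)) | out1)
        if R and (mul(mul(d, R)[0], Q)[0] & MASK) == out2:
            return mul(d, R)[0]    # d*(s*Q) = s*P, and x(s*P) is the next state
    return None

def demo():
    Q = next(pt for pt in map(lift, range(1, 100)) if pt)  # constructed point
    d = 0xD00D5EED                 # constructed trapdoor scalar
    P = mul(d, Q)
    s, o1 = step(0x1234567890ABCDEF, P, Q)                 # constructed seed
    s, o2 = step(s, P, Q)
    s, o3 = step(s, P, Q)
    return step(recover_state(o1, o2, d, P, Q), P, Q)[1] == o3
```

`demo()` returns `True`: the third output is predicted from the first two. Without d, the same search finds no matching state, which is why control of the point parameters decides who can read the traffic.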
“Some hacker or group of hackers noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional — you be the judge!” Green wrote. “They then piggybacked on top of it to build a backdoor of their own, something they were able to do because all of the hard work had already been done for them. The end result was a period in which someone — maybe a foreign government — was able to decrypt Juniper traffic in the U.S. and around the world.”
In the bigger picture, Green and others point to this situation as an illustration of the potential consequences of government-mandated backdoors. FBI director James Comey and others in law enforcement have decried technology companies’ relinquishing of control over encryption keys to user devices. This leaves the government unable to compel companies to turn over user data, regardless of the warrants and court orders at their disposal. In what has been dubbed the “Going Dark” problem, the government has urged companies like Apple, Google and others to find a way to satisfy their needs via shared crypto keys, key escrow, or even a backdoor.
Green and attorney James Denaro said this summer at Black Hat that feasible solutions are extremely difficult because of the complexity and vulnerabilities proposed solutions would introduce. The Juniper backdoor may be the best case study in their favor; Green for one says he has raised concerns about the possible subversion of mandated crypto backdoors.
“Specifically, that a back door intended for law enforcement could somehow become a backdoor for people who we don’t trust to read our messages. Normally when we talk about this, we’re concerned about failures in storage of things like escrow keys. What this Juniper vulnerability illustrates is that the danger is much broader and more serious than that,” Green said. “The problem with cryptographic backdoors is not that they’re the only way that an attacker can break into our cryptographic systems. It’s merely that they’re one of the best. They take care of the hard work, the laying of plumbing and electrical wiring, so attackers can simply walk in and change the drapes.”