mersenneforum.org > Math Stuff > Tales From the Crypt(o)

Old 2015-12-22, 19:42   #1
Madpoo
Juniper ScreenOS "hack"

Okay, so I *finally* had a chance to read the news on the Juniper backdoor, details of which came out last week (while I was out of town... coincidence?)

If you have no idea what I'm talking about: Wired article on the Juniper flaw

For whatever random reason, we do use SSG firewalls and I confirmed that the backdoor password was present on our version, although I'm happy to say that at least I properly set them up to only allow SSH from certain management IP addresses, for whatever that's worth.

Insertion of a backdoor password is bad enough, and bad enough that apparently Juniper knew nothing about it.

But beyond that is the other and much larger puzzle, the VPN decryption backdoor.

The mystery there is that according to people who've looked at Juniper's implementation of RNG, they're unwisely using Dual_EC_DRBG. In the past Juniper has said that they further randomize things, but the recent analysis showed that they retain a (conveniently) 32-byte block of output from the nasty/buggy Dual_EC algorithm, just enough to decrypt things if you were using the NSA approved constants.

So... conclusion is that Juniper firewalls had the NSA backdoor all along. The problem is that sometime in 2013, the master key was changed to something different... some other government hacked in and changed the lock on the backdoor? The "fix" was to reset the NSA's backdoor (ahem, I mean the "default" P,Q values) to their original values.

Read all about it here:
https://rpw.sh/blog/2015/12/21/the-backdoored-backdoor/

I'm posting here out of:

(A) general frustration, because anyone with any sense has been saying that putting a backdoor into encryption presents a HUGE flaw, because who can say that the holder of the key (NSA) won't be compromised, or, in this case, the backdoor getting hacked to create a new key that someone else has?

(B) my curiosity was piqued when reading the details... I'm vaguely aware of public key cryptography and these elliptic curve methods... reading the analysis of the Juniper implementation tells me that if you use constants for P and Q points of the curve, if you happen to know the "e" value such that P=Q*e you can trivially decrypt things with only a small amount (32 bytes) of data to start from.

Which leads me to ask the question, how hard is it to derive that "e" value given the P,Q points? I saw something that described it as akin to factoring a 128-bit key (using the P-256 constants in the stupid standard). Presumably many orders of magnitude more difficult with the P-384 and P-521 values.

The concern being that if the NSA is daft enough to mandate these backdoors, foreign entities with sufficient means could derive the backdoor key on their own (or as I mentioned, stuff in their own master key and hack Juniper/Cisco/whatever and wait 2 years for the NSA to figure out someone changed the locks on them).

Anyway, it's a fascinating and scary tale of just how devious the government is, how the NSA has forced their deliberately buggy RNG on various vendors, and a perfect example of why this was such a bad idea in the first place.

Other interesting reading on the Juniper thing:
http://blog.cryptographyengineering....-backdoor.html
http://www.computerworld.com/article...-software.html

Curious what y'all think since there are some very smart people on here.
Old 2015-12-22, 20:13   #2
Madpoo
More "mathy-ness" detail

This link has a pretty good and detailed explanation of what the algorithm is like and demonstrates how to use known P,Q values to decrypt things if you have the magic value "e".

https://blog.0xbadc0de.be/archives/155
Old 2015-12-23, 08:15   #3
retina

Quote:
Originally Posted by Madpoo
Which leads me to ask the question, how hard is it to derive that "e" value given the P,Q points?
Very. Hard enough that it is unlikely anyone has the capability and desire to do it. This is not as "simple" as a factoring problem.
Old 2015-12-23, 08:22   #4
retina

Quote:
Originally Posted by Madpoo
Anyway, it's a fascinating and scary tale of just how devious the government is, how the NSA has forced their deliberately buggy RNG on various vendors, and a perfect example of why this was such a bad idea in the first place.
And not just the NSA, but anyone that gives you software using that RNG. They can generate their own Q (and secret e) and compromise you.

But it goes further, can you (the collective you) trust every single one of your software products? That includes your OS and drivers etc. There are literally thousands of people involved so there is no way you can verify the integrity of everyone. Are you sure that MS/Linux updates are not secretly modifying things to compromise you? Or your browser updates? Or that router you just bought? Or the latest phone update?
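The algebra behind Madpoo's "P = Q*e" remark, the demo in the 0xbadc0de link, and retina's point that whoever supplies Q can plant their own e, as an added toy example (not code from the thread or from the linked blog posts): a scaled-down Dual_EC_DRBG on a textbook curve over F_17 with a constructed secret e, where the party that derived Q turns a single output back into the generator's internal state and then predicts everything that follows. The curve, the base point, e and the seed are all constructed for illustration; the function names are mine. Everyone without e is left with the discrete-log problem P = e*Q, which is why the only real defence is constants whose generation can be independently verified, or a different DRBG altogether.

```python
# Toy Dual_EC_DRBG on the textbook curve y^2 = x^3 + 2x + 2 over F_17 (order 19); constructed, not P-256.
P_MOD, A, B, ORDER = 17, 2, 2, 19
P = (10, 6)  # the fixed base point everybody uses
E = 3        # hypothetical secret "e" known only to whoever supplied Q

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

# The supplier picks Q = e^-1 * P, so P = e*Q; users see only P and Q.
Q = mul(pow(E, -1, ORDER), P)

def dual_ec(seed, n):
    """s <- x(s*P); emit x(s*Q).  Toy: no truncation; seeds avoid multiples of 19."""
    s, out = seed, []
    for _ in range(n):
        s = mul(s, P)[0]
        out.append(mul(s, Q)[0])
    return out

def lift_x(x):
    """Either point with this x-coordinate works, since x(e*R) == x(e*(-R))."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    return (x, next(y for y in range(P_MOD) if y * y % P_MOD == rhs))

def recover_next_state(output_x):
    """With e, one output x(s*Q) yields the next state x(s*P) = x(e*(s*Q))."""
    return mul(E, lift_x(output_x))[0]

def predict(output_x, n):
    """All later outputs follow; without e this step is the discrete log of P base Q."""
    s, out = recover_next_state(output_x), []
    for _ in range(n):
        out.append(mul(s, Q)[0])
        s = mul(s, P)[0]
    return out
```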
Old 2015-12-23, 10:47   #5
blip
 

Quote:
Originally Posted by retina
And not just the NSA, but anyone that gives you software using that RNG. They can generate their own Q (and secret e) and compromise you.

But it goes further, can you (the collective you) trust every single one of your software products? That includes your OS and drivers etc. There are literally thousands of people involved so there is no way you can verify the integrity of everyone. Are you sure that MS/Linux updates are not secretly modifying things to compromise you? Or your browser updates? Or that router you just bought? Or the latest phone update?
Trust is the stuff that keeps our world together.

You can always compile a system yourself. There are distros based on that idea, and usually they also provide some means of checking integrity.

But, as one of our sysadmins says: Just because you are paranoid does not mean they are not after you.
Old 2015-12-23, 10:59   #6
retina

Quote:
Originally Posted by blip
Trust is the stuff that keeps our world together.
Agreed. Which was my point, perhaps poorly made, about not being able to verify everyone.
Quote:
Originally Posted by blip
You can always compile a system yourself. There are distros based on that idea, and usually they also provide some means of checking integrity.
Being able to compile doesn't prove integrity of the code. No one, yes, not anyone, can verify and review the entire code base of Linux. The Debian crypto bug should be enough of a reason to see why that is true.
Quote:
Originally Posted by blip
But, as one of our sysadmins sais: Just because you are paranoid does not mean they are not after you.
Oh, but they are. "They" are after everyone and their data. One glimmer of hope is to get lost in the sea of too much data and hope they miss it. Or otherwise don't generate the data in the first place. Or use only things you can personally verify.
Old 2015-12-23, 11:13   #7
blip
 

Quote:
Originally Posted by retina
Oh, but they are.
That's what I'm saying.
Old 2015-12-23, 17:52   #8
Madpoo

Quote:
Originally Posted by retina
And not just the NSA, but anyone that gives you software using that RNG. They can generate their own Q (and secret e) and compromise you.

But it goes further, can you (the collective you) trust every single one of your software products? That includes your OS and drivers etc. There are literally thousands of people involved so there is no way you can verify the integrity of everyone. Are you sure that MS/Linux updates are not secretly modifying things to compromise you? Or your browser updates? Or that router you just bought? Or the latest phone update?
That, in fact, was one of the points that came up in some discussions about so-called "optional" encryption algorithms.

I think someone had mentioned that the NSA approved method was included as an optional one in Windows somewhere, which essentially means that, even though it's not the default, this buggy, backdoor-enabled system is present on every Windows system. All it takes is some future update from MS to toggle some registry entry that would likely go unnoticed. Far different than if the code was never there to start with and MS came along one day and installed a bunch of new crap... just flip a bit and now all your future encryptions are backdoor friendly.

I have to admit, it's creepy, and although I'd heard about all the NSA backdoor stuff, until this Juniper hack I was never really sure if the NSA did it on purpose, but now it seems like it's been proven, because what other reason would there be for someone to hack into Juniper and go to all that effort to change the constants (and for Juniper to "fix" it by changing back to their original) if not for a backdoor decryption method?

And further, why else would Juniper have a HUGE bug in their algorithm that *should* have closed that backdoor, but just so happens to never get called? Seems like that was on purpose... like someone working there put in some code that, if you scanned it, seems like it further obfuscates the RNG, but thanks to a quirk that code is never executed. That's deliberate if you ask me. NSA mole or maybe someone from another country (drive by the HQ of any network company and you'll see people from every nation on the planet, so it doesn't have to be the NSA specifically).

</tinfoil>
Old 2015-12-23, 22:09   #9
ewmayer

Quote:
Originally Posted by Madpoo
I think someone had mentioned that the NSA approved method was included as an optional one in Windows somewhere, which essentially means that, even though it's not the default, this buggy, backdoor-enabled system is present on every Windows system. All it takes is some future update from MS to toggle some registry entry that would likely go unnoticed.
Or from someone not-at-MS to do so, wink, wink.
Old 2015-12-23, 23:30   #10
chalsall

Quote:
Originally Posted by Madpoo
NSA mole or maybe someone from another country (drive by the HQ of any network company and you'll see people from every nation on the planet, so it doesn't have to be the NSA specifically).
Never forget Clinton and the "Clipper Chip".
Old 2015-12-24, 20:43   #11
Madpoo

Quote:
Originally Posted by chalsall
Never forget Clinton and the "Clipper Chip".
Yup. Horrible idea then, and still horrible now. But when they couldn't do it through a law, they did it through pressuring companies when they could, and probably hacking companies when they couldn't coerce them normally.

I just look at how they're freaking out over Apple's new default of total encryption. Sigh...

And not just that, but the way they try to force people to turn over their password despite our lovely 5th amendment.

Oh well... the times we live in, right? George Orwell was an optimist. LOL

And besides, it could be worse... some countries are even worse when it comes to civil liberties.