A Systematic Analysis of the Juniper Dual EC Incident

By Stephen Checkoway, Jake Maskiewicz, Christina Garman, Joshua Fried, Shaanan Cohney, Matthew Green, Nadia Heninger, Ralf-Philipp Weinmann, Eric Rescorla, and Hovav Shacham.

In Proceedings of CCS 2016. ACM Press, October 2016.


In December 2015, Juniper Networks announced multiple security vulnerabilities stemming from unauthorized code in ScreenOS, the operating system for their NetScreen VPN routers. The more sophisticated of these vulnerabilities was a passive VPN decryption capability, enabled by a change to one of the elliptic curve points used by the Dual EC pseudorandom number generator.

In this paper, we describe the results of a full independent analysis of the ScreenOS randomness and VPN key establishment protocol subsystems, which we carried out in response to this incident. While Dual EC is known to be insecure against an attacker who can choose the elliptic curve parameters, Juniper had claimed in 2013 that ScreenOS included countermeasures against this type of attack. We find that, contrary to Juniper’s public statements, the ScreenOS VPN implementation has been vulnerable since 2008 to passive exploitation by an attacker who selects the Dual EC curve point. This vulnerability arises due to apparent flaws in Juniper’s countermeasures as well as a cluster of changes that were all introduced concurrently with the inclusion of Dual EC in a single 2008 release. We demonstrate the vulnerability on a real NetScreen device by modifying the firmware to install our own parameters, and we show that it is possible to passively decrypt an individual VPN session in isolation without observing any other network traffic. We investigate the possibility of passively fingerprinting ScreenOS implementations in the wild. This incident is an important example of how guidelines for random number generation, engineering, and validation can fail in practice.



  author =    {Stephen Checkoway and Jacob Maskiewicz and Christina
               Garman and Joshua Fried and Shaanan Cohney and
               Matthew Green and Nadia Heninger and Ralf-Philipp
               Weinmann and Eric Rescorla and Hovav Shacham},
  title =     {A Systematic Analysis of the Juniper Dual EC Incident},
  booktitle = {Proceedings of CCS 2016},
  editor =    {Christopher Kruegel and Andrew Myers and Shai Halevi},
  year =      2016,
  month =     oct,
  url =       {https://checkoway.net/papers/juniper2016},