Where Did I Leave My Keys? Lessons from the Juniper Dual EC Incident

By Stephen Checkoway, Jake Maskiewicz, Christina Garman, Joshua Fried, Shaanan Cohney, Matthew Green, Nadia Heninger, Ralf-Philipp Weinmann, Eric Rescorla, and Hovav Shacham.

In Communications of the ACM, 61(11):148–155, October 2016.

Abstract

In December 2015, Juniper Networks announced multiple security vulnerabilities stemming from unauthorized code in ScreenOS, the operating system for their NetScreen Virtual Private Network (VPN) routers. The more sophisticated of these vulnerabilities was a passive VPN decryption capability, enabled by a change to one of the parameters used by the Dual Elliptic Curve (EC) pseudorandom number generator.

In this paper, we described the results of a full independent analysis of the ScreenOS randomness and VPN key establishment protocol subsystems, which we carried out in response to this incident. While Dual EC is known to be insecure against an attacker who can choose the elliptic curve parameters, Juniper had claimed in 2013 that ScreenOS included countermeasures against this type of attack. We find that, contrary to Juniper’s public statements, the ScreenOS VPN implementation has been vulnerable to passive exploitation by an attacker who selects the Dual EC curve point since 2008. This vulnerability arises due to flaws in Juniper’s countermeasures as well as a cluster of changes that were all introduced concurrently with the inclusion of Dual EC in a single 2008 release. We demonstrate the vulnerability on a real NetScreen device by modifying the firmware to install our own parameters, and we show that it is possible to passively decrypt an individual VPN session in isolation without observing any other network traffic. This incident is an important example of how guidelines for random number generation, engineering, and validation can fail in practice. Additionally, it casts further doubt on the practicality of designing a safe “exceptional access” or “key escrow” scheme of the type contemplated by law enforcement agencies in the United States and elsewhere.

Material

Reference

@Article{checkoway-et-al:juniper-dual-ec:cacm,
  author =   {Stephen Checkoway and Jacob Maskiewicz and Christina
              Garman and Joshua Fried and Shaanan Cohney and
              Matthew Green and Nadia Heninger and Ralf-Philipp
              Weinmann and Eric Rescorla and Hovav Shacham},
  title =    {Where Did {I} Leave My Keys? {Lessons} from the
              {Juniper} {Dual~EC} Incident},
  journal =  {Communications of the ACM},
  volume =    61,
  number =    11,
  month =     oct,
  year =      2018,
  issn =      {0001-0782},
  pages =     {148-155},
  publisher = {ACM},
  url =       {https://checkoway.net/papers/junipercacm},
}