A Systematic Analysis of the Juniper Dual EC Incident (PowerPoint PPT Presentation)


  1. A Systematic Analysis of the Juniper Dual EC Incident
     Stephen Checkoway, with Jacob Maskiewicz, Christina Garman, Joshua Fried, Shaanan Cohney, Matthew Green, Nadia Heninger, Ralf-Philipp Weinmann, Eric Rescorla, Hovav Shacham

  2. Juniper's surprising announcement
     PROBLEM: During an internal code review, two security issues were identified. Administrative Access (CVE-2015-7755) allows unauthorized remote administrative access to the device. Exploitation of this vulnerability can lead to complete compromise of the affected device. VPN Decryption (CVE-2015-7756) may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic. It is independent of the first issue.
     https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713

  3. Affected devices and firmware
     • Juniper's Secure Services Gateway firewall/VPN appliances
     • Various revisions of ScreenOS 6.2 and 6.3

  4. Administrative access backdoor
     • Extra check inserted in auth_admin_internal for a hardcoded admin password: <<< %s(un='%s') = %u
     • Works with both SSH and Telnet
     • Analysis by HD Moore

  5-7. VPN decryption
     • Juniper's bulletin is a bit vague: knowledgeable attacker?
     • The first hint comes from a strings diff between an affected version and its corresponding fix:
        FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
        FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC
        5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
        6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
        FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
       -9585320EEAF81044F20D55030A035B11BECE81C785E6C933E4A8A131F6578107
       +2C55E5E45EDF713DC43475EFFE8813A60326A64D9BA3D2E39CB639B0F3B0AD10
     • Almost the entire difference
     • The unchanged constants are the P-256 parameters in short Weierstrass form, y^2 = x^3 + ax + b (mod p) with generator P = (P_x, P_y): p, a = −3 (mod p), b, P_x, and the P-256 group order n
     • Via reverse engineering: the changed constant is a nonstandard x-coordinate of the Dual EC point Q
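The strings diff on this slide, done by hand in the talk, is easy to turn into a repeatable check that a firmware analyst can run on any two builds. The script below is an added example, not code from the slides or from the authors: it pulls 32-byte hex constants out of two `strings` listings, labels the ones that are P-256 domain parameters (the five unchanged values on the slide), reports what changed between the builds, and tests whether an unlabelled constant is a valid x-coordinate on P-256, which any Dual EC Q must be. The two listings are constructed for this example; the constants in them are the ones shown on the slide.

```python
# Added example (not from the slides): the slide's "strings diff" as a script.
# The two listings below are constructed; the constants are those on the slide.
import re

PRIME = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_PARAMS = {
    "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF": "p, field prime",
    "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC": "a = p - 3",
    "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B": "b",
    "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296": "P_x, generator x",
    "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551": "n, group order",
}
HEX64 = re.compile(r"\b[0-9A-Fa-f]{64}\b")

# Constructed `strings` listings for an affected build and its fix
AFFECTED = """\
ScreenOS (constructed affected build)
auth_admin_internal
FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC
5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
9585320EEAF81044F20D55030A035B11BECE81C785E6C933E4A8A131F6578107
"""
FIXED = AFFECTED.replace("constructed affected build", "constructed fixed build").replace(
    "9585320EEAF81044F20D55030A035B11BECE81C785E6C933E4A8A131F6578107",
    "2C55E5E45EDF713DC43475EFFE8813A60326A64D9BA3D2E39CB639B0F3B0AD10")


def extract_constants(strings_output):
    """All 64-hex-digit tokens in a `strings` listing, upper-cased, as a set."""
    return {m.group(0).upper() for m in HEX64.finditer(strings_output)}


def is_p256_x(hex_constant):
    """True if some point on P-256 has this x-coordinate: x must lie in the field
    and x^3 - 3x + b must be a square mod p (Euler's criterion)."""
    x = int(hex_constant, 16)
    if x >= PRIME:
        return False
    rhs = (pow(x, 3, PRIME) - 3 * x + B) % PRIME
    return rhs == 0 or pow(rhs, (PRIME - 1) // 2, PRIME) == 1


def label(hex_constant):
    """Name a known P-256 parameter, or say whether an unknown constant could be a Q x-coordinate."""
    if hex_constant in P256_PARAMS:
        return P256_PARAMS[hex_constant]
    if is_p256_x(hex_constant):
        return "unlabelled; valid P-256 x-coordinate (candidate Dual EC point, review)"
    return "unlabelled; not a P-256 x-coordinate"


def diff_builds(affected, fixed):
    """Constants removed by, added by, and shared across the fix, each labelled."""
    a, f = extract_constants(affected), extract_constants(fixed)
    return {"removed": {c: label(c) for c in sorted(a - f)},
            "added": {c: label(c) for c in sorted(f - a)},
            "shared": {c: label(c) for c in sorted(a & f)}}


if __name__ == "__main__":
    for kind, consts in diff_builds(AFFECTED, FIXED).items():
        for c, what in consts.items():
            print(f"{kind:8} {c}  {what}")
```

The classifier only tells you that a constant next to the P-256 parameters is a plausible curve point; as the slide says, identifying it as the Dual EC Q still took reverse engineering of the code that uses it.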

  8. Dual EC DRBG timeline
     • Early 2000s: Created by the NSA and pushed towards standardization
     • 2004: Published as part of ANSI X9.82 Part 3 draft
     • 2004: RSA made Dual EC the default CSPRNG in BSAFE (for $10MM)
     • 2006: Standardized in NIST SP 800-90
     • 2007: Shumow and Ferguson demonstrate a theoretical backdoor attack
     • 2013: Snowden documents lead to renewed interest in Dual EC
     • 2014: Practical attacks on TLS using Dual EC demonstrated
     • 2014: NIST removes Dual EC from list of approved PRNGs
     • 2016: Practical attacks on IKE using Dual EC (this work)

  9-14. A backdoored PRNG (diagram, built up over several animation steps)
     Legend: s_k: internal PRNG states; r_k: outputs; f(·): state update function; g(·): output function; h(·): backdoor function; ◼: attacker computation
     State chain: s_0 → s_1 = f(s_0) → s_2 = f(s_1) → s_3 = f(s_2) → …
     Outputs: r_1 = g(s_0), r_2 = g(s_1), r_3 = g(s_2), …
     Backdoor: from the observed output r_2 the attacker computes h(r_2) and recovers the internal state, after which every later output follows

  15. Elliptic curve primer
     • Points on an elliptic curve are pairs (x, y)
     • x and y are 32-byte integers (for the curve we care about here)
     • Points can be added together to get another point on the curve
     • Scalar multiplication: given integer n and point P, nP = P + P + … + P is easy to compute
     • Given points P and nP, n is hard to compute (elliptic curve discrete logarithm problem)

  16-23. Dual EC operation (simplified) (diagram, built up over several animation steps)
     Legend: s_i: 32-byte internal states; P, Q: fixed EC points; x(·): x-coordinate
     State chain: s_0 → s_1 = x(s_0 P) → s_2 = x(s_1 P) → s_3 = x(s_2 P) → …
     Per-state values: r_1 = x(s_1 Q), r_2 = x(s_2 Q), …
     The least significant 30 bytes of each r_i form the output

  24-27. Shumow–Ferguson attack (same diagram, built up over several animation steps; the attacker's computation x(dR) is added at s_2)
     Assumes attacker knows the integer d such that P = dQ
     1. Set r_1 to 30 MSB of output
     2. Guess 2 MSB of r_1
     3. Let R s.t. x(R) = r_1
     4. Compute s_2 = x(s_1 P) = x(s_1 dQ) = x(d s_1 Q) = x(dR)
     5. Compute r_2 and compare with output; goto 2 if they differ
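Slides 15 through 27 are one argument: the generator is nothing but x-coordinates of scalar multiples, so whoever knows d with P = dQ turns one truncated output into the next state. The block below is an added example, not code from the slides or from Checkoway et al.: it models the simplified Dual EC generator of slides 16-23 over real P-256 (the parameters from the strings diff), plants the trapdoor relation P = dQ the way an insider choosing Q would, and runs the five-step recovery of slides 24-27. The curve arithmetic (plain affine double-and-add in pure Python, for study only), the secret scalar passed to `make_trapdoored_points`, the seed, and the `dropped_bytes` parameter that generalises the slide's fixed two-byte truncation are this example's own.

```python
# Added example (not from the slides or from Checkoway et al.): simplified Dual EC
# over P-256 with a planted trapdoor P = dQ, plus Shumow-Ferguson state recovery.
# All curve arithmetic, the secret scalar and the seed are this example's own.
import sys

# P-256 domain parameters, as listed on the strings-diff slide
PRIME = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = PRIME - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296

def lift_x(x):
    """A point with x-coordinate x, or None if no point of P-256 has it.
    PRIME is 3 mod 4, so rhs^((PRIME+1)/4) is a square root whenever one exists."""
    rhs = (pow(x, 3, PRIME) + A * x + B) % PRIME
    y = pow(rhs, (PRIME + 1) // 4, PRIME)
    return (x, y) if y * y % PRIME == rhs else None

def ec_add(p1, p2):
    """Affine point addition on P-256; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % PRIME == 0:
            return None                                    # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, PRIME)   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, PRIME)          # chord slope
    lam %= PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)

def ec_mul(k, pt):
    """k * pt by right-to-left double-and-add (no side-channel hardening)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

G = lift_x(GX)   # the P-256 base point (either sign of y serves here)

def make_trapdoored_points(e):
    """Points as an insider would pick them: P is the base point and Q = e*P for a
    secret e, so P = d*Q with d = e^-1 mod ORDER known only to the insider."""
    return G, ec_mul(e, G), pow(e, -1, ORDER)

class DualEC:
    """Slides 16-23: s_{i+1} = x(s_i P), r_{i+1} = x(s_{i+1} Q), and the least
    significant (32 - dropped_bytes) bytes of r form the output."""

    def __init__(self, seed, p_point, q_point, dropped_bytes=2):
        self.state, self.p_point, self.q_point = seed, p_point, q_point
        self.mask = (1 << (8 * (32 - dropped_bytes))) - 1

    def next_output(self):
        self.state = ec_mul(self.state, self.p_point)[0]
        return ec_mul(self.state, self.q_point)[0] & self.mask

def shumow_ferguson_recover(out1, out2, d, q_point, dropped_bytes=2):
    """Slides 24-27, steps 2-5: guess the dropped high bytes of r_1, lift to a
    point R, compute s_2 = x(dR), confirm against the next output. Returns s_2."""
    keep_bits = 8 * (32 - dropped_bytes)
    mask = (1 << keep_bits) - 1
    for guess in range(1 << (8 * dropped_bytes)):
        x = (guess << keep_bits) | out1
        if x >= PRIME:
            continue                           # not a field element
        R = lift_x(x)
        if R is None:
            continue                           # step 3 fails: x is not on the curve
        s2 = ec_mul(d, R)[0]                   # x(dR) = x(d s_1 Q) = x(s_1 P) = s_2
        if ec_mul(s2, q_point)[0] & mask == out2:
            return s2
    return None

if __name__ == "__main__":
    # Constructed demo values. With the real 2 dropped bytes there are up to 65536
    # guesses (minutes in pure Python); pass 1 on the command line for a quick run.
    dropped = int(sys.argv[1]) if len(sys.argv) > 1 else 2
    p_point, q_point, d = make_trapdoored_points(0x1B2C3D4E5F)
    gen = DualEC(0x0123456789ABCDEF, p_point, q_point, dropped)
    out1, out2 = gen.next_output(), gen.next_output()
    s2 = shumow_ferguson_recover(out1, out2, d, q_point, dropped)
    print("state recovered:", s2 == gen.state)
    clone = DualEC(s2, p_point, q_point, dropped)
    print("next output predicted:", clone.next_output() == gen.next_output())
```

Two details of the slide's argument show up in the code: lifting r_1 to a point gives R or −R, and either works because x(dR) = x(−dR); and the two dropped bytes are what make step 2 a loop of at most 2^16 guesses rather than a lookup, which is why the generalised `dropped_bytes` knob changes the cost but not the outcome. Nothing in the recovery depends on the seed, only on d, which is the whole point of the slide's assumption.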
