Juniper's VPN security hole is proof that govt backdoors are bonkers

Silver badge

"It's something politicians and law enforcement officials may want to ponder the next time they call for mandatory government access to encrypted communications."

Sorry? Why would they want to ponder that? It's proof positive that their policies are ridiculous.

And we all know that politicians love eating humble pie, right?

Anonymous Coward

humble pi

Here in Indiana, USA, pi is no longer 3.14159265359....

Instead it's just 3.2

It's our backdoor to maths, 'cause it's hard.

Silver badge

Re: humble pi

"Here in Indiana, USA, pi is no longer 3.14159265359...."

Apart from the obvious madness, how many people would use pi in mental or long-hand arithmetic and 'need' it to be simplified ?

I think legislating petrol as carbon-neutral might be next !!

Silver badge

Re: humble pi

22/7 is good enough for most mental arithmetic.

355/113 is better, but harder to work with

3.142857...

3.14159292035...

Silver badge

It is the bureaucrats who push for domestic spying. The politicians who support those bureaucrats are those who are either stupid, or who have already been subverted, or are already a part of the spy agency brotherhood.

Why else would democratically elected politicians want peaceful political groups, including up-and-coming leaders and grassroots members of their own parties, spied upon by their own government?


Re: humble pi

There is pi and there is whatever approximation of pi you need for a numerical calculation to be accurate to the required degree.

I for one, if I see numbers with too many significant figures, assume that whatever I'm reading is wrong until proved otherwise.

Silver badge
Devil

Re: humble pi

That's nothing - the Bible says that π is exactly 3:

"[King Solomon] made the Sea of cast metal, circular in shape, measuring ten cubits from rim to rim and five cubits high. It took a line of thirty cubits to measure around it." 1 Kings 7:23

Joke

Re: humble pi

That's why we have peer reviewed material nowadays....

I guess they had a publish or perish policy then too, didn't they?

P.


Re: humble pi

Er, no, the Bible (I can't quite believe I'm writing this) doesn't say that Pi is 3. You have inferred this by calculating back from the fact that the story only reports the diameter, height and circumference to an accuracy of one significant figure.

While ONE significant figure is probably a little on the vague side at least the Biblical reporter is consistent. A modern day one writing for a popular publication for the masses would have probably opted to define it as a circle with an area as a fraction of a football pitch, height in full grown men and a volume to the nearest Elephant. Probably thinking that all football pitches are the same size and ditto full grown men and elephants.

Silver badge

Around where I come from (the USofA), politicians don't have time to even read the bills they push

Let alone anything with technical content.

That's why they have lobbyists to help them out - writing and interpreting all that stuff. And let's not forget that the spy-industrial complex consumes a huge part of the budget (but you're not allowed to know how much.)

Silver badge
Coat

@ User McUser -- Re: humble pi

"[King Solomon] made the Sea of cast metal, circular in shape, measuring ten cubits from rim to rim and five cubits high. It took a line of thirty cubits to measure around it." 1 Kings 7:23

So that's where Indiana got the idea....

Silver badge
Mushroom

Is this an indication...

that the 3-letter agencies already run their 'Manhattan Project' for accessing worldwide communications?

- Spending billions on computing infrastructure,<check>

- Actively hacking or subverting networking and telecom providers, <check>

- Best possible secrecy, <check, the original Manhattan project also only lasted for a few years>

The Manhattan project was completed when the US had the weapons to reduce the whole world to ash. What will be the success indicator for this Manhattan II project? Something Orwellian?

Silver badge
Childcatcher

Re: Is this an indication...

What will be the success indicator for this Manhattan II project? Something Orwellian?

<check>

One of the many sad thing about it is that I doubt Mrs Clinton is aware of how threatening she sounds with this.

Anonymous Coward

I think it went something like this,

NSA: Well, what about the juniper bushes over there?

State Sponsored Hackers: Hhhh! A miracle! A miracle! Ohh!...

Juniper: Tell them to stop it. I hadn't said a word for eighteen years till the NSA came along.

Silver badge

In other words maybe they obeyed the law and complied with National Security Letters for years, including the mandatory condition of never speaking about it, and now they may be feigning ignorance for marketing reasons. It is at least plausible.

In which case the fault is that of the people who authorized National Security Letters to allow such secrecy -- those US citizens with voting rights!

In a democracy it is ultimately those who can vote in elections who are responsible for what their government gets away with.

Or maybe Juniper was just slack in reviewing its code. It may be 5 decades before we know for sure, or maybe we never know.

Silver badge
Black Helicopters

Well they've set Q back to the old value, but it seems there's still the bug which leaks 32 bytes, still the bug which means they use plain Dual EC instead of Dual EC with ANSI X9.17, and finally they're still using Dual EC when everyone else dropped that idea after Snowden.

Never ascribe to malice what can be ascribed to incompetence and all that, but the back door is still there. But at least it's the way it was supposed to be.


"Never ascribe to malice what can be ascribed to incompetence and all that, but the back door is still there. But at least it's the way it was supposed to be."

Only, DES has been deprecated for quite a while, AES is the US DoD approved crypto, as DES was easily broken with modern computers.

Silver badge

The problem with backdoors

There are many, very clever people working around the world capable of finding them. And the tools to find them are widespread with many legitimate uses. Most of those clever people are not necessarily on your side since they'll be living in a different country with an allegiance to different people.


Re: The problem with backdoors

Perhaps it could also be said that:

There are many, very clever people working around the world capable of sneaking them in...

Silver badge

Re: The problem with backdoors

No, there are not so many very clever people capable of sneaking new backdoors in. There are very many people capable of finding existing backdoors, though.


Re: The problem with backdoors

Government 1 vulnerability researcher: Hey, this implementation's a bit weak, but still a nuisance.

Government 1 vulnerability researcher 2: Hey, are they using their own product? If so, let's break in and insert a weaker implementation that we can easily get in and send it to operations after it's implemented in the source code.

Government 1 vulnerability researcher: Great idea! Got it! (calling operations to notify of the weakness)

Government 2 vulnerability researcher: Hey, somebody bollocked the implementation on this model series, others are equally vulnerable and it seems it's a backdoor.

Government 2 vulnerability boss: Quick, we want our own backdoor, add it...

End result, brokety broke.


So, what has changed?

I'm a little confused. If you know the value of Q, you can decrypt the content of a VPN transmission. Doesn't the fix simply reset Q back to its previous (presumably) well-known value?

Silver badge

Re: So, what has changed?

I'm not an encryption expert, but this is my understanding.

The flaw with the NSA's proposed encryption standard is that there is a value Q hidden within it.

Knowing Q greatly reduces the number of possible private keys, making a brute force attack to determine the key feasible.

The NSA has one value of Q hidden in its proposed standard.

And the value of Q found with Juniper was different.

So someone who knew the importance of Q changed it.

BUT (I just realized this), any agency, group or individual could have spied on these Juniper devices without needing to change Q. They could have just used the NSA's Q.

So changing Q makes no sense for anyone other than the NSA. Why not just quietly observe? Why leave tracks?

But like I said, I'm not an encryption expert so maybe I'm missing something.


Re: So, what has changed?

Maybe they wanted to lock the NSA out?


Re: So, what has changed?

By using a different screen door on the submarine?


Re: So, what has changed?

The way I understand it is knowing this Q value isn't the key -- it is apparently in plaintext in the code. It is that certain values of Q make decryption of the resulting output computationally cheap when a corresponding value (P?) is known, and the speculation is the NSA specified value of Q is one of these such values.

To 'protect' against such NSA spying, Juniper chose a different value for Q than was specified by NIST. This new value of Q was changed (in 2012?) to a different value, presumably with a corresponding value known by an unknown 3rd party, thus enabling the unknown 3rd party a computationally cheap method of defeating the encryption.


Don't tell anyone about how easy was to bypass TPM client rules then

It is nothing compared to this, but their "trusted" client used to set up the VPN tunnel from an untrusted network was in theory restricting client connections according to endpoint defined rules.

They were relatively easy to fool and bypass as they relied on the client answering questions from the server. Just a bit of lying on the client side and you could connect a Linux or Mac machine to a VPN where supposedly only Windows machines with certain registry values were allowed. At least the credential validation was strong, though, so it could not be used to get a VPN tunnel set up...

Silver badge

Playing the Xenophobia Card

Maybe a "foreign government"?

The generalization that "governments are foreign" is always true to most of the people on the planet.

The Chinese government is foreign to the minimum number of people of any government, but it is still foreign to 2/3 of us.

Let us face it, we say "foreign government" to scare people via natural xenophobia.

For most of us the government we should fear the most is our own, that our own government or our own security services will subvert our democracy and turn it into a Chekist regime.

Our countries are more likely to lose their democratic status not due to invasion but due to internal subversion by current and foreign government workers.

We'll become like the USSR, China, Nazi Germany, Fascist Spain, Russia, North Korea, where business and government are run by the same cabals of bureaucratic psychopaths who use privileged information gained by legal spying for professional advantage.

Silver badge

Re: Playing the Xenophobia Card

Networking kit such as Juniper is used by multi-national companies. For those all governments are foreign/not foreign whichever you perceive to be the worst case.

Silver badge
Big Brother

Re: Playing the Xenophobia Card

The Chinese government is foreign to the minimum number of people of any government, but it is still foreign to 2/3 of us.

It can be considered foreign to a fair number of nominally Chinese citizens as well.


Re: Playing the Xenophobia Card

USSR? Ancient history today. Today's buggerboos are Russia, PRC, USSA, The Commonwealth, as key players, up and coming, Iran and on their heels, every other nation.

Welcome to the real world, where every nation is listening to the other, some for commercial gain, some for national security, some just for the hell of it.

Slowing them down enough to catch and block them is a field with excellent job security.

After all, if you can't be part of the solution, there's excellent money to be made in prolonging the problem.

By the by, *all* spying is technically illegal. The trick isn't even not getting caught, as an arrest is impossible in your home nation, it's not getting caught dead to rights. Such as a Russian hacking team using Russian symbol coding and other telltales in their tools.

Add in a layer, "They're criminals and we're trying our best to catch them", hire them on as needed, you're golden.


Dzjeeez

Why is nobody commenting on the significance of quantum computing as a real threat to encryption. Brute forcing password and other hashes may prove trivial after a while, the buildup of quantum computing power is just starting you know. Five now, a hundred in a few years .... the roof just flew off and most people did not even notice.

Anonymous Coward

Re: Dzjeeez

Because Quantum Computers are not Quantum (in the Feynman sense), they're really magnetic analogue computers running an overtuned Annealing Optimizer.

So they won't ever perform better than custom hardware designed for decryption.

Silver badge

Re: Dzjeeez

"Why is nobody commenting on the significance of quantum computing as a real threat to encryption" -- Jerth

It isn't insignificant but it isn't the end-of-life for classical encryption. Firstly, quantum prime factorisation is faster than classical but the speed up is not so vast that it cannot be impeded by using much longer keys. Secondly, there are already quantum-resistant algorithms.

Anonymous Coward

Re: Dzjeeez

Actually, there are some experimental quantum computers, but they're a handful of qubits only. Workable would need a wee bit more and is actively being investigated.

Or, I can neither confirm nor deny the existence of such a device.

Which do you prefer?

Silver badge

Why would the foreign government not use the NSA's Q ?

Any agency, group or individual could have spied on these Juniper devices without needing to change Q. They could have just used the NSA's Q.

So changing Q makes no sense for anyone other than the NSA. Why not just quietly observe? Why leave tracks?

I'm not an encryption expert so I'm missing something. Could someone explain this?


Re: Why would the foreign government not use the NSA's Q ?

I think they're basically saying Q did it, in a shameful attempt to blame the British Government...

More seriously, as I understand it (it's not my area of expertise) - the value of Q specified in the standard allowed a much greater variety of keys than the value to which it was changed, thus meaning that the output becomes predictable/realistically brute forceable whereas the original value meant there were too many possibilities for this to be realistic.

If I'm wrong, please someone who understands the subject matter better correct me!

Silver badge

Re: Why would the foreign government not use the NSA's Q ?

AIUI the calculations by which Q is obtained throw out other values which allow the pseudorandom number sequence to be predicted from a sample of about 30 numbers. Knowing Q doesn't help work out those values. So the suspicion is that whoever substituted Q had done so because they'd calculated it and were able to predict the sequence.

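The two posts above (the "corresponding value (P?)" one and this one) describe the same mechanism from different angles, so here is a constructed toy reconstruction of it, added to this thread and not taken from the article or from Juniper. It uses the secp256k1 curve as a stand-in for the NIST P-256 curve that Dual EC really uses (assumption: the argument is identical on any prime-order curve with p = 3 mod 4), drops only the top 4 bits of each output instead of the real 16 so it runs in under a second, and the trapdoor `BACKDOOR_E`, the seed and the helper names are all made up. The point it shows is the one the poster makes: whoever picks Q can pick it as a known multiple of P, and then two consecutive outputs are enough to recover the internal state and predict everything that follows; knowing Q alone, without that multiple, gives nothing.

```python
"""Toy Dual EC DRBG with an attacker-chosen Q (constructed example, not Juniper code).

Stand-in curve: secp256k1 (real Dual EC uses NIST P-256).
Real Dual EC drops the top 16 bits of each x-coordinate; the toy drops TRUNC_BITS.
"""

P_MOD = 2**256 - 2**32 - 977
A, B = 0, 7
GEN_P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
         0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ORDER_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
TRUNC_BITS = 4                                   # real Dual EC: 16
MASK = (1 << (256 - TRUNC_BITS)) - 1


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def x_of(pt):
    if pt is None:  # only when state = 0 mod n; ignored in the toy
        raise ValueError("hit the point at infinity")
    return pt[0]


def dual_ec_outputs(state, P, Q, count):
    """Dual EC core: s <- x(s*P); r <- x(s*Q); emit r with its top bits dropped."""
    outs = []
    for _ in range(count):
        state = x_of(ec_mul(state, P))
        outs.append(x_of(ec_mul(state, Q)) & MASK)
    return outs


def make_backdoored_q(e, P):
    """Pick Q so that e*Q == P. Whoever knows e can predict the generator."""
    return ec_mul(pow(e, -1, ORDER_N), P)


def recover_state(out_i, out_next, e, P, Q):
    """From two consecutive outputs and the trapdoor e, recover the state that
    produced out_next. Returns None when e is not the right multiple."""
    for high in range(1 << TRUNC_BITS):              # undo the truncation
        x = out_i | (high << (256 - TRUNC_BITS))
        if x >= P_MOD:
            continue
        rhs = (x * x * x + A * x + B) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)        # sqrt works since p = 3 mod 4
        if y * y % P_MOD != rhs:
            continue                                  # not an x on the curve
        # candidate R = s_i*Q (sign of y is irrelevant: x(e*R) == x(e*(-R)))
        s_next = x_of(ec_mul(e, (x, y)))              # e*R = s_i*P = the next state
        if x_of(ec_mul(s_next, Q)) & MASK == out_next:
            return s_next
    return None


# constructed values: made-up trapdoor and made-up seed
BACKDOOR_E = 0xC0FFEE1234567890ABCDEF
SEED = 0x5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED
BACKDOOR_Q = make_backdoored_q(BACKDOOR_E, GEN_P)


def demo():
    outs = dual_ec_outputs(SEED, GEN_P, BACKDOOR_Q, 4)
    st = recover_state(outs[0], outs[1], BACKDOOR_E, GEN_P, BACKDOOR_Q)
    predicted = dual_ec_outputs(st, GEN_P, BACKDOOR_Q, 2) if st is not None else None
    wrong = recover_state(outs[0], outs[1], BACKDOOR_E + 1, GEN_P, BACKDOOR_Q)
    return {"predicted_matches": predicted == outs[2:], "wrong_e_fails": wrong is None}


if __name__ == "__main__":
    print(demo())
```

The defensive reading: a Q constant that nobody can show was generated verifiably at random (a "nothing up my sleeve" derivation) should be treated as a potential trapdoor, and a silent change to that constant in a code base is exactly the kind of one-line diff that needs review scrutiny rather than the benefit of the doubt.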
Silver badge

Re: Why would the foreign government not use the NSA's Q ?

Since the Q have power over time, space and reality itself surely they don't need to snoop on your VPN. They already know about all your mucky habits, which explains why they have yet to admit humanity to the continuum.


"Green points out that this is a classic example ..."

This does indeed show up really well the impossibility of simultaneous security and 'privileged' access in large systems such as the internet and communications. Could El Reg bring this example to the attention of some of the politicians promoting back-doors in encryption products and ask them (a) if they are aware of this fact of life; and (b) how they would propose to overcome it?

Silver badge
Boffin

Re: "Green points out that this is a classic example ..."

Could El Reg bring this example to the attention of some of the politicians promoting back-doors in encryption products and ask them (a) if they are aware of this fact of life;

They wouldn't be even if this fact would be the size of a dozen doubledecker buses, rammed home with several MegaNorrises. Unless it negatively affected their voter count; their sensitivity* for that is unequalled. Alas, it doesn't.

and (b) how they would propose to overcome it?

Now you're asking the impossible.

* best expressed in mGF.**

** milliGnatsFart

Black Helicopters

Who's to say

This wasn't a government backdoor from the beginning? No one seems to know how the code got there.


For the most part the politicians and law enforcement types are not going to care. For the majority of them, as long as they get what they want they're not going to worry about the attendant repercussions. They will probably be in the camp of "the ends justify the means" and if your private data gets hacked by the bad guys then too bad, we got what we wanted.

Anonymous Coward

Blackberry include Dual EC DRBG algorithm

Blackberry includes Dual EC DRBG on their handsets as non-default. i.e. an attack remarkably similar to the Juniper one you describe.

Snowden confirmed the backdoor key (Google 'Bullrun'). But that means all your data is slurped. There will be no warrant there, no proper judicial process, because that would leak the existence of the backdoor. So the encryption is bypassed, and so are the judicial checks and balances (and of course the democracy, you can't have voters knowing, or judges blabbing, or MPs questioning, so they keep it secret. You can't question what you don't know).

So VPN data and likely Blackberry (given their 'lawful intercept' claims this is not surprising).

So they'll have slurped it all when possible, stored it in the databases, and claimed it's not a search unless they look at the data... well, excluding all the data mining and Parallel Construction and all the other illegal uses for this illegal search. Because you can't have a judicial process, it would leak the existence of the backdoor, and you can't have MPs questioning it, or voters voting on it... or anything like that.

From Wikipedia on Bullrun:

"by 2006, an N.S.A. document notes, the agency had broken into communications for three foreign airlines, one travel reservation system, one foreign government’s nuclear department and another’s Internet service by cracking the virtual private networks that protected them....As part of Bullrun, NSA had also been working to "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets".

i.e. endpoint devices, presumably including Blackberry phones, networks, Juniper VPNs etc., etc. Note the targets are nothing to do with "terrorism"; this is commercial, industrial and political targets.

On Parallel Construction:

I reiterate, when the recent leak came out about "Preston Briefings", where prosecutors were briefed in secret about evidence obtained by mass surveillance. This is cover for the UK's version of "Parallel Construction". The defense never sees the evidence, the judge too, and it's not about "letting prosecutors know about the innocence of their target".


Why didn't co-workers notice?

I'm slightly surprised that someone was able to slip in a code change without co-workers noticing.

In my workplace, although we co-operate most of the time, people tend to take an active interest in code-changes to "their" systems, and are often keen to highlight any mistakes or questionable behavior by their colleagues.

Don't Juniper have a version-control system that records who made each code change, or maybe that was hacked as well? What about peer-review of code changes?


Re: Why didn't co-workers notice?

Shut down revision control system. Insert code, calculate new hash, insert new hash into RCS database for that latest version.

Grab a cup of coffee, the day is still early.

The initial change was one single value out of all of the source code. Easily enough missed if there wasn't a security analysis of the entire code base.


"Juniper's VPN security hole is proof that govt backdoors are bonkers"

What’s wrong with these people?

Is it because mathematics has been dropped from the engineering syllabus at universities, or is it because everyone employs the same incompetent security people to do the architecture of their security system?

Making the whole thing bulletproof is easy, and I’ll explain how it’s done – if only to show how little understanding there is of basic principles.

First, this is a two-part process, so pay attention to the two Important Parts, and how they support each other.

To make it work, you need to store the hash (SHA256, preferably) of the password in your database. So far, so good – this is the way Unix, and even Microsoft does it.

Next, to authenticate the user, you need a public key exchange protocol, the best of which is Diffie-Hellman. Here’s Important Bit Number One: With each connection, you throw away the private keys, and generate new public keys.

Once you have a secure connection, you encrypt the transmission in both directions, using the private key, and AES256, then send the user this kind of matrix:

ABCDEFGHIJKLMNOPQRSTUVWXYZ

1100010010000100000111101110

The user enters the pattern of ones and zeros which correspond to his password, and encrypts the result with his private key. Now here’s Important Bit Number Two: The pattern of ones and zeros is random, and different with each login attempt.

At the server, we take the matrix components, and brute-force the received solution, taking the hash of each solution, and comparing it with all the database entries.

Note the following:

1. There are no encryption keys left on either end of the system

2. The clear password doesn’t exist at either end of the system, and is never transmitted.

3. Theft of the database yields the hacker a lot of meaningless hash values

4. Nobody on the inside – not even root – can compromise the system.

5. If the hacker tries to brute-force the encryption, it’ll take 10^23 years to get the private keys. These will be useless after the current session is terminated and, by that time, dinosaurs will have returned to the earth.

6. If the hacker succeeds in solving the Discrete Logarithm Problem in less than 10^23 years, he then has to hack the password from the random pattern of ones and zeros. If he succeeds, he won’t know he’s succeeded, since he won’t know which of the hashes corresponds to each hack result.

Also, guess what? That solution is only good until the current session terminates. Then, he has to start again.

I submit that this is totally bulletproof, and don’t buy the surmise that ‘everyone will get hacked sometime’.

This is actually available as a commercial product, but since this is just a technical rant, instead of telling you where to get it, I’ll merely suggest that you drop me an email.


Re: "Juniper's VPN security hole is proof that govt backdoors are bonkers"

Amazing! You're the first commenter, other than myself, who said the magic three letters, AES.

DES is broken and should have been deprecated long ago. 3DES? Trivial for a bank of GPUs.

Still, if one is inside or gets inside, one can muck the PKI infrastructure and start serving an attacker's keys. That means internal monitoring (should be 24/7/365 anyway), change management and frequent audits.

That's nothing if you are a *security hardware provider*.

I'd also do RCS hashes stored to write once media, to prevent hashes from being altered for a specific version number.

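The "insert new hash into the RCS database" scenario from the "Why didn't co-workers notice?" reply and the "RCS hashes stored to write once media" suggestion just above are two halves of one point, so here is a constructed example, added to this thread and not code from Juniper or from any real version-control system, that shows both: a hash-chained revision log, an in-place edit that also regenerates every later hash so the database looks internally consistent, and the one check that still catches it, namely comparing the chain head against a copy kept somewhere the insider cannot rewrite. The sample history, the helper names and the `<...>` placeholders for file contents are all made up.

```python
"""Hash-chained revision log with an external (write-once) head anchor.
Constructed example; not Juniper's repository or any real RCS."""
import hashlib
import json


def entry_hash(parent, author, message, content):
    """SHA-256 over a canonical encoding of the entry, parent hash included."""
    blob = json.dumps({"parent": parent, "author": author, "message": message,
                       "content": content}, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()


def build_log(changes):
    """Turn an ordered list of (author, message, content) into a chained log."""
    log, parent = [], "0" * 64
    for author, message, content in changes:
        h = entry_hash(parent, author, message, content)
        log.append({"parent": parent, "author": author, "message": message,
                    "content": content, "hash": h})
        parent = h
    return log


def verify_log(log, anchored_head):
    """Recompute every hash, check every parent link, and require the final
    hash to equal the copy stored on write-once media. Returns (ok, reason)."""
    parent = "0" * 64
    for i, e in enumerate(log):
        if e["parent"] != parent:
            return False, f"entry {i}: parent link broken"
        if entry_hash(e["parent"], e["author"], e["message"], e["content"]) != e["hash"]:
            return False, f"entry {i}: stored hash does not match content"
        parent = e["hash"]
    if parent != anchored_head:
        return False, "head differs from write-once anchor"
    return True, "ok"


def rewrite_entry(log, index, new_content, recompute_chain):
    """Simulate the insider edit described in the thread. With recompute_chain
    the later hashes are regenerated so the database is self-consistent."""
    tampered = [dict(e) for e in log]
    tampered[index]["content"] = new_content
    if recompute_chain:
        parent = tampered[index]["parent"]
        for e in tampered[index:]:
            e["parent"] = parent
            e["hash"] = entry_hash(parent, e["author"], e["message"], e["content"])
            parent = e["hash"]
    return tampered


# constructed sample history (placeholders, not real source or constants)
SAMPLE_CHANGES = [
    ("alice", "initial drbg wiring", "Q = <vendor-chosen constant>"),
    ("bob", "tidy comments", "Q = <vendor-chosen constant>  # see design doc"),
    ("carol", "bump version string",
     "Q = <vendor-chosen constant>  # see design doc\nVERSION = '<release>'"),
]


def demo():
    log = build_log(SAMPLE_CHANGES)
    anchor = log[-1]["hash"]  # copied to write-once media at release time
    naive = rewrite_entry(log, 1, "Q = <substituted constant>", recompute_chain=False)
    careful = rewrite_entry(log, 1, "Q = <substituted constant>", recompute_chain=True)
    return {"clean": verify_log(log, anchor),
            "naive": verify_log(naive, anchor),
            "careful": verify_log(careful, anchor)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design choice worth noting is that the internal chain only ever detects the lazy edit; against someone who can rewrite the whole database the only evidence left is the head hash they could not reach, which is why the anchor has to live outside the system the same insider administers (signed tags or a notarised release manifest serve the same role as the write-once media the poster suggests).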

Re: "Juniper's VPN security hole is proof that govt backdoors are bonkers"

You're right. Once the Enemy Within has the root password, there is no defence but, then, if that's the case, you have other problems...


Re: "Juniper's VPN security hole is proof that govt backdoors are bonkers"

AES-256 is weaker than AES-192, thanks to the weak key schedule in AES. The fact that you recommend it rather casts some doubt on your expertise as a cryptographer.

And as for your protocol - verifier for a pre-shared secret, ephemeral DH, PFS ... all bog-standard cryptographic-protocol techniques, except for your rather overblown verification process. Nothing else you're describing is even vaguely innovative, and there's no obvious advantage to the over-engineered anti-replay mechanism. You can do all of that with any competent TLS implementation and an ADH cipher suite. There are more-interesting authentication protocols, such as ZKP protocols like SRP and PAK-RY.

As for "bulletproof" - that's a ridiculous, snake-oil claim. Even as puffery, it needs to be supported by evidence of substantial, thorough cryptanalysis.

