Juniper's VPN security hole is proof that govt backdoors are bonkers

Juniper's security nightmare gets worse and worse as experts comb the ScreenOS firmware in its old NetScreen firewalls. Just before the weekend, the networking biz admitted there had been "unauthorized" changes to its software, allowing hackers to commandeer equipment and decrypt VPN traffic. In response, Rapid7 reverse …

  1. dan1980

    "It's something politicians and law enforcement officials may want to ponder the next time they call for mandatory government access to encrypted communications."

    Sorry? Why would they want to ponder that? It's proof positive that their policies are ridiculous.

    And we all know that politicians love eating humble pie, right?

    1. Anonymous Coward

      humble pi

      Here in Indiana, USA, pi is no longer 3.14159265359....

      Instead it's just 3.2

      It's our backdoor to maths, 'cause it's hard.

      1. Chemist

        Re: humble pi

        "Here in Indiana, USA, pi is no longer 3.14159265359...."

        Apart from the obvious madness, how many people would use pi in mental or long-hand arithmetic and 'need' it to be simplified?

        I think legislating petrol as carbon-neutral might be next!!

        1. John Robson

          Re: humble pi

          22/7 is good enough for most mental arithmetic.

          355/113 is better, but harder to work with

          3.142857...

          3.14159292035...

          1. quattroprorocked

            Re: humble pi

            There is pi and there is whatever approximation of pi you need for a numerical calculation to be accurate to the required degree.

            I for one, if I see numbers with too many significant figures, assume that whatever I'm reading is wrong until proved otherwise.

      2. User McUser

        Re: humble pi

        That's nothing - the Bible says that π is exactly 3:

        "[King Solomon] made the Sea of cast metal, circular in shape, measuring ten cubits from rim to rim and five cubits high. It took a line of thirty cubits to measure around it." 1 Kings 7:23

        1. phil dude

          Re: humble pi

          That's why we have peer reviewed material nowadays....

          I guess they had a publish or perish policy then too, didn't they?

          P.

        2. quattroprorocked

          Re: humble pi

          Er, no, the Bible (I can't quite believe I'm writing this) doesn't say that Pi is 3. You have inferred this by calculating back from the fact that the story only reports the diameter, height and circumference to an accuracy of one significant figure.

          While ONE significant figure is probably a little on the vague side, at least the Biblical reporter is consistent. A modern day one writing for a popular publication for the masses would have probably opted to define it as a circle with an area as a fraction of a football pitch, height in full grown men and a volume to the nearest Elephant. Probably thinking that all football pitches are the same size and ditto full grown men and elephants.

        3. Someone Else

          @ User McUser -- Re: humble pi

          "[King Solomon] made the Sea of cast metal, circular in shape, measuring ten cubits from rim to rim and five cubits high. It took a line of thirty cubits to measure around it." 1 Kings 7:23

          So that's where Indiana got the idea....

    2. WatAWorld

      It is the bureaucrats who push for domestic spying. The politicians who support those bureaucrats are those who are either stupid, or who have already been subverted, or are already a part of the spy agency brotherhood.

      Why else would democratically elected politicians want peaceful political groups, including up-and-coming leaders and grassroots members of their own parties, spied upon by their own government?

    3. elDog

      Around where I come from (the USofA), politicians don't have time to even read the bills they push.

      Let alone anything with technical content.

      That's why they have lobbyists to help them out - writing and interpreting all that stuff. And let's not forget that the spy-industrial complex consumes a huge part of the budget (but you're not allowed to know how much.)

  2. Schultz

    Is this an indication...

    that the 3-letter agencies already run their 'Manhattan Project' for accessing worldwide communications?

    - Spending billions on computing infrastructure,<check>

    - Actively hacking or subverting networking and telecom providers, <check>

    - Best possible secrecy, <check, the original Manhattan project also only lasted for a few years>

    The Manhattan project was completed when the US had the weapons to reduce the whole world to ash. What will be the success indicator for this Manhattan II project? Something Orwellian?

    1. Robert Helpmann??

      Re: Is this an indication...

      What will be the success indicator for this Manhattan II project? Something Orwellian?

      <check>

      One of the many sad things about it is that I doubt Mrs Clinton is aware of how threatening she sounds with this.

  3. Anonymous Coward

    I think it went something like this,

    NSA: Well, what about the juniper bushes over there?

    State Sponsored Hackers: Hhhh! A miracle! A miracle! Ohh!...

    Juniper: Tell them to stop it. I hadn't said a word for eighteen years till the NSA came along.

    1. WatAWorld

      In other words maybe they obeyed the law and complied with National Security Letters for years, including the mandatory condition of never speaking about it, and now they may be feigning ignorance for marketing reasons. It is at least plausible.

      In which case the fault is that of the people who authorized National Security Letters to allow such secrecy -- those US citizens with voting rights!

      In a democracy it is ultimately those who can vote in elections who are responsible for what their government gets away with.

      Or maybe Juniper was just slack in reviewing its code. It may be 5 decades before we know for sure, or maybe we never know.

        1. Dan 55

        Well they've set Q back to the old value, but it seems there's still the bug which leaks 32 bytes, still the bug which means they use plain Dual EC instead of Dual EC with ANSI X9.17, and finally they're still using Dual EC when everyone else dropped that idea after Snowden.

        Never ascribe to malice what can be ascribed to incompetence and all that, but the back door is still there. But at least it's the way it was supposed to be.

        1. Wzrd1

          "Never ascribe to malice what can be ascribed to incompetence and all that, but the back door is still there. But at least it's the way it was supposed to be."

          Only, DES has been deprecated for quite a while, AES is the US DoD approved crypto, as DES was easily broken with modern computers.

  4. imanidiot

    The problem with backdoors

    There are many, very clever people working around the world capable of finding them. And the tools to find them are widespread with many legitimate uses. Most of those clever people are not necessarily on your side since they'll be living in a different country with an allegiance to different people.

    1. NotBob

      Re: The problem with backdoors

      Perhaps it could also be said that:

      There are many, very clever people working around the world capable of sneaking them in...

      1. Bronek Kozicki

        Re: The problem with backdoors

        No, there are not so many very clever people capable of sneaking new backdoors in. There are very many people capable of finding existing backdoors, though.

    2. Wzrd1

      Re: The problem with backdoors

      Government 1 vulnerability researcher: Hey, this implementation's a bit weak, but still a nuisance.

      Government 1 vulnerability researcher 2: Hey, are they using their own product? If so, let's break in and insert a weaker implementation that we can easily get in and send it to operations after it's implemented in the source code.

      Government 1 vulnerability researcher: Great idea! Got it! (calling operations to notify of the weakness)

      Government 2 vulnerability researcher: Hey, somebody bollocked the implementation on this model series, others are equally vulnerable and it seems it's a backdoor.

      Government 2 vulnerability boss: Quick, we want our own backdoor, add it...

      End result, brokety broke.

  5. djack

    So, what has changed?

    I'm a little confused. If you know the value of Q, you can decrypt the content of a VPN transmission. Doesn't the fix simply reset Q back to its previous (presumably) well-known value?

    1. WatAWorld

      Re: So, what has changed?

      I'm not an encryption expert, but this is my understanding.

      The flaw with the NSA's proposed encryption standard is that there is a value Q hidden within it.

      Knowing Q greatly reduces the number of possible private keys, making a brute force attack to determine the key feasible.

      The NSA has one value of Q hidden in its proposed standard.

      And the value of Q found with Juniper was different.

      So someone who knew the importance of Q changed it.

      BUT (I just realized this), any agency, group or individual could have spied on these Juniper devices without needing to change Q. They could have just used the NSA's Q.

      So changing Q makes no sense for anyone other than the NSA. Why not just quietly observe? Why leave tracks?

      But like I said, I'm not an encryption expert so maybe I'm missing something.

      1. Chewi

        Re: So, what has changed?

        Maybe they wanted to lock the NSA out?

        1. Gnosis_Carmot

          Re: So, what has changed?

          By using a different screen door on the submarine?

      2. sathackr

        Re: So, what has changed?

        The way I understand it is knowing this Q value isn't the key -- it is apparently in plaintext in the code. It is that certain values of Q make decryption of the resulting output computationally cheap when a corresponding value (P?) is known, and the speculation is the NSA specified value of Q is one of these such values.

        To 'protect' against such NSA spying, Juniper chose a different value for Q than was specified by NIST. This new value of Q was changed (in 2012?) to a different value, presumably with a corresponding value known by an unknown 3rd party, thus enabling the unknown 3rd party a computationally cheap method of defeating the encryption.

  6. SecretSonOfHG

    Don't tell anyone about how easy it was to bypass TPM client rules then

    It is nothing compared to this, but their "trusted" client used to set up the VPN tunnel from an untrusted network was in theory restricting client connections according to endpoint defined rules.

    They were relatively easy to fool and bypass as they relied on the client answering questions from the server. Just a bit of lying on the client side and you could connect a Linux or Mac machine to a VPN where supposedly only Windows machines with certain registry values were allowed. At least the credential validation was strong, though, so it could not be used to get a VPN tunnel set up...

  7. WatAWorld

    Playing the Xenophobia Card

    Maybe a "foreign government"?

    The generalization that "governments are foreign" is always true to most of the people on the planet.

    The Chinese government is foreign to the minimum number of people of any government, but it is still foreign to 2/3 of us.

    Let us face it, we say "foreign government" to scare people via natural xenophobia.

    For most of us the government we should fear the most is our own, that our own government or our own security services will subvert our democracy and turn it into a Chekist regime.

    Our countries are more likely to lose their democratic status not due to invasion but due to internal subversion by current and foreign government workers.

    We'll become like the USSR, China, Nazi Germany, Fascist Spain, Russia, North Korea, where business and government are run by the same cabals of bureaucratic psychopaths who use privileged information gained by legal spying for professional advantage.

    1. Doctor Syntax

      Re: Playing the Xenophobia Card

      Networking kit such as Juniper is used by multi-national companies. For those all governments are foreign/not foreign whichever you perceive to be the worst case.

    2. Stoneshop

      Re: Playing the Xenophobia Card

      The Chinese government is foreign to the minimum number of people of any government, but it is still foreign to 2/3 of us.

      It can be considered foreign to a fair number of nominally Chinese citizens as well.

    3. Wzrd1

      Re: Playing the Xenophobia Card

      USSR? Ancient history today. Today's buggerboos are Russia, PRC, USSA, The Commonwealth, as key players, up and coming, Iran and on their heels, every other nation.

      Welcome to the real world, where every nation is listening to the other, some for commercial gain, some for national security, some just for the hell of it.

      Slowing them down enough to catch and block them is a field with excellent job security.

      After all, if you can't be part of the solution, there's excellent money to be made in prolonging the problem.

      By the by, *all* spying is technically illegal. The trick isn't even not getting caught, as an arrest is impossible in your home nation, it's not getting caught dead to rights. Such as a Russian hacking team using Russian symbol coding and other telltales in their tools.

      Add in a layer, "They're criminals and we're trying our best to catch them", hire them on as needed, you're golden.

  8. Jarth

    Dzjeeez

    Why is nobody commenting on the significance of quantum computing as a real threat to encryption. Brute forcing password and other hashes may prove trivial after a while, the buildup of quantum computing power is just starting you know. Five now, a hundred in a few years .... the roof just flew off and most people did not even notice.

    1. Anonymous Coward

      Re: Dzjeeez

      Because Quantum Computers are not Quantum (in the Feynman sense), they're really magnetic analogue computers running an overtuned Annealing Optimizer.

      So they won't ever perform better than custom hardware designed for decryption.

    2. John H Woods

      Re: Dzjeeez

      "Why is nobody commenting on the significance of quantum computing as a real threat to encryption" -- Jarth

      It isn't insignificant but it isn't the end-of-life for classical encryption. Firstly, quantum prime factorisation is faster than classical but the speed up is not so vast that it cannot be impeded by using much longer keys. Secondly, there are already quantum-resistant algorithms.

    3. Anonymous Coward

      Re: Dzjeeez

      Actually, there are some experimental quantum computers, but they're a handful of qubits only. Workable would need a wee bit more and is actively being investigated.

      Or, I can neither confirm nor deny the existence of such a device.

      Which do you prefer?

  9. WatAWorld

    Why would the foreign government not use the NSA's Q ?

    Any agency, group or individual could have spied on these Juniper devices without needing to change Q. They could have just used the NSA's Q.

    So changing Q makes no sense for anyone other than the NSA. Why not just quietly observe? Why leave tracks?

    I'm not an encryption expert so I'm missing something. Could someone explain this?

    1. Dan Wilkie

      Re: Why would the foreign government not use the NSA's Q ?

      I think they're basically saying Q did it, in a shameful attempt to blame the British Government...

      More seriously, as I understand it (it's not my area of expertise) - the value of Q specified in the standard allowed a much greater variety of keys than the value to which it was changed, thus meaning that the output becomes predictable/realistically brute forceable whereas the original value meant there were too many possibilities for this to be realistic.

      If I'm wrong, please someone who understands the subject matter better correct me!

      1. Doctor Syntax

        Re: Why would the foreign government not use the NSA's Q ?

        AIUI the calculations by which Q is obtained throw out other values which allow the pseudorandom number sequence to be predicted from a sample of about 30 numbers. Knowing Q doesn't help work out those values. So the suspicion is that whoever substituted Q had done so because they'd calculated it and were able to predict the sequence.
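Added illustration (my own toy code, not from the thread, ScreenOS or NIST) of the relation sathackr and Doctor Syntax describe: Q is some secret multiple of P, whoever knows that multiple recovers the generator's state from a few truncated outputs and predicts everything after, and an observer without it gets nowhere, which is why a quietly substituted Q rather than a self-generated one is the red flag. All parameters are constructed: a curve over GF(1019), trapdoor scalar 77, seed 123, and 2 dropped bits per output where the real generator drops 16 of 256.

```python
"""Toy Dual_EC_DRBG: the party that chose Q can predict the output stream.

Added illustration, not code from the thread, ScreenOS or NIST. All values are
constructed: curve over GF(1019), trapdoor scalar 77, seed 123, 2 bits dropped
per output (the real DRBG drops 16 of 256).
"""
P_MOD = 1019       # prime, P_MOD % 4 == 3 so a modular square root is one modexp
A = 2              # curve y^2 = x^3 + A*x + B over GF(P_MOD); B is searched below
DROP_BITS = 2      # high bits discarded from each output x-coordinate
KEPT_BITS = P_MOD.bit_length() - DROP_BITS
INF = None         # point at infinity

def ec_add(p1, p2):
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def lift_x(x, b):
    """A curve point with this x-coordinate, or None if there is none."""
    rhs = (x ** 3 + A * x + b) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None

def find_prime_order_curve():
    """Pick B so the group order n is a prime above P_MOD and x = 0 is not on
    the curve: every point then generates the group and no scalar used below
    is ever 0 mod n, so the generator never lands on the point at infinity."""
    for b in range(1, P_MOD):
        if (4 * A ** 3 + 27 * b * b) % P_MOD == 0 or pow(b, (P_MOD - 1) // 2, P_MOD) == 1:
            continue
        n = 1 + sum(1 if (x ** 3 + A * x + b) % P_MOD == 0 else 2 if lift_x(x, b) else 0
                    for x in range(P_MOD))
        if n > P_MOD and all(n % d for d in range(2, int(n ** 0.5) + 1)):
            return b, n
    raise RuntimeError("no suitable curve found")

def dual_ec_outputs(state, P, Q, count):
    """Dual EC step: r = x(s*P); s <- x(r*P); output = x(r*Q) minus its top bits."""
    outs = []
    for _ in range(count):
        r = ec_mul(state, P)[0]
        state = ec_mul(r, P)[0]
        outs.append(ec_mul(r, Q)[0] & ((1 << KEPT_BITS) - 1))
    return outs

def recover_state(outs, P, Q, d, b):
    """Trapdoor use: with d such that d*Q = P, guess the dropped bits of output 0,
    lift it to R = r*Q, and take d*R = r*P, whose x is the next internal state.
    A candidate is accepted only if it reproduces the remaining observed outputs."""
    for high in range(1 << DROP_BITS):
        x = (high << KEPT_BITS) | outs[0]
        R = lift_x(x, b) if x < P_MOD else None
        if R is not None:
            state = ec_mul(d, R)[0]
            if dual_ec_outputs(state, P, Q, len(outs) - 1) == outs[1:]:
                return state
    return None

def trapdoor_predicts(seed=123, secret_e=77, d_guess=None):
    """True if outputs 5..7 can be predicted from outputs 0..4.  d_guess=None uses
    the real trapdoor d = e^-1 mod n; any other value in 1..n-1 models an observer
    who does not know how Q relates to P, i.e. everyone but whoever chose Q."""
    b, n = find_prime_order_curve()
    P = next(pt for pt in (lift_x(x, b) for x in range(P_MOD)) if pt)
    Q = ec_mul(secret_e, P)                    # Q = e*P: e is the trapdoor
    d = pow(secret_e, -1, n) if d_guess is None else d_guess
    observed = dual_ec_outputs(seed, P, Q, 5)  # e.g. nonce bytes seen on the wire
    state = recover_state(observed, P, Q, d, b)
    if state is None:
        return False
    return dual_ec_outputs(state, P, Q, 7)[4:] == dual_ec_outputs(seed, P, Q, 8)[5:]
```

Replacing the trapdoor with a wrong guess makes recovery fail, which is the whole difference between a Q you derived yourself and one somebody handed you.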

      2. MyffyW

        Re: Why would the foreign government not use the NSA's Q ?

        Since the Q have power over time, space and reality itself surely they don't need to snoop on your VPN. They already know about all your mucky habits, which explains why they have yet to admit humanity to the continuum.

  10. David Pollard

    "Green points out that this is a classic example ..."

    This does indeed show up really well the impossibility of simultaneous security and 'privileged' access in large systems such as the internet and communications. Could El Reg bring this example to the attention of some of the politicians promoting back-doors in encryption products and ask them (a) if they are aware of this fact of life; and (b) how they would propose to overcome it?

    1. Stoneshop

      Re: "Green points out that this is a classic example ..."

      Could El Reg bring this example to the attention of some of the politicians promoting back-doors in encryption products and ask them (a) if they are aware of this fact of life;

      They wouldn't be even if this fact would be the size of a dozen doubledecker buses, rammed home with several MegaNorrises. Unless it negatively affected their voter count; their sensitivity* for that is unequalled. Alas, it doesn't.

      and (b) how they would propose to overcome it?

      Now you're asking the impossible.

      * best expressed in mGF.**

      ** milliGnatsFart

  11. NotBob

    Who's to say

    This wasn't a government backdoor from the beginning? No one seems to know how the code got there.

  12. Mark Quesnell

    For the most part the politicians and law enforcement types are not going to care. For the majority of them, as long as they get what they want they're not going to worry about the attendant repercussions. They will probably be in the camp of "the ends justify the means" and if your private data gets hacked by the bad guys then too bad, we got what we wanted.

  13. Anonymous Coward

    Blackberry include Dual EC DRBG algorithm

    Blackberry includes Dual EC DRBG on their handsets as non-default. i.e. an attack remarkably similar to the Juniper one you describe.

    Snowden confirmed the backdoor key (Google 'Bullrun'). But that means all your data is slurped. There will be no warrant there, no proper judicial process, because that would leak the existence of the backdoor. So the encryption is bypassed, and so are the Judicial checks and balances (and of course the democracy, you can't have voters knowing, or judges blabbing, or MPs questioning, so they keep it secret. You can't question what you don't know).

    So VPN data and likely Blackberry (given their 'lawful intercept' claims this is not surprising).

    So they'll have slurped it all when possible, stored it in the databases, and claimed it's not a search unless they look at the data... well, excluding all the data mining and Parallel Construction and all the other illegal uses for this illegal search. Because you can't have a Judicial process, it would leak the existence of the backdoor, and you can't have MPs questioning it, or voters voting on it... or anything like that.

    From Wikipedia on Bullrun:

    "by 2006, an N.S.A. document notes, the agency had broken into communications for three foreign airlines, one travel reservation system, one foreign government’s nuclear department and another’s Internet service by cracking the virtual private networks that protected them....As part of Bullrun, NSA had also been working to "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets".

    i.e. endpoint devices, presumably includes Blackberry phones, networks, Juniper VPNs etc. etc. Note the targets are nothing to do with "terrorism" this is commercial, industrial and political targets.

    On Parallel Construction:

    I re-iterate, when the recent leak came out about "Preston Briefings", where prosecutors were briefed in secret about evidence obtained by mass surveillance. This is cover for the UK's version of "Parallel Construction". The defense never sees the evidence, the judge too, and it's not about "letting prosecutors know about the innocence of their target".

  14. BagOfSpanners

    Why didn't co-workers notice?

    I'm slightly surprised that someone was able to slip in a code change without co-workers noticing.

    In my workplace, although we co-operate most of the time, people tend to take an active interest in code-changes to "their" systems, and are often keen to highlight any mistakes or questionable behavior by their colleagues.

    Don't Juniper have a version-control system that records who made each code change, or maybe that was hacked as well? What about peer-review of code changes?

    1. Wzrd1

      Re: Why didn't co-workers notice?

      Shut down revision control system. Insert code, calculate new hash, insert new hash into RCS database for that latest version.

      Grab a cup of coffee, the day is still early.

      The initial change was one single value out of all of the source code. Easily enough missed if there wasn't a security analysis of the entire code base.

  15. MarkSitkowski

    "Juniper's VPN security hole is proof that govt backdoors are bonkers"

    What’s wrong with these people?

    Is it because mathematics has been dropped from the engineering syllabus at universities, or is it because everyone employs the same incompetent security people to do the architecture of their security system?

    Making the whole thing bulletproof is easy, and I’ll explain how it’s done – if only to show how little understanding there is of basic principles.

    First, this is a two-part process, so pay attention to the two Important Parts, and how they support each other.

    To make it work, you need to store the hash (SHA256, preferably) of the password in your database. So far, so good – this is the way Unix, and even Microsoft does it.

    Next, to authenticate the user, you need a public key exchange protocol, the best of which is Diffie-Hellman. Here’s Important Bit Number One: With each connection, you throw away the private keys, and generate new public keys.

    Once you have a secure connection, you encrypt the transmission in both directions, using the private key, and AES256, then send the user this kind of matrix:

    ABCDEFGHIJKLMNOPQRSTUVWXYZ

    1100010010000100000111101110

    The user enters the pattern of ones and zeros, which correspond to his password, encrypts the result with his private key. Now here’s Important Bit Number Two: The pattern of ones and zeros is random, and different with each login attempt.

    At the server, we take the matrix components, and brute-force the received solution, taking the hash of each solution, and comparing it with all the database entries.

    Note the following:

    1. There are no encryption keys left on either end of the system

    2. The clear password doesn’t exist at either end of the system, and is never transmitted.

    3. Theft of the database yields the hacker a lot of meaningless hash values

    4. Nobody on the inside – not even root – can compromise the system.

    5. If the hacker tries to brute-force the encryption, it’ll take 10^23 years to get the private keys. These will be useless after the current session is terminated and, by that time, dinosaurs will have returned to the earth.

    6. If the hacker succeeds in solving the Discrete Logarithm Problem in less than 10^23 years, he then has to hack the password from the random pattern of ones and zeros. If he succeeds, he won’t know he’s succeeded, since he won’t know which of the hashes corresponds to each hack result.

    Also, guess what? That solution is only good until the current session terminates. Then, he has to start again.

    I submit that this is totally bulletproof, and don’t buy the surmise that ‘everyone will get hacked sometime’

    This is actually available as a commercial product, but since this is just a technical rant, instead of telling you where to get it, I’ll merely suggest that you drop me an email.

    1. Wzrd1

      Re: "Juniper's VPN security hole is proof that govt backdoors are bonkers"

      Amazing! You're the first commenter, other than myself, who said the magic three letters, AES.

      DES is broken and should have been deprecated long ago. 3DES? Trivial for a bank of GPUs.

      Still, if one is inside or gets inside, one can muck the PKI infrastructure and start serving an attacker's keys. That means internal monitoring (should be 24/7/365 anyway), change management and frequent audits.

      That's nothing if you are a *security hardware provider*.

      I'd also do RCS hashes stored to write once media, to prevent hashes from being altered for a specific version number.
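Added example (my own Python, not Juniper's tooling or anything posted in the thread) for the BagOfSpanners/Wzrd1 exchange above and the write-once-media suggestion here: a chained-hash history that is rewritten and rehashed stays internally consistent, so only a tip hash recorded out of band at release time exposes the change. The revision history and file contents are constructed sample data.

```python
"""Out-of-band anchoring of revision-control hashes.

Added example, not Juniper's process and not code from the thread. Models the
scenario above: someone with access to the repository host rewrites one stored
revision and recomputes every chained hash, so the repository still looks
self-consistent. A copy of the tip hash recorded earlier on write-once media
(modelled here as a plain string held elsewhere) is what catches it.
"""
import hashlib
from typing import List, Tuple

Revision = Tuple[str, str, str]   # (author, message, content)

# Constructed sample history; the content strings stand in for source files.
HISTORY: List[Revision] = [
    ("alice", "initial import",      "Q = <vendor parameter>\n"),
    ("bob",   "add ike logging",     "Q = <vendor parameter>\nlog_ike = 1\n"),
    ("carol", "bump version string", "Q = <vendor parameter>\nlog_ike = 1\nversion = sample\n"),
]

def chain_hashes(history: List[Revision]) -> List[str]:
    """Hash each revision together with its parent's hash, Git-style, so the
    final hash commits to the entire sequence of revisions."""
    parent, hashes = "0" * 64, []
    for author, message, content in history:
        h = hashlib.sha256()
        for part in (parent, author, message, content):
            h.update(part.encode())
            h.update(b"\0")          # field separator, so fields cannot run together
        parent = h.hexdigest()
        hashes.append(parent)
    return hashes

def internally_consistent(history: List[Revision], stored_hashes: List[str]) -> bool:
    """The check an RCS can do on its own: does each stored hash match its
    revision? An insider who rewrote history *and* rehashed it passes this."""
    return chain_hashes(history) == list(stored_hashes)

def verify_against_anchor(history: List[Revision], anchor_tip: str) -> bool:
    """The check the thread asks for: compare the current tip hash with the one
    written to write-once media when the release was cut."""
    return chain_hashes(history)[-1] == anchor_tip

def rewrite_revision(history: List[Revision], index: int, new_content: str):
    """Insider tampering: swap one revision's content and rehash the chain,
    which is what 'insert new hash into RCS database' amounts to."""
    tampered = list(history)
    author, message, _ = tampered[index]
    tampered[index] = (author, message, new_content)
    return tampered, chain_hashes(tampered)

def demo() -> dict:
    anchor = chain_hashes(HISTORY)[-1]          # recorded out of band at release
    tampered, tampered_hashes = rewrite_revision(
        HISTORY, 1, "Q = <substituted parameter>\nlog_ike = 1\n")
    return {
        "rcs_alone_accepts_tampered": internally_consistent(tampered, tampered_hashes),
        "anchor_detects_tampered": not verify_against_anchor(tampered, anchor),
        "anchor_accepts_original": verify_against_anchor(HISTORY, anchor),
    }
```

The first result is the uncomfortable one: once the attacker controls the host, the repository's own integrity data proves nothing, and only the copy they could not reach does.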

      1. MarkSitkowski

        Re: "Juniper's VPN security hole is proof that govt backdoors are bonkers"

        You're right. Once the Enemy Within has the root password, there is no defence but, then, if that's the case, you have other problems...

    2. Michael Wojcik

      Re: "Juniper's VPN security hole is proof that govt backdoors are bonkers"

      AES-256 is weaker than AES-192, thanks to the weak key schedule in AES. The fact that you recommend it rather casts some doubt on your expertise as a cryptographer.

      And as for your protocol - verifier for a pre-shared secret, ephemeral DH, PFS ... all bog-standard cryptographic-protocol techniques, except for your rather overblown verification process. Nothing else you're describing is even vaguely innovative, and there's no obvious advantage to the over-engineered anti-replay mechanism. You can do all of that with any competent TLS implementation and an ADH cipher suite. There are more-interesting authentication protocols, such as ZKP protocols like SRP and PAK-RY.

      As for "bulletproof" - that's a ridiculous, snake-oil claim. Even as puffery, it needs to be supported by evidence of substantial, thorough cryptanalysis.

      1. MarkSitkowski

        Re: "Juniper's VPN security hole is proof that govt backdoors are bonkers"

        Seems to me that, smart, though you may be, you've totally misunderstood the whole picture, and how it all hangs together.

        I believe that, early on in the post, I made the point that this was easy to do, and not that it was innovative - except for the matrix driven authentication, which holds a patent.

        The point you've missed, is that it doesn't matter a toss, whether AES192 is better than AES256, or whether you can do it with TLS, or any other cryptographic method.

        The actual point is that, however weak the cryptography, a public key is only used for one session, never stored anywhere, then thrown away. There simply isn't time for a hacker to hack it and, if he did, it would be useless for any subsequent session.

        The cryptography is only half the story, the other half being the fact that passwords are not stored anywhere on the system, and not known to, or recoverable by anyone - not even root.

        As a complete entity, I stand by my submission, that this kind of system is unhackable in the chain of events between the initial login request and the transmission of data on an encrypted channel.

        One vulnerability I'll grant you: If the hacker interposes a proxy between the user and the authentication server, he can pretend to be the user to the server, and pretend to be the server to the user. That way, he can get a legitimate private key from the server, and use that to encrypt conversation with it, and negotiate a legitimate private key with the user, with which to decrypt the matrix solution. He then re-encrypts this with the key obtained from the server, and logs in as the user.

        I believe this scenario is indefensible, unless anyone knows better?

  16. CAPS LOCK

    Juniper code quality...

    .... got any Juniper stuff? Put it in a skip asap.

  17. Michael Wojcik

    Dual_EC_DRBG parameters

    Argh, the pain.

    Also, worryingly, ScreenOS does not use Dual EC with the special constant Q defined by the US government – it uses its own value. Armed with those 30 bytes of seed data, and knowledge of Juniper's weird Dual EC parameters, eavesdroppers can decrypt intercepted VPN traffic.

    Sweet jeebus. Once again: NIST Special Pub 800-90A tells you that you can change the parameters for Dual_EC_DRBG, and shows you how. If you were going to use Dual_EC_DRBG, doing this is a good thing, since from its publication people noted that the NSA could very well have the necessary information to reconstruct the bitstream if you use the defaults.

    There is absolutely nothing "worrying" or "weird" about doing so.

    Of course, if you use Juniper's Q, you're just assuming they (or whoever calculated that Q) are more trustworthy / less dangerous (under your threat model) than the NSA. It would make a hell of a lot more sense for an organization to pick their own curve.

    Except, also of course, there is never any good reason to use Dual_EC_DRBG, which is a lousy CPRNG by any useful metric (except "we want a back door").

    True, it's arguable that Juniper's non-default parameters might indicate a back door created by some more-threatening adversary, and that opens various worrying possibilities. But the use of a different Q in itself is not.
