Reply to post: Dual_EC_DRBG strikes again

How to log into any backdoored Juniper firewall – hard-coded password published

Michael Wojcik Silver badge

Dual_EC_DRBG strikes again

If anything, ScreenOS's use of the Dual EC DRBG random number generator in its encryption is more worrying, and points to potential NSA interference.

I'm not sure I'd call it "more worrying" - it's hard to rank this sort of thing - but it's certainly worrying.

There has never been any good reason to use Dual_EC_DRBG, and particularly not with the default parameters. Security researchers raised very public concerns about it when it was first published. It doesn't offer good performance, and the possibility of a backdoor - and impossibility of proving there isn't one - has been well-known for years.

NIST Special Pub 800-90A, which specified Dual_EC_DRBG, also specified three other CPRNGs, so it's not like Dual_EC was the only choice even if you were going to sell to an entity that demanded a NIST-endorsed CPRNG. And even if someone insisted on Dual_EC (which would be mighty odd), 800-90A says you can generate your own parameters and shows you how to do it.

As with RSA BSAFE, the use of Dual_EC_DRBG is highly suspect. It indicates that either someone was persuaded to put in that particular NSA back door, or the crypto was implemented by people who weren't experts and couldn't be bothered to do some basic research. So either malice or incompetence. There's no other alternative.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019