Weaknesses in the Juniper firewall have been known since 2007, when Microsoft employee Dan Shumow held a cryptography conference in California during which he shared the discoveries that he and a Microsoft colleague named Niels Ferguson had made regarding the firewall’s algorithm.
Although the algorithm had been approved by the National Institute of Standards and Technology for inclusion in a standard that could be used to encrypt classified government communication, Shumow and Ferguson figured out that the random-number-generating software wasn’t necessarily so random after all.
The problems involved Dual_EC, a random number generator that creates random numbers based on elliptic curves. The NSA has supported elliptic curve encryption technology for a long time and supported the use of Dual_EC in the National Institute of Standards and Technology’s protocol.
Shumow and Ferguson shared during their conference that the two parameters on the elliptic curve used to generate random numbers could generate predictable numbers so long as one of those points wasn’t actually random. Under the system, it was actually possible to create a secret key that could break the generator and crack the entire system; this would all occur by using only 32 bytes of output from the key.
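The relationship Shumow and Ferguson described, as an added example (not code from the article, Juniper or NIST): a toy Dual_EC-style generator on a small constructed curve, showing that whoever knows a number d with P = d·Q can compute the generator's next output from one observed output. The curve, Q, d, the seeds and all function names are assumptions made for illustration, and the real generator's output truncation is left out.

```python
# Added illustration: toy Dual_EC-style generator; every parameter below is constructed.
P_MOD, A, B = 2**31 - 1, 3, 7   # toy curve y^2 = x^3 + 3x + 7 over F_p, with p = 3 (mod 4)

def add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def lift(x):
    """Return a curve point whose x-coordinate is x, or None if none exists."""
    rhs = (x**3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)   # square root, valid because p = 3 (mod 4)
    return (x, y) if y * y % P_MOD == rhs else None

Q = next(lift(x) for x in range(5, 100) if lift(x))   # constructed public point Q
D = 0x1234567                                         # constructed secret relation
P = mul(D, Q)                                         # second public point, P = D*Q

def step(state):
    """One round: new state s' = x(s*P), output = x(s'*Q)."""
    state = mul(state, P)[0]
    return state, mul(state, Q)[0]

def predict_next(output, d):
    """Derive the generator's next output from one observed output, given d."""
    r = lift(output)              # +/-(s'*Q); the sign does not change x-coordinates
    next_state = mul(d, r)[0]     # x(d*s'*Q) = x(s'*P), the next internal state
    return mul(next_state, Q)[0]

if __name__ == "__main__":
    s1, out1 = step(0xC0FFEE)     # constructed seed
    _, out2 = step(s1)
    print(out2, predict_next(out1, D))   # the two values are equal
```

Without d, recovering the state from an output means solving a discrete logarithm on the curve, which is why points generated verifiably at random, with no known relation between them, remove this risk.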
When it became clear that Juniper’s backdoor was truly being exploited, most analysts pointed fingers at the NSA, who likely had the NIST include the Dual_EC algorithm in their program precisely for the sake of being able to exploit the security key.
What’s surprising is that despite the discovery of these weaknesses, tech companies like Cisco, RSA and Juniper actually did use the Dual_EC algorithm, as nobody thought that the weakness was intentional. However, The New York Times was able to confirm this when it asserted that top secret memos leaked by Edward Snowden displayed that this backdoor had been an intentional strategic accomplishment by the NSA.
Although the veracity of the Times’ assertion remains a source of debate, NIST decided to revoke its backing of the algorithm after the Snowden leak. Security and encryption companies all scrambled to make sure that their own security software wasn’t vulnerable.
Juniper claimed that it wasn’t made more vulnerable by the backdoor because it used algorithms other than Dual_EC to generate random numbers. However, according to an independent security researcher based out of San Francisco named Willem Pinckaers, Juniper’s system had a bug in addition to its backdoor key. Instead of using its other random number generator, it ignored it and only used output from the Dual_EC generator. He and Ralf-Philipp Weinmann discovered the flaw and published their findings on Monday:
It was this bug that made it possible for the backdoor vulnerability of Juniper to go undetected for at least three years. Cryptographer and professor at Johns Hopkins Matthew Green is suspicious about the role Juniper may have played in this:
“I don’t want to say that Juniper did this on purpose. But if you wanted to create a deliberate backdoor based on Dual_EC and make it look safe, while also having it be vulnerable, this is the way you’d do it. The best backdoor is a backdoor that looks like a bug, where you look at the thing and say, ‘Whoops, someone forgot a line of code or got a symbol wrong.’… It makes it deniable. But this bug happens to be sitting there right next to this incredibly dangerous NSA-designed random number generator, and it makes that generator actually dangerous where it might not have been otherwise.”