Not to pick on @SwiftOnSecurity here, but since Juniper and Dual EC are in the news, I think it’s worth revisiting the evidence that someone deliberately inserted Dual EC as a backdoor.
For the full argument, see this excellent and readable summary my co-authors wrote: m-cacm.acm.org/magazines/2018…
But short summary: Juniper included two random number generators in their NetScreen devices. One was documented. The other was undocumented. The undocumented one was Dual EC. 1/
The Dual EC generator was included at the behest of a single customer, according to Juniper. So they knew it was present. They even included a switch to turn it on/off. However, they defaulted the switch to “on”. 2/
The inclusion of Dual EC significantly slowed down the RNG, so Juniper had to engineer a system that could pre-generate random values before they were needed. This was a non-trivial engineering effort, not a few lines of code. 3/
Juniper didn’t use the standard NIST parameters for Dual EC. They generated their own. This is even more work, and was never documented. Failing to document this made sure it could never be FIPS certified. 4/
Juniper also made a bunch of changes that are not strictly relevant to this thread, but that happened to make the system even more easily exploitable. See the article above. 5/
There is a fascinating error in the code for the second (non-Dual EC) generator that causes it not to run at all, resulting in raw Dual EC bytes being output on the wire. See if you can spot it. 6/
The last piece is the only part of this engineering effort that I think could legitimately, by itself, have been a mistake. But combined with all the other changes and the deliberate failure to disclose Dual EC was even present, it’s harder to look at it as an isolated error. 7/
Anyway, read the whole article above to see whether you agree or disagree with the idea that Juniper (or at least their engineers) could have been unaware of what they were doing. I’m skeptical as heck, and the lack of curiosity from both the company and FBI doesn’t help. 8/8
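Added illustration (not Juniper's code and not part of the thread): the two-stage PRNG shape the thread describes, stage 1 reseeding stage 2 into a pre-generated output buffer, with a loop index shared between reseed and generate, which is the pattern the linked article identifies as the error in point 6. Function names, the constant, and both stand-in generators are constructed; neither is Dual EC or ANSI X9.31.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model. Stage 1 stands in for the seeding generator (Dual EC in the
 * real device), stage 2 for the documented generator that should post-process it. */
#define RESEED_INTERVAL 10000
static uint8_t stage1_state;              /* stand-in stage-1 state, a plain counter */
static uint8_t prng_seed[8], prng_key[24];
static uint8_t prng_temporary[32];        /* pre-generated output handed to callers */
static int prng_output_index;             /* GLOBAL: shared by reseed and generate */
static int blocks_since_reseed;

static void stage1_generate(uint8_t *out, size_t n) {   /* predictable, for the check */
    for (size_t i = 0; i < n; i++) out[i] = stage1_state++;
}
static void stage2_block(uint8_t *out) {                /* toy block with seed chaining */
    for (int i = 0; i < 8; i++) { out[i] = prng_seed[i] ^ prng_key[i] ^ 0xA5; prng_seed[i] = out[i]; }
}
static void prng_reseed(void) {
    blocks_since_reseed = 0;
    stage1_generate(prng_temporary, 32);  /* raw stage-1 bytes land in the output buffer */
    memcpy(prng_seed, prng_temporary, 8);
    memcpy(prng_key, prng_temporary + 8, 24);
    prng_output_index = 32;               /* side effect: shared index now at end of buffer */
}
/* Buggy shape: the loop reuses the global index prng_reseed just set to 32, so on
 * every reseed stage 2 runs zero times and the buffer still holds raw stage-1 bytes. */
void prng_generate(int force_reseed) {
    prng_output_index = 0;
    if (force_reseed || ++blocks_since_reseed >= RESEED_INTERVAL) prng_reseed();
    for (; prng_output_index < 32; prng_output_index += 8)
        stage2_block(prng_temporary + prng_output_index);
}
/* Fixed shape: a local loop index cannot be clobbered by reseed side effects. */
void prng_generate_fixed(int force_reseed) {
    if (force_reseed || ++blocks_since_reseed >= RESEED_INTERVAL) prng_reseed();
    for (int i = 0; i < 32; i += 8) stage2_block(prng_temporary + i);
}
/* Detection check: run a generator from stage-1 state 0 with a forced reseed and
 * report whether the emitted buffer is byte-for-byte the raw stage-1 output 0..31. */
int output_is_raw_stage1(void (*gen)(int)) {
    uint8_t expected[32];
    for (int i = 0; i < 32; i++) expected[i] = (uint8_t)i;
    stage1_state = 0;
    gen(1);
    return memcmp(prng_temporary, expected, 32) == 0;
}
```

The same check, comparing emitted output against the seeding generator's raw output, is the kind of test a FIPS continuous-output or known-answer harness would have caught had the second stage been exercised at all.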