Further information has emerged on the Juniper Networks backdoor discovered last week, which suggests the NSA had a hand in the installation of a backdoor in the company’s source code.
Last week, a Juniper Networks backdoor was discovered after the company identified unauthorized code which could potentially allow hackers to gain access to secure communications and data that its customers had protected with its firewalls.
The malicious code would allow a hacker to decipher encrypted communications protected by the company’s Netscreen firewalls. It is not known at this stage how the code was installed, and whether this was an inside job or if it was inserted remotely. But what is known, is the person or group responsible installed the Juniper Networks backdoor as a result of an inherent weakness in the system. They were also helped by a coding configuration error believed to have been made by a company employee.
Juniper Networks Backdoor Installed Using NSA-Introduced Weakness
One security researcher, Ralf-Philipp Weinmann of German firm Comsecuris, has claimed that the weakness in the Dual_EC had been put there by the NSA, who championed the use of Dual_EC. It is not known whether the NSA or one of its spying partners was responsible for changing the source code, but it would appear that the NSA had, perhaps inadvertently, introduced a weakness that ultimately led to the system being compromised.
The weakness in the code that was first uncovered in 2007. The flaw was uncovered in the Dual_EC algorithm by two Microsoft researchers: Dan Shumow and Niels Ferguson. The Dual_EC algorithm had just been approved by NIST, and was used with three random number generators. Together, the encryption was believed to be secure enough to use to protect government data.
However, Shumow and Ferguson were able to demonstrate that the elliptic curve-based Dual_EC system could allow hackers to predict a random number used by the algorithm, which would make the encryption susceptible to being hacked.
Specific elliptic curve points were used as part of the random number generator. If one of those points was not a randomly generated number, and the person responsible for determining that point also generated a secret key, any holder of that key could potentially crack the encryption as it would be possible to determine the random number used by the algorithm. If that number could be predicted, the encryption could be cracked. Dan Shumow and Niels Ferguson believed this would be possible with just 32 bytes of output, if the key was known.
The flaw in Dual_EC is believed to be an intentional backdoor in the encryption that was introduced by the NSA, according to documents published by Edward Snowden. However, this was deemed not to be a problem as a second random number generator was used by Juniper. The second random number generator was supposed to have been used for the encryption, meaning even someone with a secret key would not be able to predict the random number used.
However, a coding error resulted in the original random number generator being used, rather than the second one. Someone had managed to break into the system and use their own constant, consequently, the encryption could be cracked.
The Juniper Networks backdoor has now apparently been plugged with the company recently issuing a patch to fix the problem. However, it would appear that the Juniper Networks backdoor had existed for at least three years.