We are not able to answer these questions with access to firmware alone. Juniper's source code version-control system, their bug-tracking system, their internal e-mail archives, and the recollections of Juniper engineers may help answer them.

Despite numerous opportunities, including public questions put to their Chief Security Officer and a congressional hearing on this incident, Juniper has either failed or explicitly refused to provide any further details.
8.6. For policymakers
Much of the debate about exceptional access has focused on whether it is possible to construct secure exceptional access mechanisms, where "secure" is defined as only allowing authorized access—presumably by law enforcement. It is readily apparent that one of the major difficulties in building such a system is the risk of compromise of whatever keying material is needed to decrypt the
The unauthorized change to ScreenOS's Dual EC constants made in 2012 illustrates a new threat: the ability for another party to modify the target software to subvert an exceptional access mechanism for its own purposes, with only minimally detectable changes. Importantly, because the output of the PRNG appears random to any entity that does not know the discrete log of Q, such a change is invisible both to users and to any testing which the vendor might do. By contrast, an attacker who wants to introduce an exceptional access mechanism into a program which does not already have one must generally make a series of extremely invasive changes, thus increasing the risk of detection.
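The invisibility argument above rests entirely on who knows the discrete log of Q. The following Python example is added here to make that concrete; it is not code from the article, from Juniper, or from ScreenOS. It builds a toy Dual EC DRBG over a small, constructed curve (field prime 10007, curve coefficients, seed and the scalar d are all constructed for illustration and far too small for real use), replaces Q with a point Q = d·P whose discrete log the attacker holds, and shows that one truncated output block plus a couple of subsequent blocks let the attacker recover the internal state and predict the rest of the stream. The attacker brute-forces the dropped high bits of the x-coordinate, just as the real attack brute-forces the 16 bits Dual EC drops from each 256-bit x-coordinate. Against a Q whose discrete log the attacker does not have, the same procedure yields nothing, which is exactly why a user, or a vendor running statistical or known-answer tests, sees no difference between the two generators.

```python
"""Toy Dual EC DRBG on a constructed small curve (added illustration only).
A Q with a known discrete log lets its owner recover the generator state;
a Q with an unknown discrete log produces an indistinguishable stream."""
from itertools import count
from math import gcd

P_MOD = 10007              # constructed field prime; p % 4 == 3 keeps sqrt simple
A, B = P_MOD - 3, 7        # constructed curve y^2 = x^3 + A*x + B over GF(P_MOD)
OUT_BITS = 12              # bits of x emitted per block (real Dual EC: 240 of 256)
MASK = (1 << OUT_BITS) - 1
INF = None                 # point at infinity


def add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def xcoord(pt):
    # Toy-only guard: real Dual EC practically never lands on the point at infinity.
    return 1 if pt is INF else pt[0]


def lift(x):
    """Point with x-coordinate x, or None. Either sign of y works for the attack."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None


def order(pt):
    """Brute-force the order of pt; cheap on a 14-bit field."""
    q = pt
    for n in count(1):
        if q is INF:
            return n
        q = add(q, pt)


def base_point():
    """First point of large order; plays the role of the standard generator P."""
    for x in count(2):
        pt = lift(x)
        if pt and order(pt) > 1000:
            return pt


P = base_point()
N = order(P)


def dual_ec_from_state(s, Q, n):
    """Emit n truncated blocks from internal state s (the value just produced by
    the s <- x(s*P) update), stepping the state after each block."""
    out = []
    for _ in range(n):
        out.append(xcoord(mul(s, Q)) & MASK)   # r = x(s*Q), high bits dropped
        s = xcoord(mul(s, P))                  # s = x(s*P)
    return out


def dual_ec(seed, Q, n):
    return dual_ec_from_state(xcoord(mul(seed, P)), Q, n)


def backdoored_q(d):
    """Attacker's Q = d*P plus the trapdoor e with e*Q = P (e = d^-1 mod N)."""
    while gcd(d, N) != 1:
        d += 1
    return mul(d, P), pow(d, -1, N)


def recover_state(outputs, Q, e):
    """From a few truncated blocks and e with e*Q = P, recover the state that
    produced outputs[1:], brute-forcing the dropped high bits of x(s*Q)."""
    for hi in range(1 << (P_MOD.bit_length() - OUT_BITS)):
        x = (hi << OUT_BITS) | outputs[0]
        if x >= P_MOD:
            continue
        R = lift(x)                   # R = +/- s*Q
        if R is None:
            continue
        s_next = xcoord(mul(e, R))    # e*R = +/- s*P, whose x is the next state
        if dual_ec_from_state(s_next, Q, len(outputs) - 1) == outputs[1:]:
            return s_next
    return None


def demo(seed=4242, d=1234, n=8):
    """(attacker predicts the backdoored stream, attacker fails on an honest Q)."""
    Q_bad, e = backdoored_q(d)
    stream = dual_ec(seed, Q_bad, n)
    s = recover_state(stream[:3], Q_bad, e)
    predicted_ok = s is not None and dual_ec_from_state(s, Q_bad, n - 1) == stream[1:]
    Q_honest = next(pt for pt in map(lift, count(500)) if pt)   # log unknown to attacker
    honest_fails = recover_state(dual_ec(seed, Q_honest, n)[:3], Q_honest, e) is None
    return predicted_ok, honest_fails


if __name__ == "__main__":
    print(demo())
```

Nothing in the output stream reveals which Q is in use: both streams are valid Dual EC output, and the only asymmetry is that the holder of e turns one block into the next state with a single scalar multiplication. That is what makes swapping Q a minimally detectable change and what a vendor's own tests cannot see.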
In the case of ScreenOS, an attacker was able to subvert a major product—one which is used by the federal government—and remain undiscovered for years. This represents a serious challenge to the proposition that it is possible to build an exceptional access system that is available only to the proper authorities; any new proposal for such a system should bear the burden of proof of showing that it cannot be subverted in the way that ScreenOS was.
This material is based in part upon work supported by the U.S. National Science Foundation under awards EFMA-1441209, CNS-1505799, CNS-1010928, CNS-1408734, and CNS-1410031; The Mozilla Foundation; a gift from Cisco; and the Office of Naval Research under
Copyright held by owners/authors. Publication rights licensed to ACM, $15.00.
Stephen Checkoway, University of Illinois at Chicago, IL, USA.
Jacob Maskiewicz, Eric Rescorla, Hovav Shacham, University of California, San Diego, CA, USA.
Christina Garman, Matthew Green, Johns Hopkins University, Baltimore,
Joshua Fried, Shaanan Cohney, Nadia Heninger, University of Pennsylvania, Philadelphia, PA, USA.
Ralf-Philipp Weinmann, Comsecuris,