NSA HELPED BRITISH SPIES FIND SECURITY HOLES IN JUNIPER FIREWALLS
A TOP-SECRET document dated February 2011 reveals that British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks, a leading provider of networking and Internet security gear.
The six-page document, titled “Assessment of Intelligence Opportunity – Juniper,” raises questions about whether the intelligence agencies were responsible for or culpable in the creation of security holes disclosed by Juniper last week. While it does not establish a certain link between GCHQ, NSA, and the Juniper hacks, it does make clear that, like the unidentified parties behind those hacks, the agencies found ways to penetrate the “NetScreen” line of security products, which help companies create online firewalls and virtual private networks, or VPNs. It further indicates that, also like the hackers, GCHQ’s capabilities clustered around an operating system called “ScreenOS,” which powers only a subset of products sold by Juniper, including the NetScreen line. Juniper’s other products, which include high-volume Internet routers, run a different operating system called JUNOS.
The author of the 2011 GCHQ document, an NSA employee who was working with GCHQ as part of an “Access Strategy Team,” takes a similarly adversarial view of encryption, referring to Juniper as a “threat” and a “target” because it provides technology to protect data from eavesdropping. Far from suggesting that security agencies should help U.S. and U.K. companies mend their digital defenses, the document says the agencies must “keep up with Juniper technology” in the pursuit of SIGINT, or signals intelligence.
“The threat comes from Juniper’s investment and emphasis on being a security leader,” the document says. “If the SIGINT community falls behind, it might take years to regain a Juniper firewall or router access capability if Juniper continues to rapidly increase their security.”
Tampered with Random Number Seed Generator
Specifically, the attacker seems to have tampered with a 32-byte value used to seed the generation of random numbers, numbers that are in turn used in the process of encrypting data in ScreenOS. ScreenOS uses the value as a parameter to a standard system for random number generation known as Dual Elliptic Curve Deterministic Random Bit Generator. The default 32-byte value in this standard is believed to have been generated by the NSA. Juniper said, in the wake of the Snowden revelations about the standard, that it had replaced this 32-byte value with its own “self-generated basis points.” So the attacker would have replaced Juniper’s replacement of the NSA 32-byte value.
It further states that GCHQ has a “current exploit capability” against 13 Juniper models, all of which run ScreenOS: NS5gt, N25, NS50, NS500, NS204, NS208, NS5200, NS5000, SSG5, SSG20, SSG140, ISG 1000, ISG 2000. It reveals that the agency was developing an additional surveillance capability to hack into high-capacity Juniper M320 routers, which were designed to be used by Internet service providers.
“The ability to exploit Juniper servers and firewalls,” the document says, “will pay many dividends over the years.”
Safe European Cryptographers
Kristian Gjøsteen, Norwegian University of Science and Technology
Kristian submitted a comment paper to NIST as far back as 2006 pointing out that the EC DRBG was cryptographically unsound and shouldn’t be used.
Gjøsteen’s attack was improved in a May 2006 paper  by Berry Schoenmakers and Andrey Sidorenko from Technische Universiteit Eindhoven. “Our experimental results and also empirical argument show that [Dual EC] is insecure,” Schoenmakers and Sidorenko wrote.
Berry Schoenmakers and Andrey Sidorenko Dept. of Mathematics and Computer Science, TU Eindhoven