{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,20]],"date-time":"2025-09-20T20:22:23Z","timestamp":1758399743644,"version":"3.41.0"},"reference-count":18,"publisher":"Association for Computing Machinery (ACM)","issue":"11","license":[{"start":{"date-parts":[[2018,10,26]],"date-time":"2018-10-26T00:00:00Z","timestamp":1540512000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"NSF","doi-asserted-by":"publisher","award":["EFMA-1441209, CNS-1505799, CNS-1010928, CNS-1408734, CNS-1410031"],"award-info":[{"award-number":["EFMA-1441209, CNS-1505799, CNS-1010928, CNS-1408734, CNS-1410031"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"name":"ONR","award":["N00014-14-1-0333"],"award-info":[{"award-number":["N00014-14-1-0333"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Commun. ACM"],"published-print":{"date-parts":[[2018,10,26]]},"abstract":"<jats:p>In December 2015, Juniper Networks announced multiple security vulnerabilities stemming from unauthorized code in ScreenOS, the operating system for their NetScreen Virtual Private Network (VPN) routers. The more sophisticated of these vulnerabilities was a passive VPN decryption capability, enabled by a change to one of the parameters used by the Dual Elliptic Curve (EC) pseudorandom number generator.<\/jats:p>\n          <jats:p>In this paper, we described the results of a full independent analysis of the ScreenOS randomness and VPN key establishment protocol subsystems, which we carried out in response to this incident. While Dual EC is known to be insecure against an attacker who can choose the elliptic curve parameters, Juniper had claimed in 2013 that ScreenOS included countermeasures against this type of attack. We find that, contrary to Juniper's public statements, the ScreenOS VPN implementation has been vulnerable to passive exploitation by an attacker who selects the Dual EC curve point since 2008. This vulnerability arises due to flaws in Juniper's countermeasures as well as a cluster of changes that were all introduced concurrently with the inclusion of Dual EC in a single 2008 release. We demonstrate the vulnerability on a real NetScreen device by modifying the firmware to install our own parameters, and we show that it is possible to passively decrypt an individual VPN session in isolation without observing any other network traffic. This incident is an important example of how guidelines for random number generation, engineering, and validation can fail in practice. Additionally, it casts further doubt on the practicality of designing a safe \"exceptional access\" or \"key escrow\" scheme of the type contemplated by law enforcement agencies in the United States and elsewhere.<\/jats:p>","DOI":"10.1145\/3266291","type":"journal-article","created":{"date-parts":[[2018,10,26]],"date-time":"2018-10-26T19:18:53Z","timestamp":1540581533000},"page":"148-155","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":9,"title":["Where did I leave my keys?"],"prefix":"10.1145","volume":"61","author":[{"given":"Stephen","family":"Checkoway","sequence":"first","affiliation":[{"name":"University of Illinois at Chicago, IL"}]},{"given":"Jacob","family":"Maskiewicz","sequence":"additional","affiliation":[{"name":"University of California, San Diego, CA"}]},{"given":"Christina","family":"Garman","sequence":"additional","affiliation":[{"name":"Johns Hopkins University, Baltimore, MD"}]},{"given":"Joshua","family":"Fried","sequence":"additional","affiliation":[{"name":"University of Pennsylvania, Philadelphia, PA"}]},{"given":"Shaanan","family":"Cohney","sequence":"additional","affiliation":[{"name":"University of Pennsylvania, Philadelphia, PA"}]},{"given":"Matthew","family":"Green","sequence":"additional","affiliation":[{"name":"Johns Hopkins University, Baltimore, MD"}]},{"given":"Nadia","family":"Heninger","sequence":"additional","affiliation":[{"name":"University of Pennsylvania, Philadelphia, PA"}]},{"given":"Ralf-Philipp","family":"Weinmann","sequence":"additional","affiliation":[{"name":"Comsecuris, Duisberg, Germany"}]},{"given":"Eric","family":"Rescorla","sequence":"additional","affiliation":[{"name":"University of California, San Diego, CA"}]},{"given":"Hovav","family":"Shacham","sequence":"additional","affiliation":[{"name":"University of California, San Diego, CA"}]}],"member":"320","published-online":{"date-parts":[[2018,10,26]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/2814825"},{"key":"e_1_2_1_2_1","volume-title":"Digital signatures using reversible algorithms for the financial services industry (rDSA)","author":"Accredited Standards Committee (ASC) X9, Financial Services. ANS X9.31-1998","year":"1998","unstructured":"Accredited Standards Committee (ASC) X9, Financial Services. ANS X9.31-1998 : Digital signatures using reversible algorithms for the financial services industry (rDSA) , 1998 . Withdrawn . Accredited Standards Committee (ASC) X9, Financial Services. ANS X9.31-1998: Digital signatures using reversible algorithms for the financial services industry (rDSA), 1998. Withdrawn."},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813707"},{"key":"e_1_2_1_4_1","volume-title":"NIST Special Publication 800-90: Recommendation for Random Number Generation Using Deterministic Random Bit Generators. Technical report","author":"Barker E.","year":"2006","unstructured":"Barker , E. , Kelsey , J. NIST Special Publication 800-90: Recommendation for Random Number Generation Using Deterministic Random Bit Generators. Technical report , National Institute of Standards and Technology , June 2006 . Barker, E., Kelsey, J. NIST Special Publication 800-90: Recommendation for Random Number Generation Using Deterministic Random Bit Generators. Technical report, National Institute of Standards and Technology, June 2006."},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978395"},{"key":"e_1_2_1_6_1","volume-title":"Why You Should Care, and What To Do About It","author":"Granick J.S.","year":"2017","unstructured":"Granick , J.S. American Spies: Modern Surveillance , Why You Should Care, and What To Do About It . Cambridge University Press , Cambridge , 2017 . Granick, J.S. American Spies: Modern Surveillance, Why You Should Care, and What To Do About It. Cambridge University Press, Cambridge, 2017."},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.17487\/RFC2409"},{"key":"e_1_2_1_8_1","volume-title":"Oct.","author":"Juniper Networks","year":"2013","unstructured":"Juniper Networks . Juniper Networks product information about Dual_EC_DRBG. Knowledge Base Article KB28205 , Oct. 2013 . Online : https:\/\/web.archive.org\/web\/20151219210530\/ https:\/\/kb.juniper.net\/InfoCenter\/index?page=content&id=KB28205&pmv=print&actp=LIST. Juniper Networks. Juniper Networks product information about Dual_EC_DRBG. Knowledge Base Article KB28205, Oct. 2013. Online: https:\/\/web.archive.org\/web\/20151219210530\/ https:\/\/kb.juniper.net\/InfoCenter\/index?page=content&id=KB28205&pmv=print&actp=LIST."},{"key":"e_1_2_1_9_1","volume-title":"CVE-2015-7756)","author":"Juniper Networks","year":"2015","unstructured":"Juniper Networks . 2015--12 Out of Cycle Security Bulletin: ScreenOS: Multiple Security issues with ScreenOS (CVE-2015-7755 , CVE-2015-7756) , Dec. 2015 . Juniper Networks. 2015--12 Out of Cycle Security Bulletin: ScreenOS: Multiple Security issues with ScreenOS (CVE-2015-7755, CVE-2015-7756), Dec. 2015."},{"key":"e_1_2_1_10_1","volume-title":"Dec.","author":"Juniper Networks","year":"2015","unstructured":"Juniper Networks . Important announcement about ScreenOS<sup>\u00ae<\/sup>. Online: https:\/\/forums.juniper.net\/t5\/Security-Incident-Response\/Important-Announcement-about-ScreenOS\/ba-p\/285554 , Dec. 2015 . Juniper Networks. Important announcement about ScreenOS<sup>\u00ae<\/sup>. Online: https:\/\/forums.juniper.net\/t5\/Security-Incident-Response\/Important-Announcement-about-ScreenOS\/ba-p\/285554, Dec. 2015."},{"key":"e_1_2_1_11_1","volume-title":"Dec.","author":"Kaufman C.","year":"2005","unstructured":"Kaufman , C. Internet Key Exchange (IKEv2) Protocol. RFC 4306 (Proposed Standard) , Dec. 2005 . Obsoleted by RFC 5996, updated by RFC 5282. Online : https:\/\/tools.ietf.org\/html\/rfc4306. Kaufman, C. Internet Key Exchange (IKEv2) Protocol. RFC 4306 (Proposed Standard), Dec. 2005. Obsoleted by RFC 5996, updated by RFC 5282. Online: https:\/\/tools.ietf.org\/html\/rfc4306."},{"key":"e_1_2_1_12_1","volume-title":"May","author":"Kelsey J.","year":"2014","unstructured":"Kelsey , J. Dual EC in X9.82 and SP 800-90A. Presentation to NIST VCAT committee , May 2014 . Slides online http:\/\/csrc.nist.gov\/groups\/ST\/crypto-review\/documents\/dualec_in_X982_and_sp800-90.pdf. Kelsey, J. Dual EC in X9.82 and SP 800-90A. Presentation to NIST VCAT committee, May 2014. Slides online http:\/\/csrc.nist.gov\/groups\/ST\/crypto-review\/documents\/dualec_in_X982_and_sp800-90.pdf."},{"key":"e_1_2_1_13_1","volume-title":"Dec.","author":"Moore H.D.","year":"2015","unstructured":"Moore , H.D. CVE-2015-7755: Juniper ScreenOS Authentication Backdoor. https:\/\/community.rapid7.com\/community\/infosec\/blog\/2015\/12\/20\/cve-2015-7755-juniper-screenos-authentication-backdoor , Dec. 2015 . Moore, H.D. CVE-2015-7755: Juniper ScreenOS Authentication Backdoor. https:\/\/community.rapid7.com\/community\/infosec\/blog\/2015\/12\/20\/cve-2015-7755-juniper-screenos-authentication-backdoor, Dec. 2015."},{"key":"e_1_2_1_14_1","unstructured":"National Institute of Standards and Technology. NIST opens draft Special Publication 800-90A recommendation for random number generation using deterministic random bit generators for review and comment. http:\/\/csrc.nist.gov\/publications\/nistbul\/itlbul2013_09_supplemental.pdf Sept. 2013.  National Institute of Standards and Technology. NIST opens draft Special Publication 800-90A recommendation for random number generation using deterministic random bit generators for review and comment. http:\/\/csrc.nist.gov\/publications\/nistbul\/itlbul2013_09_supplemental.pdf Sept. 2013."},{"key":"e_1_2_1_15_1","volume-title":"The New York Times","author":"Perlroth N.","year":"2013","unstructured":"Perlroth , N. , Larson , J. , Shane , S. N.S.A. able to foil basic safeguards of privacy on Web . The New York Times , Sep. 5 2013 . Online : http:\/\/www.nytimes.com\/2013\/09\/06\/us\/nsa-foils-much-internet-encryption.html. Perlroth, N., Larson, J., Shane, S. N.S.A. able to foil basic safeguards of privacy on Web. The New York Times, Sep. 5 2013. Online: http:\/\/www.nytimes.com\/2013\/09\/06\/us\/nsa-foils-much-internet-encryption.html."},{"key":"e_1_2_1_16_1","volume-title":"Aug.","author":"Shumow D.","year":"2007","unstructured":"Shumow , D. , Ferguson , N. On the possibility of a back door in the NIST SP800-90 Dual Ec Prng. Presented at the Crypto 2007 rump session , Aug. 2007 . Slides online: http:\/\/rump2007.cr.yp.to\/15-shumow.pdf. Shumow, D., Ferguson, N. On the possibility of a back door in the NIST SP800-90 Dual Ec Prng. Presented at the Crypto 2007 rump session, Aug. 2007. Slides online: http:\/\/rump2007.cr.yp.to\/15-shumow.pdf."},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/1644893.1644896"},{"key":"e_1_2_1_18_1","series-title":"LNCS","volume-title":"Proceedings of Eurocrypt","author":"Young A.","year":"1997","unstructured":"Young , A. , Yung , M. Kleptography: Using cryptography against cryptography . In Proceedings of Eurocrypt 1997 . W. Fumy, ed. volume 1233 of LNCS , Springer-Verlag , May 1997, 62--74. Young, A., Yung, M. Kleptography: Using cryptography against cryptography. In Proceedings of Eurocrypt 1997. W. Fumy, ed. volume 1233 of LNCS, Springer-Verlag, May 1997, 62--74."}],"container-title":["Communications of the ACM"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3266291","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3266291","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3266291","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T20:26:51Z","timestamp":1750278411000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3266291"}},"subtitle":["lessons from the Juniper Dual EC incident"],"short-title":[],"issued":{"date-parts":[[2018,10,26]]},"references-count":18,"journal-issue":{"issue":"11","published-print":{"date-parts":[[2018,10,26]]}},"alternative-id":["10.1145\/3266291"],"URL":"https:\/\/doi.org\/10.1145\/3266291","relation":{},"ISSN":["0001-0782","1557-7317"],"issn-type":[{"type":"print","value":"0001-0782"},{"type":"electronic","value":"1557-7317"}],"subject":[],"published":{"date-parts":[[2018,10,26]]},"assertion":[{"value":"2018-10-26","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}