When the NSA and other three-letter agencies talk about the threat of back doors being inserted in foreign-manufactured equipment, remember: they have their own experience in this field…:
[…] Details about a backdoor in Juniper products first came to light in December 2015. Members of the cyber-security community discovered what looked like a change of a secret access key inside the source code of ScreenOS, an operating system running on NetScreen, Juniper’s line of firewall and VPN products.
Following public pressure, Juniper later admitted that “unauthorized code” made its way into the ScreenOS source code, and that the unauthorized code could have allowed attackers to take over devices and decrypt VPN traffic.
While Juniper initially shied away from providing any details, members of the public cyber-security community later discovered that the unauthorized code referred to the use of the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) algorithm as the random number generator (RNG) component inside ScreenOS.
Dual_EC_DRBG is a lesser-known algorithm that was developed by the US National Security Agency (NSA) in 2006 and which received an almost immediate FIPS (Federal Information Processing Standards) certification despite some security experts warning that initial audits revealed signs of a potential backdoor mechanism.
However, despite criticism, Dual_EC_DRBG remained certified until 2013, until the Edward Snowden revelations, when the US National Institute of Standards and Technology (NIST) intervened to withdraw its FIPS certification.