A Systematic Analysis of the Juniper Dual EC Incident
In December 2015, Juniper Networks announced that unknown attackers had added unauthorized code to ScreenOS, the operating system for their NetScreen VPN routers. This code created two vulnerabilities: an authentication bypass that enabled remote administrative access, and a second vulnerability that allowed passive decryption of VPN traffic. Reverse engineering of ScreenOS binaries revealed that the first of these vulnerabilities was a conventional back door in the SSH password checker. The second is far more intriguing: a change to the Q parameter used by the Dual EC pseudorandom number generator. It is widely known that Dual EC has the unfortunate property that an attacker with the ability to choose Q can, from a small sample of the generator's output, predict all future outputs. In a 2013 public statement, Juniper noted the use of Dual EC but claimed that ScreenOS included countermeasures that neutralized this form of attack.
In this work, we report the results of a thorough independent analysis of the ScreenOS randomness subsystem, as well as its interaction with the IKE VPN key establishment protocol. Due to apparent flaws in the code, Juniper's countermeasures against a Dual EC attack are never executed. Moreover, by comparing sequential versions of ScreenOS, we identify a cluster of additional changes that were introduced concurrently with the inclusion of Dual EC in a single 2008 release. Taken as a whole, these changes render the ScreenOS system vulnerable to passive exploitation by an attacker who selects Q. We demonstrate this by installing our own parameters and showing that it is possible to passively decrypt a single IKE handshake and its associated VPN traffic in isolation, without observing any other network traffic.
Verified Correctness and Security of mbedTLS HMAC-DRBG
We have formalized the functional specification of HMAC-DRBG (NIST 800-90A), and we have proved its cryptographic security, that its output is pseudorandom, using a hybrid game-based proof. We have also proved that the mbedTLS implementation (C program) correctly implements this functional specification. That proof composes with an existing C compiler correctness proof to guarantee, end-to-end, that the machine language program gives strong pseudorandomness. All proofs (hybrid games, C program verification, compiler, and their composition) are machine-checked in the Coq proof assistant. Our proofs are modular: the hybrid game proof holds on any implementation of HMAC-DRBG that satisfies our functional specification. Therefore, our functional specification can serve as a high-assurance reference. Comment: Appearing in CCS '1
A kilobit hidden SNFS discrete logarithm computation
We perform a special number field sieve discrete logarithm computation in a 1024-bit prime field. To our knowledge, this is the first kilobit-sized discrete logarithm computation ever reported for prime fields. This computation took a little over two months of calendar time on an academic cluster using the open-source CADO-NFS software. Our chosen prime looks random, and has a 160-bit prime factor, in line with recommended parameters for the Digital Signature Algorithm. However, our p has been trapdoored in such a way that the special number field sieve can be used to compute discrete logarithms in , yet detecting that p has this trapdoor seems out of reach.
Twenty-five years ago, there was considerable controversy around the possibility of back-doored parameters for DSA. Our computations show that trapdoored primes are entirely feasible with current computing technology. We also describe special number field sieve discrete log computations carried out for multiple weak primes found in use in the wild. As can be expected from a trapdoor mechanism which we say is hard to detect, our research did not reveal any trapdoored prime in wide use. The only way for a user to defend against a hypothetical trapdoor of this kind is to require verifiably random primes.
The Forensic Application of Soil: Clandestine Graves and Human Remains Detection Dogs
The use of soil in forensic applications is widespread, from mud left on tires and shoes to the examination of soil for pollens endemic to specific areas. The research presented examined 1) the role of soil texture in clandestine grave detection, 2) residual scent of human remains in cadaver decomposition islands (CDIs) through identification by human remains detection (HRD) dogs, 3) the chemistry profile of the CDI and its relationship to the post mortem interval (PMI), and 4) the chemistry profile of plants near CDIs and potential identification by HRD dogs.
Results indicate that 1) soil texture determines gas release potential and therefore has the potential to affect clandestine grave detection by HRD dogs, 2) residual odor of human remains in the CDI can be viable to HRD dogs up to 915 days PMI, or 667 days after the body has been removed, 3) chemistry profiles between control reference soils and CDI soils can show significant differences in DOC, DON, NO3-N, NH4-N, and PO4-P, with ammonium-N showing a strong relationship with PMI at R² = 0.45 and DOC at R² = 0.424, and 4) plant chemistry retrieved from near CDIs shows strong relationships to HRD dog alert accuracy. The research in this study indicated the importance of further research into each of these elements, which may yield better understanding of soil decomposition interactions as well as presumptive tools for law enforcement in criminal investigations.
Obstructive sleep apnoea and daytime driver sleepiness
Driver sleepiness is known to be a major contributor to road traffic incidents (RTIs). An initial literature review identified many studies reporting untreated obstructive sleep apnoea (OSA) sufferers as having impaired driving performance and increased RTI risk. It is consistently reported that treatment with continuous positive air pressure (CPAP) improves driving performance and decreases RTI risk, although most of these studies are conducted less than one year after starting treatment. UK law allows treated OSA patients to continue driving if their doctor states that treatment has been successful. Despite the wealth of publications surrounding OSA and driving, 6 key areas were identified from the literature review as not fully investigated, the: (i) prevalence of undiagnosed OSA in heavy goods vehicle (HGV) drivers in the UK; (ii) impact of sleep restriction on long term CPAP treated OSA compared with healthy controls; (iii) ability of treated OSA participants to identify sleepiness when driving; (iv) impact of one night CPAP withdrawal on driving performance; (v) individual difference in driving performance of long term CPAP treated OSA participants; (vi) choice of countermeasures to driver sleepiness by two groups susceptible to driver sleepiness, OSA and HGV drivers.
Key areas (i) and (vi) were assessed using questionnaires. 148 HGV drivers were surveyed to assess OSA symptoms and preference of countermeasures to driver sleepiness. All participants completing the driving simulator study were also surveyed. 9.5% of HGV drivers were found to have symptoms of suspected undiagnosed OSA. Additionally, the OSA risk factors were more prevalent for HGV drivers than reported in national statistics reports for the general population. The most effective countermeasures to driver sleepiness (caffeine and a nap) were not the most popular. Being part of a susceptible group (OSA or HGV driver) and prior experience of driver sleepiness did not promote effective choice of countermeasure.
Key areas (ii) to (v) were assessed using a driving simulator. Driving simulators present a safe environment to test participants in a scenario where they may experience sleepiness without endangering other road users. (Continues...)
Immunizing Backdoored PRGs
A backdoored Pseudorandom Generator (PRG) is a PRG which looks pseudorandom to the outside world, but a saboteur can break PRG security by planting a backdoor into a seemingly honest choice of public parameters, , for the system. Backdoored PRGs became increasingly important due to revelations about NIST's backdoored Dual EC PRG, and later results about its practical exploitability.
Motivated by this, at Eurocrypt'15 Dodis et al. [21] initiated the question of immunizing backdoored PRGs. A -immunization scheme repeatedly applies a post-processing function to the output of backdoored PRGs, to render any (unknown) backdoors provably useless. For , [21] showed that no deterministic immunization is possible, but then constructed seeded -immunizers either in the random oracle model, or under strong non-falsifiable assumptions. As our first result, we show that no seeded -immunization scheme can be black-box reduced to any efficiently falsifiable assumption.
This motivates studying -immunizers for , which have an additional advantage of being deterministic (i.e., seedless ). Indeed, prior work at CCS'17 [37] and CRYPTO'18 [7] gave supporting evidence that simple -immunizers might exist, albeit in slightly different settings. Unfortunately, we show that simple standard model proposals of [37, 7] (including the XOR function [7]) provably do not work in our setting. On the positive side, we confirm the intuition of [37] that a (seedless) random oracle is a provably secure -immunizer. On the negative side, no (seedless) -immunization scheme can be black-box reduced to any efficiently falsifiable assumption, at least for a large class of natural -immunizers which includes all cryptographic hash functions.
In summary, our results show that -immunizers occupy a peculiar place in the cryptographic world. While they likely exist, and can be made practical and efficient, it is unlikely one can reduce their security to a clean standard-model assumption.
Unifying Kleptographic Attacks
We present two simple backdoors that can be implemented into Maurer's unified zero-knowledge protocol. Thus, we show that a high level abstraction can replace individual backdoors embedded into protocols for proving knowledge of a discrete logarithm (e.g. the Schnorr and Girault protocols), protocols for proving knowledge of an -root (e.g. the Fiat-Shamir and Guillou-Quisquater protocols), protocols for proving knowledge of a discrete logarithm representation (e.g. the Okamoto protocol) and protocols for proving knowledge of an -root representation.