Computing Reviews
Today's Issue Hot Topics Search Browse Recommended My Account Log In
Review Help
Search
Where did I leave my keys?: Lessons from the Juniper dual EC incident
Checkoway S., Maskiewicz J., Garman C., Fried J., Cohney S., Green M., Heninger N., Weinmann R., Rescorla E., Shacham H. Communications of the ACM61 (11):148-155,2018.Type:Article
Date Reviewed: Dec 27 2018

Safe networks require reliable operating systems free from security vulnerabilities. Trustworthy routers ought to use dependable cryptographic algorithms to protect data transmitted over insecure networks. But how should effective guidelines be defined for producing, implementing, and endorsing pseudorandom number generators, to help avoid failure in cryptographic algorithms? Checkoway et al. review “the Juniper dual EC incident” prior to investigating the security loopholes of individual virtual private network (VPN) sessions.

The paper clearly introduces and details the historical records of how Juniper investigated the security flaws in ScreenOS. Indeed, despite Juniper’s patches to ScreenOS, smart hackers could decrypt VPN connections. Attackers should not be able to alter public keys in encryption and decryption algorithms intended for law enforcement personnel.

The authors present and evaluate the circumstantial evidence of dual elliptic curve (EC) cryptography, its application, and its use in ScreenOS. Undoubtedly, security experts should be implementing difficult-to-compute discrete log algorithms in dual EC cryptography.

This paper provides details about dual EC in ScreenOS and the pseudorandom number generator algorithm for ScreenOS, and includes an overview of reliable Internet key exchange (IKE) implementations in ScreenOS. It discusses algorithms for generating and recovering reliable keys in IKE VPN protocols.

The presented experimental results confirm the weaknesses of IKE for validating VPN sessions. Given the ongoing security challenges in unbounded Internet of Things (IoT) communication devices, and for the design and implementation of future systems, readers should explore the history of Juniper’s security incidents, warning experiences, and recommended solutions.

Reviewer:  Amos Olagunju Review #: CR146361 (1904-0120)
Bookmark and Share
  Reviewer Selected
Featured Reviewer
 
 
Security and Protection (C.2.0 ... )
 
 
Internet (C.2.1 ... )
 
Would you recommend this review?
yes
no
Other reviews under "Security and Protection": Date
Introduction to data security and controls (2nd ed.)
Edward R. I., QED Information Sciences, Inc., Wellesley, MA, 1991. Type: Book (9780894353864)
Aug 1 1992
Security for computer networks: an introduction to data security in teleprocessing and electronic funds transfer
Davies D., Price W., John Wiley & Sons, Inc., New York, NY, 1984. Type: Book (9780471900634)
Oct 1 1985
The development and proof of a formal specification for a multilevel secure system
Glasgow J., Macewen G. ACM Transactions on Computer Systems 5(2): 151-184, 1987. Type: Article
Oct 1 1987
more...

E-Mail This Printer-Friendly
Send Your Comments
Contact Us
Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®
Terms of Use
| Privacy Policy