Juniper Networks announced on Friday that it will be removing a piece of security code which many believe was created by the National Security Agency for eavesdropping.
Juniper posted the official statement the day after a team of cryptographers revealed that the company’s Dual_EC_DRBG random number generator contained a weakness enabling eavesdropping on customers’ virtual private network sessions.
The researchers also found that Juniper’s NetScreen firewalls used predictable outputs from Dual_EC_DRBG to bypass ANSI X9.31.
Dual_EC_DRBG is an algorithm for generating random numbers that is included in an official standard documented by the National Institute of Standards and Technology (NIST), and it potentially includes a backdoor planted by the NSA. It uses a seemingly arbitrary series of specific fixed numbers.
In response, the company said that it will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across its portfolio of Junos OS products.
The company said:
“Further, after a review of commentary from security researchers and through our own continued analysis, we have identified additional changes Juniper will make to ScreenOS to enhance the robustness of the ScreenOS random number generation subsystem.
“We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products. We intend to make these changes in a subsequent ScreenOS software release, which will be made available in the first half of 2016.”
Ars Technica, “Juniper drops NSA-developed code following new backdoor revelations”, by Dan Goodin
Juniper Networks, “Advancing the Security of Juniper Products”, by Juniper Employee Derrick Scholl (dscholl)