Spartak - Fotolia

Juniper to drop code linked to NSA

Juniper ditches algorithm tied to NSA backdoors following sustained pressure from the security community

Juniper announced late on Friday that it plans to remove the code that analysts believe was developed by the National Security Agency.

The announcement was made via a blog post and comes a month after the networking giant admitted that it had found unauthorised code embedded in its ScreenOS operating system.

The malicious code was found to be included in multiple versions of the OS, dating back to 2012, and could potentially allow well-resourced hackers or nation states to decrypt  traffic running through a Virtual Private Network on Juniper's NetScreen firewalls. 

Juniper has come under fire from security experts for continuing to use an algorithm, known as Dual_EC, despite its proven weaknesses.

Dual_EC is a pseudo-random number generator, an algorithm from the branch of cryptography known as elliptic curve cryptography. 

In 2013, The New York Times published an article claiming that internal memos leaked by Edward Snowden suggested that the NSA may have developed Dual_EC in order to gain access to secure communications. The elliptic curve algorithm was a requirement for certain federal certifications.

At the time, Juniper published a knowledgbase article stating that NetScreen remained secure as it also relied on a separate random number generator known as ANSI X.9.31.

However, new research presented at the Real World Cryptography Conference 2016 last week, suggested that further code changes made all the way back in 2008 rendered Juniper’s claims redundant. The researchers, made up of Stephen Checkoway of the University of Illinois and other leading authorities, found that Juniper altered the encryption scheme, actually making it easier for someone to exploit the weaknesses of the algorithm. Juniper’s dogged use of the flawed code has caused many to suspect the NSA’s involvement.

The announcement on Friday is the first clear sign that the Sunnyvale, California-based company is serious about putting NSA mutterings to bed.

“After a review of commentary from security researchers and through our own continued analysis, we have identified additional changes Juniper will make to ScreenOS to enhance the robustness of the ScreenOS random number generation subsystem,” Bob Worrall, Chief Information Officer, said in the blog post.

“We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products. We intend to make these changes in a subsequent ScreenOS software release, which will be made available in the first half of 2016.”

Juniper added that the investigation of the origin of the unauthorised code continues.


Read more on Firewall Solutions and Services