by anologwintermut 3835 days ago
Instead of using the NIST recommended curve points it uses self-generated basis points and then takes the output as an input to FIPS/ANSI X.9.31 PRNG, which is the random number generator used in ScreenOS cryptographic operations."

Looks like they feed the output through a standard CPRNG. Assuming it's true, that pretty much breaks the DUAL_EC attack because you can't use the output of the final CPRNG to recover the DUAL_EC state.


I wonder if that's going to be demonstrated to be a true statement, and further whether the tampering Juniper discovered will have disabled that second step.
It seems to be a true statement: Dual EC is used to seed an X9.31 generator with 3DES, where 8 bytes are the initial seed V, and the remaining 24 are K (cf. [1]). I don't see any other usage of Dual EC other than to self-test and to seed X9.31.

Oddly, you can disable the Dual EC seeding with the flag 'one-stage-rng'. But not the other way around.

[1] http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext...
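The two-stage construction the comment above describes, as an added example that is not code from the thread or from ScreenOS: a minimal ANSI X9.31 generator keyed with 3DES, seeded from a 32-byte block split into V (first 8 bytes) and K (remaining 24 bytes). The seed bytes are constructed for the demo; on the device the comment says they would come from Dual EC output. The date/time vector DT is replaced by a counter so that the demo is deterministic (an assumption, not ScreenOS behaviour). The point it shows is what the thread is arguing about: anyone holding the 32 seed bytes reproduces the whole X9.31 stream, while changing a single bit of K yields an unrelated stream, and the stream itself gives no direct view of the seed.

```go
package main

// Added example (not ScreenOS code): ANSI X9.31 Appendix A.2.4 generator
// with 3DES, seeded as the comment describes (8 bytes V + 24 bytes K).

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"fmt"
)

const (
	seedLen  = 32 // 8 bytes V followed by a 24-byte 3DES key K
	blockLen = 8  // 3DES block size; X9.31 emits one block per step
)

// X931 holds the generator state: the cipher keyed with K, the chaining
// value V, and a counter standing in for the date/time vector DT.
type X931 struct {
	block cipher.Block
	v     [blockLen]byte
	dt    uint64
}

// NewX931 splits a 32-byte seed into V (first 8 bytes) and K (last 24 bytes).
func NewX931(seed []byte) (*X931, error) {
	if len(seed) != seedLen {
		return nil, fmt.Errorf("x931: need %d seed bytes, got %d", seedLen, len(seed))
	}
	block, err := des.NewTripleDESCipher(seed[blockLen:])
	if err != nil {
		return nil, err
	}
	g := &X931{block: block}
	copy(g.v[:], seed[:blockLen])
	return g, nil
}

// NextBlock runs one X9.31 step:
//   I = E_K(DT);  R = E_K(I xor V);  V = E_K(R xor I);  output R.
func (g *X931) NextBlock() [blockLen]byte {
	var dt, i, r, tmp [blockLen]byte
	binary.BigEndian.PutUint64(dt[:], g.dt)
	g.dt++ // a real implementation uses the clock; a counter keeps the demo deterministic
	g.block.Encrypt(i[:], dt[:])
	for k := range tmp {
		tmp[k] = i[k] ^ g.v[k]
	}
	g.block.Encrypt(r[:], tmp[:])
	for k := range tmp {
		tmp[k] = r[k] ^ i[k]
	}
	g.block.Encrypt(g.v[:], tmp[:])
	return r
}

// Expand returns n output bytes from a fresh generator seeded with seed.
func Expand(seed []byte, n int) ([]byte, error) {
	g, err := NewX931(seed)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, n+blockLen)
	for len(out) < n {
		b := g.NextBlock()
		out = append(out, b[:]...)
	}
	return out[:n], nil
}

// SameStream reports whether two seeds drive the generator to identical
// output, i.e. whether knowing one seed predicts the other's stream.
func SameStream(seedA, seedB []byte, n int) (bool, error) {
	a, err := Expand(seedA, n)
	if err != nil {
		return false, err
	}
	b, err := Expand(seedB, n)
	if err != nil {
		return false, err
	}
	return bytes.Equal(a, b), nil
}

func main() {
	// Constructed 32-byte seed standing in for the Dual EC output.
	seed := make([]byte, seedLen)
	for i := range seed {
		seed[i] = byte(i*37 + 11)
	}
	out, _ := Expand(seed, 16)
	fmt.Printf("first 16 output bytes: %x\n", out)

	// Same seed recovered elsewhere: the stream is fully predictable.
	same, _ := SameStream(seed, seed, 64)
	fmt.Println("same seed, same stream:", same)

	// One flipped key bit: an unrelated stream.
	other := append([]byte(nil), seed...)
	other[seedLen-1] ^= 0x80
	same, _ = SameStream(seed, other, 64)
	fmt.Println("one key bit flipped, same stream:", same)
}
```

The demo only seeds once; the thread's question is whether the Dual EC stage keeps reseeding this generator and whether the tampering touched the second stage, which no part of this example answers.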

Unless the backdoor disables the X9.31 stage, what's the point of tampering with the Dual EC RNG, if its outputs are going to be mangled anyways?
I don't know, it makes little sense to me too. Maybe there's some subtle flaw somewhere, which I haven't spotted. Since subtlety doesn't seem to be a thing with the changes we've seen so far, I'm not sure what to think.