
By Richard Chirgwin, 10th January 2016 21:58

Juniper resets 'days since last rogue code incident' clock

Proclaims Junos OS clean, takes out the trash by killing off Dual_EC in ScreenOS anyway

Juniper Networks has announced that its own investigation found none of the "oops ... how did that code get there" trouble in Junos OS, and that it will kill off Dual Elliptic Curve (Dual_EC) random number generation in ScreenOS.

The company says it hired a "respected security organization" that "undertook a detailed investigation of ScreenOS and Junos OS® source code."

"After a detailed review, there is no evidence of any other unauthorized code in ScreenOS nor have we found any evidence of unauthorized code in Junos OS. The investigation also confirmed that it would be much more difficult to insert the same type of unauthorized code in Junos OS."

Which doesn't mean the company has a clean bill of health, because Juniper has decided to remove Dual_EC from ScreenOS sometime in the first half of 2016.

Both news nuggets landed in an after-hours, take-out-the-trash-and-hope-the-press-don't-notice blog post issued on Friday evening US time.

Senior veep and CIO Bob Worrall writes that the Dual_EC and ANSI X9.31 crypto will both be replaced by “the same random number generation technology currently employed across our broad portfolio of Junos OS products”.

After the “unauthorised code” was discovered in December, Juniper released an update.

Stephen Checkoway of the University of Chicago and a bunch of high-profile collaborators (including Johns Hopkins cryptographer Matt Green and Metasploit's HD Moore) wrote in December that the ScreenOS Dual_EC implementation inexplicably used a 32-byte nonce (a use-once number generated while initialising an encrypted channel). The longer nonce makes it much easier to recover encrypted communications, and most crypto authors settle on a 20-byte nonce. ®
