

By Richard Chirgwin, 10th January 2016 21:58

Juniper resets 'days since last rogue code incident' clock

Proclaims Junos OS clean, takes out the trash by killing off Dual_EC in ScreenOS anyway

Juniper Networks has announced its own investigations have found none of the "oops ... how did that code get there" trouble in Junos OS and that it will kill off Dual Elliptic Curve (Dual_EC) encryption in ScreenOS.

The company says it hired a "respected security organization" that "undertook a detailed investigation of ScreenOS and Junos OS® source code."

"After a detailed review, there is no evidence of any other unauthorized code in ScreenOS nor have we found any evidence of unauthorized code in Junos OS. The investigation also confirmed that it would be much more difficult to insert the same type of unauthorized code in Junos OS."

Which doesn't mean the company has a clean bill of health, because Juniper has decided to remove Dual_EC from ScreenOS sometime in the first half of 2016.

Both news nuggets landed in an after-hours, take-out-the-trash-and-hope-the-press-don't-notice blog post issued on Friday evening US time.

Senior veep and CIO Bob Worrall writes that the Dual_EC and ANSI X9.31 crypto will both be replaced by “the same random number generation technology currently employed across our broad portfolio of Junos OS products”.

After the “unauthorised code” was discovered in December, Juniper released an update.

Stephen Checkoway of the University of Chicago and a bunch of high-profile collaborators (including Johns Hopkins cryptographer Matt Green and Metasploit's HD Moore) wrote in December that the ScreenOS Dual_EC implementation inexplicably used a 32-byte nonce (a use-once number generated while initialising an encrypted channel). The longer nonce makes it much easier to recover encrypted communications, and most crypto authors settle on a 20-byte nonce. ®
