The Unintended Consequences of Encryption ‘Backdoors’

For those invested in the integrity of web commerce, there is a must-read blog post by Matthew Green, a cryptographer and professor at Johns Hopkins University:

If you are too busy, at least read my summary.

Juniper Networks recently posted a security advisory enumerating two separate CVEs (Common Vulnerabilities and Exposures), CVE-2015-7755 and CVE-2015-7756, in the DHS National Vulnerability Database, a repository of known software flaws that compromise FIPS (Federal Information Processing Standard) regulations.

These CVEs describe software flaws in the firmware of Juniper Networks Secure Services Gateway (SSG) models SSG 50 & SSG 5xx. These devices provide ‘firewall’ and VPN gateway services. CVEs score the vulnerability attributes and criticality; CVE-2015-7755 is an ‘authentication’ flaw with a score of 10.0 (CRITICAL).

These two CVEs in combination provide a ‘back-door’ into the firmware implementing a widely used encryption algorithm for Elliptic Curve Cryptography, but more ominously involve a ‘backdoor-on-the-backdoor’ which, when exploited, allows adversaries to read all communications (thought to be encrypted) in plaintext.

This illustrates how requests by ‘three-letter’ federal agencies (to provide encryption keys and/or add backdoors), if implemented, can introduce yet more dangerous vulnerabilities.
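To make the risk described above concrete, here is an added toy model (my own illustration, not code from Green's post, from Juniper, or from the advisory). It is patterned on the Dual EC random number generator that the second CVE concerns, a detail this post does not spell out: a generator whose public parameters P and Q hide a trapdoor d with P = Q^d, so that whoever holds d can turn one published output (the handshake nonce) into the next output (the gateway's ephemeral key) and read the session. Replacing Q in the firmware with one built from a different d is the ‘backdoor-on-the-backdoor’: the original key holder is locked out and the new one reads everything. The 1024-bit group is RFC 2409 group 2, used as a stand-in for the elliptic curve so the arithmetic stays plain modular exponentiation; the counter-mode cipher, the handshake layout and every name are assumptions made for the example.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy model (added example, not vendor or advisory code).
# 1024-bit MODP group from RFC 2409 (group 2) stands in for the elliptic-curve
# group of the real generator.
P_MOD = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GEN = 2
ORDER = P_MOD - 1


class TrapdoorDRBG:
    """Toy analogue of a Dual-EC-style generator: state s advances as P^s and
    the output is Q^s. If P == Q^d for a d someone knows, one output hands
    them the next state (simplification: the real generator works on an
    elliptic curve and truncates its output; neither is modelled here)."""

    def __init__(self, P, Q, seed):
        self.P, self.Q, self.s = P, Q, seed

    def next_output(self):
        out = pow(self.Q, self.s, P_MOD)
        self.s = pow(self.P, self.s, P_MOD)
        return out


def random_trapdoor():
    """Pick d coprime to the group order so it is usable in replace_q()."""
    while True:
        d = secrets.randbelow(ORDER - 3) + 3
        if gcd(d, ORDER) == 1:
            return d


def make_params(d):
    """Public parameters (P, Q) hiding the trapdoor P = Q^d."""
    Q = pow(GEN, secrets.randbelow(ORDER - 3) + 3, P_MOD)
    return pow(Q, d, P_MOD), Q


def replace_q(P, d_new):
    """The 'backdoor on the backdoor': keep P, swap Q for Q' = P^(1/d_new),
    so that P == Q'^d_new and only the holder of d_new can use the trapdoor."""
    return pow(P, pow(d_new, -1, ORDER), P_MOD)


def derive_key(shared):
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()


def stream_xor(key, data):
    """Minimal SHA-256 counter keystream standing in for the VPN cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(x ^ k for x, k in zip(data[i:i + 32], block))
    return bytes(out)


def gateway_handshake(drbg, peer_public):
    """Gateway: one DRBG output goes on the wire in clear as the nonce; the
    very next output becomes the ephemeral Diffie-Hellman private exponent."""
    nonce = drbg.next_output()
    priv = drbg.next_output()
    public = pow(GEN, priv, P_MOD)
    return nonce, public, derive_key(pow(peer_public, priv, P_MOD))


def recover_key(d, Q, nonce, peer_public):
    """Passive observer holding d: nonce^d == P^s == the next state, and
    Q^(next state) is exactly the private exponent the gateway used."""
    next_state = pow(nonce, d, P_MOD)
    priv = pow(Q, next_state, P_MOD)
    return derive_key(pow(peer_public, priv, P_MOD))


def run_scenario(d_vendor, d_intruder=None,
                 message=b"constructed sample: route update 10.0.0.0/8 via vpn0"):
    """Returns which parties can read the session: the legitimate peer, the
    designer of the trapdoor, and (if Q was swapped) the intruder."""
    P, Q = make_params(d_vendor)
    if d_intruder is not None:
        Q = replace_q(P, d_intruder)  # firmware parameter silently swapped
    drbg = TrapdoorDRBG(P, Q, seed=secrets.randbelow(ORDER - 3) + 3)

    peer_priv = secrets.randbelow(ORDER - 3) + 3
    peer_public = pow(GEN, peer_priv, P_MOD)
    nonce, gw_public, gw_key = gateway_handshake(drbg, peer_public)
    ciphertext = stream_xor(gw_key, message)

    peer_key = derive_key(pow(gw_public, peer_priv, P_MOD))
    results = {"peer": stream_xor(peer_key, ciphertext) == message,
               "vendor": stream_xor(recover_key(d_vendor, Q, nonce, peer_public),
                                    ciphertext) == message}
    if d_intruder is not None:
        results["intruder"] = stream_xor(recover_key(d_intruder, Q, nonce, peer_public),
                                         ciphertext) == message
    return results


if __name__ == "__main__":
    print("trapdoor held by its designer only:", run_scenario(random_trapdoor()))
    print("Q replaced by a second party:       ", run_scenario(random_trapdoor(), random_trapdoor()))
```

The first run shows the designed-in escrow working as intended: the peer and the trapdoor holder both read the session. The second run is the post's warning in miniature: after Q is replaced, the original holder's d no longer works, the intruder's does, and the legitimate peer never sees any difference on the wire. Nothing about the handshake changed; only a constant in the firmware did.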

About Don

Former VP/GM, Enterprise Application Development in several NASDAQ companies
Partner Engagement Manager (Kforce, Inc.); development / deployment of Guest Experience Platform (Carnival Cruise Line)
Chief Information Security Officer (CISO) Certification - Carnegie Mellon CIO Institute
Certified Information Systems Security Professional (CISSP)
Masters, Professional Studies, Georgetown University
This entry was posted in Cyber Risk. Bookmark the permalink.
