Juniper Networks, which last month made the startling announcement its NetScreen line of firewalls contained unauthorized code that can surreptitiously decrypt traffic sent through virtual private networks, said it will remove a National Security Agency-developed function widely suspected of also containing a backdoor for eavesdropping.
The networking company said in a blog post published Friday that it will ship product releases in the next six months that remove the Dual_EC_DRBG random number generator from NetScreen firewalls. Security researchers have known since 2007 that it contains a weakness that gives knowledgeable adversaries the ability to decrypt encrypted communications that rely on the function. Documents provided by former NSA subcontractor Edward Snowden showed the weakness could be exploited by the US spy agency, The New York Times reported in 2013.
A month after the NYT report was published, Juniper officials wrote in a knowledge base article that NetScreen encryption couldn't be subverted by the weakness because Dual_EC_DRBG wasn't the sole source for generating the random numbers needed to ensure strong cryptography. The Juniper post said NetScreen also relied on a separate random number generator known as ANSI X.9.31 that made it infeasible to exploit the Dual_EC_DRBG weaknesses. Random number generators are a crucial ingredient in strong cryptography. Their role is similar to the shaking of dice at a craps table and ensure that keys contain enough entropy to make them infeasible to guess or predict.