Juniper announced it will close a NIST encryption standard also believed to contain a NSA backdoor, as was first discovered by cryptography researcher Bruce Schneier in November 2007.
In a blog post, Juniper noted that an outside security vendor was brought in to assist in searching for other instances. There was “no evidence of any other unauthorized code” in ScreenOS software and Junos OS source code, according to the company. “We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products,” wrote Juniper chief information officer Bob Worrall.
Following Juniper Networks’ disclosure of two unauthorized backdoors in its NetScreen products last month, the firewall company has struggled to regain credibility as a stream of information about the backdoor continue to surface.
The announcement comes as a coalition of encryption experts and organizations led by Access Now signed an open letter supporting strong encryption and opposing government backdoors. The letter was signed by former CIA official John Kiriakou, United Nations special rapporteur on the promotion and protection of the right to freedom of opinion and expression David Kaye, cryptographer professor and researcher Matthew Green, Tor project core member Jacob Appelbaum, Human Rights Watch, and secure-messaging device maker Silent Circle.
“Recently, a backdoor was found in Juniper – a product used by the U.S. government and others to provide remote access to employees’ work computers, wrote security researcher Bruce Schneier, according to an email sent to SCMagazine.com by Access Now. “Once the exploit was announced, it was discovered by hackers within seven hours. Forcing companies to build backdoors into their products puts targets on the backs of the companies and their users.”