This is the 3rd post of a series of blogpost on RWC2016. Find the notes from day 1 here.
I'm a bit washed out after three long days of talk. But I'm also sad that this comes to an end :( It was amazing seeing and meeting so many of these huge stars in cryptography. I definitely felt like I was part of something big. Dan Boneh seems like a genuine good guy and the organization was top notch (and the sandwiches amazing).
practical attacks found as well in TLS on JSSE, Bouncy Castle, ...
exception occurs if padding is wrong, it's caught and the program generates a random. But exception consumes about 20 microseconds! -> timing attacks (case JSSE CVE-2014-411)
invalid curve attack
send invalid point to the server (of small order)
server doesn't check if the point is on the EC
attacker gets information on the discrete log modulo the small order
repeat until you have enough to do a large CRT
they analyzed 8 libraries, found 2 vulnerable
pretty serious attack -> allows you to extract server private keys really easily
works on ECDH, not on ECDHE (but in practice, it depends how long they keep the ephemeral key)
HSM scenarios: keys never leave the HSM
they are good candidates for these kind of "oracle" attacks
they tested and broke Ultimaco HSMs (CVE-2015-6924)
<100 queries to get a key
11:10am - On Deploying Property-Preserving Encryption
tl;dw: how it is to deploy SSE or PPE, and why it's not dead
lots of "proxy" companies that translates your queries to do EDB without re-teaching stuff to people (there was a good slide on that that I missed, if someone has it)
searchable symmetric encryption (SSE): you just replace words by token
threat model is different, clients don't care if they hold both the indexes and the keys
two kinds of order preserving encryption (OPE):
stateless OPE (deterministic -> unclear security)
interactive OPE (stateful)
talks about how hard it is to deploy a stateful scheme
many leakage-abused attacks on PPE
crypto researcher on PPE: "it's over!", but the cost and legacy are so that PPE will still be used in the future
I think the point is that there is nothing practical that is better than PPE, so rather than using non-encrypted DB... PPE will still hold.
11:30am - Inference Attacks on Property-Preserving Encrypted Databases
tl;dw: PPE is dead, read the paper
analysis have been done and it is known what leaks and cryptanalysis have been done from these information
real data tends to be "non-uniform" and "low entropy", not like assumptions of security proofs
frequency analysis: come on we all know what that is
Lp-optimization: better way of mapping the frequency of auxilliary data and the ciphertexts
sorting attacks: just sort ciphertextxs and your auxiliary data, map them
this fails if there is missing items in the ciphertexts set
cumulative attack improve on this
check page 6 of the paper for explanations on these attacks. All I was expecting from this talk was explanation of the improvements (Lp and cumulative) but they just flied through them (fortunately they seem to be pretty easy to understand in the paper). Other than that, nothing new that you can't read from their paper.
2:00pm - Cache Attacks on the Cloud
tl;dw: cache attacks can work, maybe
hypervisor (VMM) ensures isolation through virtualization
VMs might feel each other's load on some low-level resources -> potential side channels
covert channel in the cloud?
LLC is cross core (L3 cache)
priming: find eviction set: memory line that when loaded to cache L3 will occupy a line we want to monitor
probing: when trying to access the memory line again, if it's fast that means no one has used the L3 cache line
to get crypto keys from that you need to detect key-dependent cache accesses
for RSA check timing and number of times the cache is accessed -> multiplications
for AES detect the lookup table access in the last round (??)
cross-VM cache attacks are realistic?
attack 1 (can't remember) (hu)
co-location: detect if they are on the same machine (dropbox) [RTS09]
they tried the same on AWS EC2, too hard now (hu)
new technique: LLC Cache accesses (hu)
new technique: memory bus contention [xww15, vzrs15]
once they knew they were on the same machine through colocation what to target?
libgcrypt's RSA use CRT, sliding window exponentiation and message blinding (see end of my paper to see explanation of message blinding)
cache attacks in public cloud work
but still noise and colocation problem
open problem: countermeasures?
what about non-crypto code?
Why didn't they talk of flush+reload and others?
2:30am - Practicing Oblivious Access on Cloud Storage: the Gap, the Fallacy, and the New Way Forward
Oblivious RAM, he doesn't want to explain how it works
how close is ORAM to practice?
implemented 4 different ORAM system from the litterature and got some results from it
CURIOUS, what they made from these research, is open-source. It's made in Java... such sadness.
Didn't get much from this talk. I know this is "real world" crypto but a better intro on ORAM would have been nicer, also where does ORAM stands in all the solutions we already have (fortunately the previous talk had a slide on that already). Also, I only read about it in FHE papers/presentations, but there was no mention of FHE in this talk :( well... no mention of FHE at all in this convention. Such sadness.
From their paper:
An Oblivious RAM scheme is a trusted mechanism on a client, which helps an application or the user access the untrusted cloud storage. For each read or write operation the user wants to perform on her cloud-side data, the mechanism converts it into a sequence of operations executed by the storage server. The design of the ORAM ensures that for any two sequences of requests (of the same length), the distributions of the resulting sequences of operations are indis-tinguishable to the cloud storage. Existing ORAM schemes typically fall into one of the following categories: (1) layered (also called hierarchical), (2) partition-based, (3) tree-based; and (4) large-message ORAMs.
2:50pm Replacing Weary Crypto: Upgrading the I2P network with stronger primitives
This is the 2nd post of a series of blogpost on RWC2016. Find the notes from day 1 here.
disclaimer: I realize that I am writing notes about talks from people who are currently surrounding me. I don't want to alienate anyone but I also want to write what I thought about the talks, so please don't feel offended and feel free to buy me a beer if you don't like what I'm writing.
And here's another day of RWC! This one was a particularly long one, with a morning full of blockchain talks that I avoided and an afternoon of extremely good talks, followed by a suicidal TLS marathon.
09:30 - TLS 1.3: Real-World Design Constraints
tl;dw: hello tls 1.3
DJB recently said at the last CCC:
"With all the current crypto talks out there you get the idea that crypto has problems. crypto has massive usability problems, has performance problems, has pitfalls for implementers, has crazy complexity in implementation, stupid standards, millions of lines of unauditable code, and then all of these problems are combined into a grand unified clusterfuck called Transport Layer Security.
For such a complex protocol I was expecting the RWC speakers to make some effort. But that first talk was not clear (as were the other tls talks), slides were tiny, the speaker spoke too fast for my non-native ears, etc... Also, nothing you can't learn if you already read this blogpost.
10:00 - Hawk: Privacy-Preserving Blockchain and Smart Contracts
tl;dw: how to build smart contracts using the blockchain
first slide is a picture of the market cap of bitcoin...
lots of companies are doing this block chain stuff:
DAPS. No idea what this is, but he's talking about it.
Dapps are based on a token-economy utilizing a block chain to incentivize development and adoption.
bitcoin privacy guarantees are abysmal because of the consensus on the block chain.
contracts done through bitcoin are completely public
their solution: Hawk (between zerocash and ethereum)
uses zero knowledge proofs to prove that functions are computed correctly
blablabla, lots of cool tech, cool crypto keywords, etc.
As for me, this tweet sums up my interest in the subject.
So instead of playing games on my mac (see bellow (who plays games on a mac anyway?)). I took off to visit the Stanford campus and sit in one of their beautiful library
12:00 - Lightning talks.
I'm back after successfuly avoiding the blockchain morning. Lightning talks are mini talks of 1 to 3 minutes where slides are forbidden. Most were just people hiring or saying random stuff. Not much to see here but a good way to get into the talking thing it seems.
(Sorry Tanja :D). Overall the idea of the paper is how to generate a safe curve that the public can trust. They use the Blum Blum Shub PRNG to generate the parameters of the curve, iterating the process until it completes a list of checks (taken from SafeCurves), and seeding with several drawings from lotteries around the world in a particular timeframe (I think they use a commitment for the time frame) so that people can see that these numbers were not chosen in a certain ways (and would thus be NUMS).
14:00 - An Update on the Backdoor in Juniper's ScreenOS
Slides are here. The talk was entertaining and really well communicated. But there was nothing majorly new that you can't already read in my blogpost here.
it happened around Christmas, lots of security people have nothing to do around this period of the year and so the Juniper code was reversed really quickly (haha).
the password that looks like a format string was already an idea taken straight from a phrack 2009 issue (0x42)
Developing a Trojaned Firmware for Juniper ScreenOS Platforms
unfiltered Dual EC outputs (the 30 bytes of output and 2 other bytes of a following Dual EC output) from a IKE nonce
but the Key Exchange is done before generating the nonce? They're still working on verifying this on real hardware (they will publish a paper later)
in earlier versions of ScreenOS the nonces used to be 20 bytes, the RNG would output 20 bytes only
When they introduced Dual EC in their code (Juniper), they also changed the nonce length from 20 bytes to 32 bytes (which is perfect for easy use of the Dual EC backdoor). Juniper did that! Not the hackers.
they are aware, through their disclosure, that it is "exploitable"
the new patch (17 dec 2015) removed the SSH backdoor and restored the Dual EC point.
A really good question from Tom Ritter: "how many bytes do you need to do the attack".
Answer: truncated output of Dual EC is 30 bytes (instead of 32), so you need to bruteforce the 2 bytes. To narrow the search space, 2 bytes from the next output is practical and enough. So ideally 30 bytes and 2 bytes from a following output allows for easy use of the Dual EC backdoor.
A smash and grab raid or smash and grab attack (or simply a smash and grab) is a particular form of burglary. The distinctive characteristics of a smash and grab are the elements of speed and surprise. A smash and grab involves smashing a barrier, usually a display window in a shop or a showcase, grabbing valuables, and then making a quick getaway, without concern for setting off alarms or creating noise.
The Ashley Madison breach is interesting because they used bcrypt and salting with high cost parameter, which is better than industry norms to protect passwords.
he cracked 4000 passwords from the leaks anyway
millions of password were cracked a few weeks after
He has done some research and has come up with a response: PASS, password hardening and typo correctors
the hmac with the private key transforms the offline attack in an online attack because the attacker now needs to query the PRF service repeatidly.
"the facebook approach" is to use a queriable "PRF service" for the hmac, it makes it easier to detect attacks.
but several drawbacks:
1) online attackers can instead record the hashes (mostly because of this legacy code)
2) the PRF is not called with a per-user granularity (same for all users) -> hard to implement fined-grained rate limiting (throtteling/rate limiting attempts, you are only able to detect global attacks)
3) no support for periodic key rotations -> if they detect an attack, they now need to add new lines in their key hashing rotting onion
PASS uses a PRF Service, same as facebook but also:
1) blinding (PRF can't see the password)
2) graceful key rotation
3) per-user monitoring
the blinding is a hash raised to a power, unblinding is done by taking the square root of that power (but maybe he simplified an inverse modulo something?)
a tweek t is sent as well, basically the user id, it doesn't have to be blinded and so they invented a new concept of "partially oblivious PRF" (PO-PRF)
the tweak and the blinded password are sent to the PRF which uses a bilinear pairing construction to do the PO-PRF thingy (this is a new use case fo bilinear pairing apparently).
it's easy to implement, completely transparent to users, highly scalable.
typos corrector: idea of a password correctors for famous typos (ex: a capitalized first letter)
facebook does this, vanguard does this...
intuition tells you it's bad: an attacker tries a password, and you help him find it if it's almost correct.
they instrumented dropbox for a period of 24 hours (for all users) to implement this thing
they took problems[:3] = [accidental caps lock key, not hitting the shift key to capitalize the first letter, extra unwanted character]
they corrected 9% of failed password submissions
minimal security impact, according to their research "virtually no security loss"
Server Name Indication (SNI) is an extension to the TLS computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other Service over TLS) to be served off the same IP address without requiring all those sites to use the same certificate
lots of session resumption by ticket -> this is good
low number of handshakes -> that means they store a lot of session tickets!
very low resumption by session ID (why is this a good thing?)
they haven't turned off RC4 yet!
something in the audience tells him about downgrade attacks, outch!
the referrer field in the http header is empty when you go on another website from a https page! Is that important... no?
it's easy for a simple website to go https (let's encrypt, ...), but for a big company, fiou it's hard!
still new feature phones that can't access tls (do they care? mff)
16:30 - No More Downgrades: Protecting TLS from Legacy Crypto
not enough post quantum (and people are scared of that)
need to remove rsa1024
AES-CTR is malleable, MAC allows tagging attacks if first and third relays are evil -> woot?
Here's a blogpost from Tom Ritter about tagging attacks. The idea: the first node XOR some data to the ciphertext, the third node sees the modified data in clear (if the data is not going through https). So with two evil nodes, being the first and last, you can know who is visiting what website (traffic correlation).
There was also something about doing it with the sha1, and something about adding a MAC between each relay. But I missed that part, if someone can fill in the blanks for me?
they want to use AEZ in the future (rogaway)? or HHFHFH? (djb)
This is scary as many have stated. Djb said "crypto should be boring" (at least I heard he said that), and he's totally right. Or at least double encrypt (AES(AEZ(m)))
AEZ is an authenticated cipher (think AES-GCM or chacha20-poly1305) that is part of the CAESAR competition
HHFHFH is ...? No idea, if someone knows what Nick is talking about?
tl;dw: how to do an anonymous survey product with a nice UX (paper is here)
problems of a surveys:
you want authenticity (only authorized users, only one vote per person)
anonymity (untracable response)
surveymonkey (6% of the survey online):
they don't care about double votes
special URLs to trace responses to single users/groups
anyone who infiltrate the system can get that info
they do everything wrong
1) you create a public key
2) create survey, unique URL for everyone
3) you fill out something, you get a QR code
what you submit is a [response, token] with the token a ZK proof for... something.
they will publish API, and it's artistic
The talk was mostly spent on showing how beautiful the UX was. I would have prefered something clearer on how the protocol was really working (but maybe other understood better than me...)
11:10 - Cryptography in AllJoyn, an Open Source Framework for IoT
tl;dw: the key exchange protocol behind their AllJoyn, the security of devices that uses this AllJoyn api/interface...
What's AllJoyn? Something that you should use in your IoT stuff apparently:
AllJoyn is an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
they want security to be the same whatever they use (tcp, udp, ip, bluetooth, etc.) so they created their own TLS-like protocol with way less options
Verification engineers can use SAW to prove that a program implements its specification.
Security analysts can have SAW generate models identifying constraints on program control flow to identify inputs that can reach potentially dangerous parts of a program.
Cryptographers can have SAW generate models from production cryptographic code for import and use within Cryptol.
takes to 10-100 minutes to verify a crypto primitive
if you have a high formulation of your algorithm, why not make it write code?
12:00 - The first Levchin prize for contributions to real-word cryptography
tl;dw: dude with a lot of money decides to give some to influencal cryptographers every year, also gives them his name as a reward.
The Levchin prize honors significant contributions to real-world cryptography. The award celebrates recent advances that have had a major impact on the practice of cryptography and its use in real-world systems. Up to two awards will be given every year and each carries a prize of $10,000.
$10,000, twice a year. It's the first edition. Max Levchin is the co-founder of paypal, he likes puzzles.
first prize is awarded to Phillip Rogaway (unanimously) -> concrete security analysis, authenticated encryption, OCD, synack, format-preserving encryption, surveillance resistance crypto, etc. Well the guy is famous.
second award goes to several people from INRIA for the miTLS project (Karthikeyan Bhargavan, Cedric Fournet, Markulf Kohlweiss, Alfredo Pironti). Well deserved.
14:00 - PrivaTegrity: online communication with strong privacy
Well. David Chaum, Privategrity: "A wide range of consumer transcations multiparty/multijurisdiction -- efficientyl!"
I won't comment on that. Everything is in these slides:
I mean seriously, if you use slides like that, and talk really loud, people will think you are a genius? Or maybe the inverse. I'm really confused as to why that guy was authorized to give a talk.
A direct-recording electronic (DRE) voting machine records votes by means of a ballot display provided with mechanical or electro-optical components that can be activated by the voter (typically buttons or a touchscreen); that processes data by means of a computer program; and that records voting data and ballot images in memory components. After the election it produces a tabulation of the voting data stored in a removable memory component and as printed copy. The system may also provide a means for transmitting individual ballots or vote totals to a central location for consolidating and reporting results from precincts at the central location. The device started to be massively used in 1996, in Brazil, where 100% of the elections voting system is carried out using machines.
In 2004, 28.9% of the registered voters in the United States used some type of direct recording electronic voting system, up from 7.7% in 1996.
13 millions LOC. WTF
1) print zero tape first to prove no one has voted (meaningless)
2012, gov organized an open contest to find vulns in the system (what he did), extremly restricted, just a few hours, no pen/paper
he found hardcoded keys in plain sight
gov says it's a "voting software that checks itself" (what does it mean? canary in the assembly code? Complety nonsense and non-crypto)
he tried a grep -r rand * and...
got a match in a file: srand(time(NULL))
this is predictible if you know the time, and they know the machines are launched between 7 and 8am. Bruteforce?
the time is actually public, no need for brute force...
gov asked if hashing the time would work, no? Well hashing the time twice then?
finally fixed by using /dev/urandom although the voting machines have two hardware RNGs
YouInspect: initiative, take pictures of the vote ticket, upload it (didn't get what was the point of that, didn't seem to yield any useful results)
14:50 - The State of the Law: 2016
15:50 - QUIC Crypto
the only talk with very few slides. Adam Langley only used them when he needed pedagogical support. This is brilliant.
forward secure part of QUIC is better than forward secure in TLS (how? Didn't get that)
QUIC crypto will be replaced by TLS 1.3
QUIC will go on, but TLS works over TCP so they will have to make some changes?
There was this diagram where a client would send something to the server, if he didn't have the right ticket it wouldn't work, otherwise it would work... If you understood that part please tell me :)
16:20 - On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption
most used tls version is 1.0 (invented in 1999, when windows 98 was the most used OS)
pkcs#1 v1.5 is removed from tls 1.3
the bleichenbacher attack on pkcs#1 v1.5 is still possible.... attack explained here (the thing works if you have a server which supports both 1.3 and older versions)
idea of a solution?: use different certificates for 1.3 and 1.0
Someone from the audience: "no cool name and logo?"
16:40 - The State of Transport Security in the E-Mail Ecosystem
10 minutes of (painful) talk (but good job nonetheless Aaron: you went through to the end).
16:50 - Where the Wild Warnings Are: The TLS Story
tl;dw: users get certificate errors browsing the net because their clock is not correct.
users are getting used to errors, and tend to dismiss them
making stats of errors warning to users:
51% of warnings are non-overridable
41% of warnings are for facebook, youtube, google (because they are "portals to the web")
errors come from the client:
client clock misconfiguration (61%)
they have an error for that that allows you to fix your clock on android
can't send messages on whatsapp because of this problem as well
errors come from the server:
government has tons of errors with weird certificates
Someone in the public is suggesting that this is because the governments are trying to teach people to ignore these errors (obviously joking). Another one is saying that they might want users to add their "special certificate". Because it can overrides HSTS on rogue certificates. Don't know if this is true. But I'm thinking, why not add certificates for only the website that requests it. Like a certificate jail. Or maybe save the certificate in a different "user-added" folder, websites being signed by certificates from this folder would make chrome display "this website is signed by a certificate you added. If you think this is not normal blablabla".
APF is talking about how they are scared that users will get desensitized by errors, but why display errors? Why not just display a warning. That would annoy real servers and oblige them to get their certs in order, that would make the users suspicious but not unable to access their website (and to google for solutions like "just add the certificates in your root store").
Watson Ladd (that the host recognized) asked her how far from the real time the clock were setup. He thought maybe it could be the battery killing the laptop, NTP not working right away (I missed why) and so the time difference would be negative. In my understanding the clock difference was causing a problem because of certificates notBefore or notAfter fields, so that wouldn't be a problem.
Also people are wondering why these clocks are different, if they should fix it for the user? But maybe not since it might be that the user want his clock to be incorrect... I just remember a time when I would purposely modify the time so that I could keep using my time limited trials (photoshop?).
As I'm packing my bags to leave the temporary comfort of my parent's place, I'm taking the time to write a bit about my life (this is a blog after all).
I started this blog more than 2 years ago right before moving to Bordeaux to start a master in Cryptography. I had just finished a long bachelor of Mathematics between the universities of Lyon (France) and McMaster (Canada) and had decided to merge my major with an old passion of mine (Computer Science).
Hey guys, I'm David Wong, a 24 years old french dude who's going to start a Master of Cryptology in the university of Bordeaux 1.
I still have no clue what my future job will be, that's why I had the idea of making this small blog where I could post about my ventures into this new world and, hopefully, being able to take a step back and see what I did, what I liked, what happened in two years of Master (and maybe more).
I'll also post some thoughts about the new city I'll be moving to : Bordeaux. This is for at least 2 years, or less if I change my mind. Anyway, this is going to be exciting!
That was 2 years ago, and indeed those years are now filled with memories and achievements that I will forever cherish. If you're passing by France and you didn't plan a visit in Bordeaux, you're missing out.
But anyway, as you probably know since you don't miss any of my blogpost, I've been since hired by the same people and will be back in the office in two weeks. In two weeks because before then I will be at the Real World Crypto convention in Stanford university, and after that at NCC Con in Austin. A lot is going to happen in just a few weeks, plus I'll have to find a new place to live and re-calibrate with the desk I left behind...
With all the current crypto talks out there you get the idea that crypto has problems. crypto has massive usability problems, has performance problems, has pitfalls for implementers, has crazy complexity in implementation, stupid standards, millions of lines of unauditable code, and then all of these problems are combined into a grand unified clusterfuck called Transport Layer Security.
I wanted to check for weak private exponents in RSA public keys of big website's certificates. I went on scans.io and downloaded the Alex Top 1 Million domains handshake of the day. The file is called zgrab-results and weighs 6.38GB uncompressed (you need google's lz4 to uncompress it, get it with brew install lz4).
Then the code to parse it in python:
with open('rro2asqbnwy45jrm-443-https-tls-alexa_top1mil-20151223T095854-zgrab-results.json') as ff:
for line in ff:
lined = json.loads(line)
if 'tls' not in lined["data"] or 'server_certificates' not in lined["data"]["tls"].keys() or 'parsed' not in lined["data"]["tls"]["server_certificates"]["certificate"]:
server_certificate = lined["data"]["tls"]["server_certificates"]["certificate"]["parsed"]
public_key = server_certificate["subject_key_info"]
signature_algorithm = public_key["key_algorithm"]["name"]
if signature_algorithm == "RSA":
modulus = base64.b64decode(public_key["rsa_public_key"]["modulus"])
e = public_key["rsa_public_key"]["exponent"]
N = int(modulus.encode('hex'), 16)
print "modulus:", N
print "exponent:", e
I figured if the public exponent was too small (e.g. smaller than 1000000, an arbitrary lower bound), it would not work. Unfortunately it seemed like every single one of these RSA public keys were using the public exponent 65537.
PS: to parse other .csv files, just open sqlite and write .import the_file.csv tab, then .schema tab or any SQL query on tab will work ;)
But no details were to be found in this advisory. Researchers from the twitter-sphere started digging, and finally the two flaws were found. The first vulnerability is rather crypto-y and this is what I will explain here.
First, some people realized by diffing strings of the patched and vulnerable binaries that some numbers were changed
Then they realized that these numbers were next to the parameters of the P-256 NIST ECC curve. Worse, they realized that the modified values were these of the Dual EC PRNG: from a Juniper's product information page you could read that Dual EC had been removed from most of their products except ScreenOS. Why's that? No one knows, but they assured that the implementation was not visible from the outside, and thus the NSA's backdoor would be unusable.
Actually, reading the values in their clean binaries, it looks like they had changed the NSA's values introducing their own \(Q\) point and thus canceling NSA's backdoor. But at the same time, maybe, introducing their own backdoor. Below the NSA's values for the point \(P\) and \(Q\) from the cached NIST publications:
Reading the previous blog post, you can see how they could have easily modified \(Q\) to introduce their own backdoor. This doesn't mean that it is what they did. But at the time of the implementation, it was not really known that Dual EC was a backdoor, and thus there was no real reason to change these values.
According to them, and the code, a second PRNG was used and Dual EC's only purpose was to help seeding it. Thus no real Dual EC output would see the surface of the program. The second PRNG was a FIPS approved one based on 3DES and is -- as far as I know -- deemed secure.
Another development came along and some others noticed that the call for the second PRNG was never made, this was because a global variable pnrg_output_index was always set to 32 through the prng_reseed() function.
This advance was made because of Juniper's initial announcement that there were indeed two vulnerabilities. It seems like they were aware of the fact that Dual EC was the only PRNG being used in their code.
Now, how is the Dual EC backdoor controlled by the hackers? You could stop reading this post right now and just watch the video I made about Dual EC, but here are some more explanations anyway:
This above is the basis of a PRNG. You start it with a seed \(s_0\) and every time you need a random number you first create a new state from the current one (here with the function \(f\)), then you output a transformation of the state (here with the function \(g\)).
If the function \(g\) is one-way, the output doesn't allow you to retrieve the internal state and thus you can't predict future random numbers, neither retrieve past ones.
If the function \(f\) is one-way as well, retrieving the internal state doesn't allow you to retrieve past state and thus past random numbers generated by the PRNG. This makes the PRNG forward-secure.
This is Dual EC. Iterating the state is done by multiplying the current state with the point \(P\) and then taking it's \(x\)-th coordinate. The point \(P\) is a point on a curve, with \(x\) and \(y\) coordinates, multiplying it with an integer gives us a new point on the curve. This is a one-way function because of the elliptic curve discrete logarithm problem and thus our PRNG is forward-secure (the ECDLP states that if you know \(P\) and \(Q\) in \(P = dQ\), it's really hard to find \(d\)).
The interesting thing is that, in the attacker knows the secret integer \(d\) he can recover the next internal state of the PRNG. First, as seen above, the attacker recovers one random output, and then tries to get the full output: the real random output is done by truncating the first 16 bits of the full output. This is done in \(2^16\) iterations. Easy.
With our random number \(r_1\) (in our example), which is the \(x\) coordinate of our point \(s_1 Q\), we can easily recover the \(y\) coordinate and thus the entire point \(s_1 Q\). This is because of how elliptic curves are shaped.
Multiplying this point with our secret value \(d\) we obtain the next internal state as highlighted at the top of this picture:
This attack is pretty destructive and in the order of mere minutes according to Dan Bernstein et al
For completeness, it is important to know that there were two other constructions of the Dual EC PRNG with additional inputs, that allowed to add entropy to the internal state and thus provide backward secrecy: retrieving the internal state doesn't allow you to retrieve future states.
The first construction in 2006 broke the backdoor, the second in 2007 re-introduced it. Go figure...