25

Part of the Snowden revelations was that the NSA had targeted IPSec.

But I'm having trouble separating FUD from legitimate issues.

How credible is this? Are there ways to use IPSec to be confident against it being broken?

I like IPSec because it's fast and standard, so I'd like to continue using it instead of say, OpenVPN if possible.

Steffen Ullrich
Paul Draper
  • 3
    I was under the impression that the NSA was attacking IPSec using things like PRNG backdoors, precomputation attacks on popular DH parameters, or MITM attacks using stolen certificates. – user Dec 29 '20 at 19:20
  • 3
    The answers to [Is HTTPS still NSA-safe?](https://security.stackexchange.com/q/60717/3365) probably all apply here, as well. No fundamental breaks, just leaning hard on the weak parts of opsec. – gowenfawr Dec 29 '20 at 19:37
  • 2
    An old accusation was that NSA encouraged IPsec complexity (presumably to increase the chance of people shooting themselves in the foot, or to give more room for implementation backdoors a la the Juniper issue) but I don't know if there's concrete evidence for it. – Matt Nordhoff Dec 30 '20 at 14:40
  • (or perhaps just to discourage interoperable adoption) – Matt Nordhoff Dec 30 '20 at 14:52
  • I thought I had seen something about an IKEv1 flaw in a Snowden document but when I went looking for it again I could not find it. – Michael Hampton Dec 30 '20 at 18:56

1 Answer

43

There was definitely a backdoor into the IPSec implementation of Juniper appliances. This backdoor was caused by a weak random generator designed for such backdoors. It is known that this random generator was designed by the NSA. But it is not publicly known who deliberately put this backdoored random generator into the IPSec implementation of Juniper. For more information see, for example, "Researchers Solve Juniper Backdoor Mystery; Signs Point to NSA".

That does not mean that IPSec itself is compromised though, but only this specific implementation. IPSec itself is an open protocol with many implementations. While a cryptographically secure random generator is required for IPSec, it is not part of the protocol itself, which also means that the specific backdoored random generator was not part of the IPSec specification. Nothing shows inherent security issues of the IPSec protocol itself.

Steffen Ullrich
  • 1
    If anyone wants to read how Dual_EC_DRBG works, see [Does the backdoor in Dual_EC_DRBG work like that?](https://crypto.stackexchange.com/q/51532/18298) from Cryptography – kelalaka Dec 31 '20 at 15:40