Stephen Checkoway [no really.ed] , an Assistant Professor at the Department of Computer Science at the University of Illinois at Chicago, has analyzed some of the exploit code included in the recent Equation Group leak and is completely underwhelmed.
Checkoway looked at the source code of the BANANAGLEE exploit, which targets Juniper firewalls which he knows a bit about.
The security boffin looked at the key generation system and the process of redirecting IP packets and thought the whole thing was “ridiculous.”
“There’s no reason to read 32 bytes from /dev/urandom. There’s no benefit to calling rand(3) so many times. It’s a little ridiculous to be seeding with srandom(3) and calling rand(3), but in this particular implementation, rand(3) does nothing but call random(3).”
That is all you need to know apparently. But the NSA’s finest made matters worse. Rather than having 2128 possible 128-bit keys, this procedure can only produce 264 distinct keys. Chekoway thought this stuff up was worthy of an exclamation mark.
This means the key generation system was yielding a much smaller number of options to choose a random key, and all of it was the result of bad coding.
“It’s a 1/18446744073709551616 fraction of the total 340282366920938463463374607431768211456 possible 128-bit keys,” he added via email. So while there might be some good parts to the code, the cryptography is pants.
The professor adds the code has some “boring memory leaks,” but the part that really ticked him off resided in the mechanism that encrypts IP packets sent via this redirection process.
Checkoway found that 128-bit keys are actually generated with 64 bits of entropy instead of the intended 128, the “supposed” NSA coders repeated cipher IVs for the encryption, there was no authentication of the encrypted communications channel, and there was “sloppy and buggy code.”