DUHK (Don't Use Hard-coded Keys) is a vulnerability that affects devices using the ANSI X9.31 pseudorandom number generator (RNG) together with a hard-coded key. The ANSI X9.31 RNG is a block-cipher-based generator that, until it was removed from the FIPS 140-2 approved list in January 2016, was commonly used to generate the cryptographic keys that secure VPN connections and web browsing sessions, preventing third parties from reading intercepted communications.
DUHK is the third crypto-related vulnerability reported in October 2017, after the KRACK Wi-Fi attack and the ROCA factorization attack.
The vulnerability affects products from dozens of vendors, including Fortinet, whose devices rely on the ANSI X9.31 RNG, an outdated pseudorandom number generation algorithm, 'in conjunction with a hard-coded seed key.'
Discovered by cryptography researchers Shaanan Cohney, Nadia Heninger, and Matthew Green, DUHK is a 'state recovery attack': an attacker who already knows the hard-coded key and can passively observe some of the generator's output (for example, nonces sent in the clear during a handshake) can recover the generator's current internal state. No active man-in-the-middle position is needed; observing the traffic is enough.
With the key and the recovered state in hand, the attacker can recompute every later output of the generator (and, because the block cipher is invertible, earlier outputs as well), including the values from which the session's encryption keys are derived. That lets the attacker recover encrypted data that could 'include sensitive business data, login credentials, credit card data and other confidential content.'
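To make the state recovery concrete, here is an added example, written for this page and not code from the DUHK researchers or from any vendor, that implements the X9.31 generator in Go with AES-128 as the block cipher and then plays the passive attacker against it. Everything beyond the X9.31 equations themselves is an assumption made for the example: the value of `hardcodedKey` is a placeholder, the timestamp block `DT` is modelled as seconds plus a per-call counter, and the attacker is assumed to know the second but not the counter, which it brute-forces. That unknown counter stands in for whatever timestamp bits a real attacker cannot read off the wire.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Placeholder for a vendor's hard-coded X9.31 key; value made up for this example.
var hardcodedKey = []byte("DUHK-example-key")

func xor16(a, b []byte) []byte {
	out := make([]byte, 16)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func enc(blk cipher.Block, in []byte) []byte {
	out := make([]byte, 16)
	blk.Encrypt(out, in)
	return out
}

// X931 is the ANSI X9.31 generator with AES-128 as the block cipher E_K.
type X931 struct {
	blk cipher.Block // E_K; K never changes for the life of the device
	v   []byte       // the secret 16-byte state V
}

func NewX931(key, seed []byte) *X931 {
	blk, err := aes.NewCipher(key)
	if err != nil || len(seed) != 16 {
		panic("X9.31/AES-128 needs a 16-byte key and a 16-byte seed")
	}
	return &X931{blk: blk, v: append([]byte(nil), seed...)}
}

// DT models the 16-byte timestamp block as 8 bytes of seconds plus an 8-byte
// per-call counter. This layout is an assumption made for the example.
func DT(secs, counter uint64) []byte {
	b := make([]byte, 16)
	binary.BigEndian.PutUint64(b[:8], secs)
	binary.BigEndian.PutUint64(b[8:], counter)
	return b
}

// Output is one X9.31 output block: I = E_K(DT), R = E_K(I xor V).
func Output(blk cipher.Block, dt, v []byte) []byte {
	return enc(blk, xor16(enc(blk, dt), v))
}

// NextState is the X9.31 update V' = E_K(R xor E_K(DT)). It needs only K, DT
// and the output R, which is exactly what a passive attacker has.
func NextState(blk cipher.Block, dt, r []byte) []byte {
	return enc(blk, xor16(r, enc(blk, dt)))
}

func (g *X931) Next(dt []byte) []byte {
	r := Output(g.blk, dt, g.v)
	g.v = NextState(g.blk, dt, r)
	return r
}

// RecoverState is the attacker: it knows K, has observed two consecutive
// outputs r1 and r2 emitted within the same second, and knows that second
// but not the counter. It brute-forces the counter until the recovered
// state reproduces r2 and returns the state after r2 plus the counter found.
func RecoverState(key []byte, secs, maxCounter uint64, r1, r2 []byte) ([]byte, uint64, bool) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	for c := uint64(0); c < maxCounter; c++ {
		v2 := NextState(blk, DT(secs, c), r1)
		if bytes.Equal(Output(blk, DT(secs, c+1), v2), r2) {
			return NextState(blk, DT(secs, c+1), r2), c, true
		}
	}
	return nil, 0, false
}

func main() {
	dev := NewX931(hardcodedKey, []byte("unknown-dev-seed")) // seed never seen by the attacker
	secs, ctr := uint64(1508889600), uint64(4242)
	r1 := dev.Next(DT(secs, ctr))   // e.g. a nonce sent in the clear
	r2 := dev.Next(DT(secs, ctr+1)) // a second observed output
	r3 := dev.Next(DT(secs, ctr+2)) // secret material the attacker wants
	v3, found, ok := RecoverState(hardcodedKey, secs, 1<<16, r1, r2)
	if !ok {
		fmt.Println("state recovery failed")
		return
	}
	blk, _ := aes.NewCipher(hardcodedKey)
	fmt.Printf("counter=%d, predicted r3 matches: %v\n", found,
		bytes.Equal(Output(blk, DT(secs, found+2), v3), r3))
}
```

Run it with `go run`. The point to notice is what the recovery does not need: the seed `unknown-dev-seed` is never seen by the attacker, yet two output blocks plus the hard-coded key are enough to predict every later output exactly. Since E_K is also invertible, V = D_K(R) xor E_K(DT) lets the same attacker walk the generator backwards, so outputs produced before the observed ones fall too.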
Who is vulnerable?
Traffic from any VPN using FortiOS 4.3.0 to FortiOS 4.3.18 can be decrypted by a passive network adversary who can observe the encrypted handshake traffic. Other key recovery attacks on different protocols may also be possible.
How to protect against DUHK:
- Developers of cryptographic software should stop using the X9.31 generator and move to a currently approved design seeded from an unpredictable source, such as the DRBGs in NIST SP 800-90A.
- Operators should apply vendor software updates promptly; users of the affected FortiOS 4.3 releases should upgrade to a release that no longer uses X9.31 with a hard-coded key.
- Vendors should bring products into line with current standards; X9.31 was removed from the FIPS 140-2 approved list in January 2016.
The researchers put the broader lesson this way: the DUHK attack is a historical failure of the federal standardization process for cryptography. The general vulnerability has been known for at least two decades, yet none of the descriptions of the algorithm they could find mentioned that the seed key should be unpredictable to the attacker.
This vulnerability should be viewed in the context of a multi-year line of research showing how subverted standards, parameter choices, subtle vulnerabilities, and implementation flaws might allow state-level actors to passively decrypt encrypted network traffic.