After the disclosure of the KRACK and ROCA attacks, another attack scenario is alarming the IT community: the DUHK vulnerability (Don’t Use Hard-coded Keys), the latest cryptographic implementation flaw that could be exploited by attackers to recover encryption keys used to secure VPN connections and web browsing sessions.
The DUHK vulnerability was reported by the cryptography researchers Shaanan Cohney, Nadia Heninger, and Matthew Green.
The researchers have published technical details about the attack on a dedicated website.
“DUHK (Don’t Use Hard-coded Keys) is a vulnerability that affects devices using the ANSI X9.31 Random Number Generator (RNG) in conjunction with a hard-coded seed key.” wrote the researchers.
“The ANSI X9.31 RNG is an algorithm that until recently was commonly used to generate cryptographic keys that secure VPN connections and web browsing sessions, preventing third parties from reading intercepted communications.”
The DUHK vulnerability affects a wide range of products from dozens of vendors, including Cisco, Fortinet, and TechGuard. The vulnerability affects every device that relies on the outdated pseudorandom number generation algorithm ANSI X9.31 RNG ‘in conjunction with a hard-coded seed key.’
The bad news is that the ANSI X9.31 RNG was included in several cryptographic standards over the last three decades, until January 2016, when it was removed from the list of FIPS-approved pseudorandom number generation algorithms.
The problem stems from the fact that pseudorandom number generators are deterministic: they do not produce truly random numbers, so knowledge of the initial secret value (the seed) can be used to determine the numbers the algorithm generates.
Unfortunately, some vendors store the seed value hard-coded in the source code of their products. An attacker can obtain the seed by reverse-engineering that code.
DUHK is described as a ‘state recovery attack’: an attacker who knows the seed value can mount a man-in-the-middle attack to recover the generator’s current state after observing some of its outputs.
Attackers can then use those values to recompute the encryption keys and decrypt the traffic, potentially exposing sensitive data, including login credentials, credit card data, and other confidential information.
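To make the mechanism concrete, the following added example (not code from the researchers or from any affected vendor) implements the ANSI X9.31 generator in Python and shows why a hard-coded key K is fatal: once K is known, the state V that follows an output block is a function of that block and the (guessable) timestamp only, so the next output can be computed by anyone watching the stream. The same check fails when the device uses a key drawn fresh from the operating system at start-up, which is the mitigation. Assumptions: a keyed SHA-256 truncation stands in for the AES block encryption the real standard uses (X9.31 only needs the forward direction), the key value and timestamps are constructed for illustration, and all function names are the example’s own.

```python
import hashlib
import os

BLOCK = 16  # 128-bit blocks, as with the AES variant of X9.31


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher's forward (encryption) direction, the only
    # direction the X9.31 generator uses. Assumption for this example: a keyed
    # SHA-256 truncation in place of AES-128 so the code runs with the stdlib only.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class X931:
    """ANSI X9.31 generator: I = E_K(T); R = E_K(I xor V); V' = E_K(R xor I)."""

    def __init__(self, key: bytes, seed: bytes):
        self.key = key
        self.v = seed  # internal state V

    def next_block(self, timestamp: bytes) -> bytes:
        i = block_encrypt(self.key, timestamp)
        r = block_encrypt(self.key, xor(i, self.v))  # output block R
        self.v = block_encrypt(self.key, xor(r, i))  # next state V'
        return r


# Constructed, illustrative value standing in for a key baked into firmware.
HARDCODED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def recover_next_state(key: bytes, timestamp: bytes, observed_output: bytes) -> bytes:
    """With K known, the state after an output block depends only on public data."""
    i = block_encrypt(key, timestamp)
    return block_encrypt(key, xor(observed_output, i))


def predict_second_output(key: bytes, ts1: bytes, out1: bytes, ts2: bytes) -> bytes:
    """Given K, one observed output and the timestamps, compute the following output."""
    v = recover_next_state(key, ts1, out1)
    return X931(key, v).next_block(ts2)


def run_device(key: bytes) -> tuple:
    """Simulate a device that seeds V from the OS and emits two blocks at consecutive seconds."""
    seed = os.urandom(BLOCK)  # V is unknown to an observer; only K is in question
    ts1 = (1_700_000_000).to_bytes(BLOCK, "big")  # constructed timestamps
    ts2 = (1_700_000_001).to_bytes(BLOCK, "big")
    g = X931(key, seed)
    out1 = g.next_block(ts1)
    out2 = g.next_block(ts2)
    return ts1, out1, ts2, out2


def observer_can_predict(device_key: bytes, observer_key: bytes) -> bool:
    """True when an observer holding observer_key reproduces the device's second output."""
    ts1, out1, ts2, out2 = run_device(device_key)
    return predict_second_output(observer_key, ts1, out1, ts2) == out2


def demo() -> dict:
    # Hard-coded K: the observer knows it, so the stream is predictable.
    # Fresh K per boot: the observer's hard-coded guess is useless.
    fresh_key = os.urandom(BLOCK)
    return {
        "hardcoded_key": observer_can_predict(HARDCODED_KEY, HARDCODED_KEY),
        "fresh_key": observer_can_predict(fresh_key, HARDCODED_KEY),
    }


if __name__ == "__main__":
    print(demo())  # {'hardcoded_key': True, 'fresh_key': False}
```

Note that the seed V is random in both runs; the hard-coded key alone is what collapses the generator’s security, which is why the fix is to draw K from a proper entropy source at start-up rather than to protect V better.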
“In order to demonstrate the practicality of this attack, we develop a full passive decryption attack against FortiGate VPN gateway products using FortiOS version 4.” researchers said.
“Our scans found at least 23,000 devices with a publicly visible IPv4 address running a vulnerable version of FortiOS.”
Below is a partial list of affected devices tested by the researchers:
Further technical details are included in the paper “Practical state recovery attacks against legacy RNG implementations.”