Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: DUHK attack, continuing a week of named issues SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
DUHK attack, continuing a week of named issues

DUHK (Don't Use Hard-coded Keys) is an attack that exploits devices that use the ANSI X9.31 Random Number Generator and have a hard-coded key. Turns out that hard-coded crypto keys are not that uncommon in products. 

A device is susceptible to the attack if: 

                                                 
  • It uses the X9.31 random number generator

and

  • The seed key used by the generator is hard-coded into the implementation

and

  • The output from the random number generator is directly used to generate cryptographic keys

and

  • At least some of the random numbers before or after those used to make the keys are transmitted unencrypted. This is typically the case for SSL/TLS and IPsec.

(from https://duhkattack.com/ ) 

 

 

 

 

 

 

 

 

 

 

 

 

The full list of susceptible devices is in the paper https://duhkattack.com/paper.pdf on page 7.  

Fortinet users make sure you are on firmware 5.x as a minimum as that changes the implementation to CTR_DRBG implementation rather than using ANSI X9.31 RNG. For other affected products the fix is generally "run the current version". 

Mark H - Shearwater

 

 Mark

391 Posts
ISC Handler
Subscribe Oct 25th 2017
2 years ago

Sign Up for Free or Log In to start participating in the conversation!