DUHK attack, continuing a week of named issues - Internet Security

SANS ISC: DUHK attack, continuing a week of named issues - Internet Security | DShield

SANS Site Network
- Current Site
- Internet Storm Center
- Other SANS Sites Help
- Graduate Degree Programs
- Security Training
- Security Certification
- Security Awareness Training
- Penetration Testing
- Industrial Control Systems
- Cyber Defense Foundations
- DFIR
- Software Security
- Government OnSite Training

SANS ISC InfoSec Forums

DUHK attack, continuing a week of named issues

DUHK (Don't Use Hard-coded Keys) is an attack that exploits devices that use the ANSI X9.31 Random Number Generator and have a hard-coded key. Turns out that hard-coded crypto keys are not that uncommon in products.

A device is susceptible to the attack if:

It uses the X9.31 random number generator

and

The seed key used by the generator is hard-coded into the implementation

and

The output from the random number generator is directly used to generate cryptographic keys

and

At least some of the random numbers before or after those used to make the keys are transmitted unencrypted. This is typically the case for SSL/TLS and IPsec.

(from https://duhkattack.com/ )

The full list of susceptible devices is in the paper https://duhkattack.com/paper.pdf on page 7.

Fortinet users make sure you are on firmware 5.x as a minimum as that changes the implementation to CTR_DRBG implementation rather than using ANSI X9.31 RNG. For other affected products the fix is generally "run the current version".

Mark H - Shearwater

Mark

392 Posts
ISC Handler

Reply Subscribe

Oct 25th 2017
1 year ago