Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: DUHK attack, continuing a week of named issues - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
DUHK attack, continuing a week of named issues

DUHK (Don't Use Hard-coded Keys) is an attack that exploits devices that use the ANSI X9.31 Random Number Generator and have a hard-coded key. Turns out that hard-coded crypto keys are not that uncommon in products. 

A device is susceptible to the attack if: 

  • It uses the X9.31 random number generator


  • The seed key used by the generator is hard-coded into the implementation


  • The output from the random number generator is directly used to generate cryptographic keys


  • At least some of the random numbers before or after those used to make the keys are transmitted unencrypted. This is typically the case for SSL/TLS and IPsec.

(from ) 













The full list of susceptible devices is in the paper on page 7.  

Fortinet users make sure you are on firmware 5.x as a minimum as that changes the implementation to CTR_DRBG implementation rather than using ANSI X9.31 RNG. For other affected products the fix is generally "run the current version". 

Mark H - Shearwater



392 Posts
ISC Handler
Oct 25th 2017

Sign Up for Free or Log In to start participating in the conversation!