Threat Level: green Handler on Duty: Russell Eubanks

SANS ISC: InfoSec Handlers Diary Blog - DUHK attack, continuing a week of named issues InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

DUHK attack, continuing a week of named issues

Published: 2017-10-25
Last Updated: 2017-10-25 01:32:16 UTC
by Mark Hofman (Version: 1)
0 comment(s)

DUHK (Don't Use Hard-coded Keys) is an attack that exploits devices that use the ANSI X9.31 Random Number Generator and have a hard-coded key. Turns out that hard-coded crypto keys are not that uncommon in products. 

A device is susceptible to the attack if: 

                                                 
  • It uses the X9.31 random number generator

and

  • The seed key used by the generator is hard-coded into the implementation

and

  • The output from the random number generator is directly used to generate cryptographic keys

and

  • At least some of the random numbers before or after those used to make the keys are transmitted unencrypted. This is typically the case for SSL/TLS and IPsec.

(from https://duhkattack.com/ ) 

 

 

 

 

 

 

 

 

 

 

 

 

The full list of susceptible devices is in the paper https://duhkattack.com/paper.pdf on page 7.  

Fortinet users make sure you are on firmware 5.x as a minimum as that changes the implementation to CTR_DRBG implementation rather than using ANSI X9.31 RNG. For other affected products the fix is generally "run the current version". 

Mark H - Shearwater

 

Keywords: DUHK encryption IPSEC
0 comment(s)
Diary Archives