DUHK (Don't Use Hard-coded Keys) is a vulnerability that affects devices using the ANSI X9.31 Random Number Generator (RNG) in conjunction with a hard-coded seed key. The ANSI X9.31 RNG is an algorithm that until recently was commonly used to generate cryptographic keys that secure VPN connections and web browsing sessions, preventing third parties from reading intercepted communications.

DUHK allows attackers to recover secret encryption keys from vulnerable implementations and decrypt and read communications passing over VPN connections or encrypted web sessions. The encrypted data could include sensitive business data, login credentials, credit card data and other confidential content.

The affected implementations were all historically compliant with FIPS, the Federal Information Processing Standards.

Who is vulnerable?

Traffic from any VPN using FortiOS 4.3.0 to FortiOS 4.3.18 can be decrypted by a passive network adversary who can observe the encrypted handshake traffic. Other key recovery attacks on different protocols may also be possible.

We also found eleven other historically FIPS-certified implementations that document hard-coded X9.31 RNG seed keys in their products. We give the full list in our paper.

Users of affected products should apply the latest software updates.

A device is vulnerable to DUHK if:

It uses the X9.31 random number generator

and

The seed key used by the generator is hard-coded into the implementation

and

The output from the random number generator is directly used to generate cryptographic keys

and

At least some of the random numbers before or after those used to make the keys are transmitted unencrypted. This is typically the case for SSL/TLS and IPsec.
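To make the second and fourth conditions concrete, here is one ANSI X9.31 step written out in Go, as an added example that is not the paper's or any vendor's code. It instantiates the generator with AES-128 and uses constructed sample values for the seed key, the state and the timestamp block; its point is that the state update never reads the previous state, so a hard-coded seed key together with one output block on the wire fixes the generator's next state.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// xor16 is the block XOR used by the X9.31 step.
func xor16(a, b [16]byte) (o [16]byte) {
	for i := range a {
		o[i] = a[i] ^ b[i]
	}
	return
}

// Step is one ANSI X9.31 step on a 128-bit cipher keyed with seed key K:
// I = E_K(T); R = E_K(I ^ V) is the output; V' = E_K(R ^ I) is the next state.
func Step(ek cipher.Block, v, ts [16]byte) (r, vNext [16]byte) {
	var i [16]byte
	ek.Encrypt(i[:], ts[:])
	x := xor16(i, v)
	ek.Encrypt(r[:], x[:])
	y := xor16(r, i)
	ek.Encrypt(vNext[:], y[:])
	return
}

// StateAfter recomputes V' from K, T and the output block R alone: the state
// update in Step never reads V, so a hard-coded K plus one output block on the
// wire (the second and fourth conditions above) leaves the generator no secret.
func StateAfter(ek cipher.Block, ts, r [16]byte) (vNext [16]byte) {
	var i [16]byte
	ek.Encrypt(i[:], ts[:])
	y := xor16(r, i)
	ek.Encrypt(vNext[:], y[:])
	return
}

// Demonstrate reports whether the state recomputed from (K, T, R) equals the
// generator's true next state, using a constructed key, state and timestamp.
func Demonstrate() bool {
	ek, _ := aes.NewCipher([]byte("constructed-16B!")) // hard-coded seed key (sample)
	v0 := [16]byte{7, 7, 7}                             // the only per-device secret
	ts := [16]byte{0x20, 0x17, 0x10, 0x23}              // timestamp block (constructed)
	r, v1 := Step(ek, v0, ts)
	return StateAfter(ek, ts, r) == v1
}

func main() { fmt.Println("V' recomputed from K, T and R only:", Demonstrate()) }
```

The fix the advice below calls for is exactly to make K a per-device secret drawn from the operating system's entropy source (or to drop X9.31 altogether), since V alone carries no protection once K is known.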

Full technical paper: Practical state recovery attacks against legacy RNG implementations [PDF]

By Shaanan Cohney, Nadia Heninger, and Matthew D. Green. The team can be contacted at [email protected].

Our Advice

Are you a crypto implementer? Developers of cryptographic software should stop using the X9.31 generator. It was removed from the list of FIPS-approved random number generation algorithms in January 2016. If you must use a block cipher-based RNG, don't use a hard-coded key, and regenerate the key frequently.

Are you an end user of cryptography? Regularly apply software updates. It's good practice and will protect you against flaws that are of greater risk to you than this one.

Are you a company worried about FIPS compliance? Update your products to comply with the latest standards. We don't know of any backdoors in the current list of recommended algorithms.

Are you a government with a desire for large scale decryption capabilities? Weakening, sabotaging, backdooring, or frontdooring encryption standards may harm both the overall security of your country and your reputation!