Recently, three security researchers from the University of Pennsylvania and Johns Hopkins University uncovered an encryption flaw that places network devices at risk of cyber attacks.
This new crypto-attack is referred to as “Don’t Use Hard-coded Keys” or DUHK, for short.
The researchers discovered that this vulnerability allows hackers to obtain secret keys from affected Fortinet devices. The DUHK attack is possible on devices that use the ANSI X9.31 Random Number Generator (RNG) with a hard-coded seed key.
ANSI X9.31 RNG is an algorithm that is utilized for the generation of cryptographic keys in order to secure VPN connections and web sessions.
This is meant to prevent third parties from reading any network communications that they intercept. The researchers stated in a blog post that DUHK attacks enable hackers to acquire secret encryption keys from exploitable implementations.
Hackers can also decrypt and access information sent through Virtual Private Network (VPN) connections as well as encrypted web sessions. The encrypted data to be obtained in a DUHK attack could be in the form of login credentials, sensitive corporate data, intranet information, credit card details and other authentication credentials.
According to the DUHK attack researchers, all the affected implementations historically complied with Federal Information Processing Standards (FIPS).
The affected VPNs include those networks using FortiOS 4.3.0 up to FortiOS 4.3.18. A passive network actor can decrypt user traffic across these devices. There is also the possibility of key recovery attacks on distinct protocols.
The researchers discovered 11 other FIPS-certified implementations that incorporated hard-coded X9.31 RNG seed encryption keys in their devices. In a paper detailing their findings, the researchers published a list of vulnerable products with the hard-coded seed keys.
There are currently more than 25,000 Fortinet devices that are vulnerable to a DUHK attack. The situation could be far worse, since these numbers do not include devices in firewalled networks. Fortunately, the numbers are expected to fall in the near future as more users install software updates.
According to the researchers, a device is vulnerable to the DUHK attack if it employs the X9.31 RNG and the seed key the RNG uses is hard-coded into the implementation.
It must also be the case that the output from the RNG is used to generate cryptographic keys directly, or that at least part of the random output produced before or after the key material is transmitted in the clear. This is usually the case in TLS/SSL and IPsec implementations.
The ANSI X9.31 RNG employs an algorithm design that has appeared in different forms in cryptographic standards. It was also among the approved RNGs for FIPS certification for many years.
The interesting bit is that this RNG harbors a security flaw that was documented by experts as far back as 1998. At the time, researchers stated that if the seed key was known, the RNG algorithm could be broken.
The pseudorandom number generator employs block encryption to update state values from timestamps. It uses a seed key to achieve this.
When a hacker knows the seed key, they can obtain all past and future outputs of the RNG from 16 bytes of output and a guessed timestamp.
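The two paragraphs above describe the whole mechanism, so here is an added worked model of it (not code from the researchers, Fortinet or any vendor). It implements the ANSI X9.31 generator over AES-128 in Go's standard library, seeds a "victim" generator with a constructed key that stands in for one baked into firmware, and shows that an observer who knows that key and can guess the date/time vector reconstructs the generator's state from a single 16-byte output block, reproducing the victim's subsequent outputs and, by inverting one step, its earlier state. The same observer fails against a generator whose seed key came from the device's own entropy source, which is the contrast the article's closing advice is about. The key bytes, the timestamp and the date/time packing are all constructed for the demo; nothing here is a real device's key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Block is one 16-byte AES block.
type Block [16]byte

// X931 models the ANSI X9.31 generator over AES-128. One step with
// date/time vector DT and state V is:
//   I  = E_K(DT)
//   R  = E_K(I xor V)   <- the 16-byte output
//   V' = E_K(R xor I)   <- the new state
// Everything in the step except K and V is public or guessable.
type X931 struct {
	blk cipher.Block
	v   Block
}

// NewX931 builds a generator from a 16-byte seed key and an initial state.
func NewX931(key []byte, v Block) (*X931, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &X931{blk: blk, v: v}, nil
}

func xorBlock(a, b Block) (out Block) {
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func enc(blk cipher.Block, in Block) (out Block) {
	blk.Encrypt(out[:], in[:])
	return out
}

func dec(blk cipher.Block, in Block) (out Block) {
	blk.Decrypt(out[:], in[:])
	return out
}

// DT packs a constructed timestamp into the date/time vector. Real
// implementations pack wall-clock seconds and microseconds, which is what
// makes the vector guessable rather than secret.
func DT(ts uint64) (dt Block) {
	binary.BigEndian.PutUint64(dt[:8], ts)
	return dt
}

// Next runs one generator step and returns the output block R.
func (g *X931) Next(dt Block) Block {
	i := enc(g.blk, dt)
	r := enc(g.blk, xorBlock(i, g.v))
	g.v = enc(g.blk, xorBlock(r, i))
	return r
}

// RecoverFromOutput rebuilds a generator in the victim's post-step state
// from the seed key, the date/time vector and one observed output block:
// V' = E_K(R xor E_K(DT)) needs nothing secret once K is known.
func RecoverFromOutput(key []byte, dt, r Block) (*X931, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &X931{blk: blk, v: enc(blk, xorBlock(r, enc(blk, dt)))}, nil
}

// PreviousState inverts one step (V = D_K(R) xor I), which is why earlier
// outputs are recoverable as well as later ones.
func PreviousState(key []byte, dt, r Block) (Block, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return Block{}, err
	}
	return xorBlock(dec(blk, r), enc(blk, dt)), nil
}

// Predictable reports whether an observer holding guessKey, after seeing
// one output at timestamp t0, reproduces the victim's next two outputs.
func Predictable(victim *X931, guessKey []byte, t0 uint64) (bool, error) {
	observed := victim.Next(DT(t0))
	clone, err := RecoverFromOutput(guessKey, DT(t0), observed)
	if err != nil {
		return false, err
	}
	for k := uint64(1); k <= 2; k++ {
		if clone.Next(DT(t0+k)) != victim.Next(DT(t0+k)) {
			return false, nil
		}
	}
	return true, nil
}

func randomBlock() Block {
	var b Block
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	return b
}

// Demo contrasts a hard-coded seed key with a per-device random one.
func Demo() (hardcodedPredictable, perDevicePredictable bool, err error) {
	hardcodedKey := []byte("constructed-key!") // constructed; stands in for a firmware constant
	t0 := uint64(1508800000)                   // constructed timestamp

	victim, err := NewX931(hardcodedKey, randomBlock())
	if err != nil {
		return false, false, err
	}
	if hardcodedPredictable, err = Predictable(victim, hardcodedKey, t0); err != nil {
		return false, false, err
	}

	// Same construction, but the seed key came from the device's own entropy
	// source, so the observer's guess (the firmware constant) is wrong.
	deviceKey := randomBlock()
	victim2, err := NewX931(deviceKey[:], randomBlock())
	if err != nil {
		return false, false, err
	}
	perDevicePredictable, err = Predictable(victim2, hardcodedKey, t0)
	return hardcodedPredictable, perDevicePredictable, err
}

func main() {
	h, p, err := Demo()
	fmt.Println("hard-coded key predictable:", h, "| per-device key predictable:", p, "| err:", err)
}
```

Note that a per-device key only defeats the observer who relies on the firmware constant; the generator still leaks its state to anyone who learns K by other means, which is why the researchers' advice is to drop X9.31 rather than patch around it.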
The researchers of the DUHK attack stated that they were able to obtain encrypted data from Fortinet FortiGate devices used for VPNs and firewalls. They achieved this by reverse engineering FortiGate firmware images, which uncovered the hard-coded seed key.
They then executed a man-in-the-middle attack by observing the traffic from the affected devices. They proceeded with a brute-force attack against the encrypted data, using the seed key in order to uncover the remaining encryption parameters.
Armed with this information, the researchers of the DUHK attack method were able to recover the main encryption key. They then contacted Fortinet with their findings related to the DUHK attack, after which the firm removed the hard-coded seed key from FortiOS 4.3.19. Users of FortiOS 5.x are not affected by this exploit.
Although the DUHK attack method is quite difficult to execute, the security researchers stated that any hacker with a modern computer would be able to obtain the encryption key in approximately four minutes per connection.
Another concerning component of the DUHK attack is that it does not rely on user interaction. The hacker only has to observe traffic originating from an affected device, so the user will not be able to detect the DUHK attack.
The researchers of the DUHK attack advised cryptographic software developers to cease the use of X9.31 RNGs. This RNG was struck off the list of Federal Information Processing Standard-certified RNG algorithms back in January 2016.
Cryptographic software developers using RNGs based on block ciphers should avoid using hard-coded keys or ensure they frequently regenerate the keys. End users should regularly update their software to protect their devices against such exploits.