DUHK Attack

DUHK (Don't Use Hard-coded Keys) is a vulnerability that affects devices using the ANSI X9.31 Random Number Generator (RNG) in conjunction with a hard-coded seed key. The ANSI X9.31 RNG is an algorithm that until recently was commonly used to generate cryptographic keys that secure VPN connections and web browsing sessions, preventing third parties from reading intercepted communications.
DUHK allows attackers to recover secret encryption keys from vulnerable implementations and decrypt and read communications passing over VPN connections or encrypted web sessions. The encrypted data could include sensitive business data, login credentials, credit card data and other confidential content.
The affected implementations were all historically compliant with FIPS, the Federal Information Processing Standards.

Who is vulnerable?

Traffic from any VPN using FortiOS 4.3.0 to FortiOS 4.3.18 can be decrypted by a passive network adversary who can observe the encrypted handshake traffic. Other key recovery attacks on different protocols may also be possible.


We also found eleven other historically FIPS-certified implementations that document hard-coded X9.31 RNG seed keys in their products. We give the full list in our paper.
Users of affected products should apply the latest software updates.
A device is vulnerable to DUHK if:

  • It uses the X9.31 random number generator

and

  • The seed key used by the generator is hard-coded into the implementation

and

  • The output from the random number generator is directly used to generate cryptographic keys

and

  • At least some of the random numbers before or after those used to make the keys are transmitted unencrypted. This is typically the case for SSL/TLS and IPsec.

Full technical paper

Practical state recovery attacks against legacy RNG implementations [PDF]
By Shaanan Cohney, Nadia Heninger, and Matthew D. Green
The team can be contacted at [email protected] .

Our Advice

Are you a crypto implementer?

Developers of cryptographic software should stop using the X9.31 generator. It was removed from the list of FIPS-approved random number generation algorithms in January 2016. If you must use a block cipher-based RNG, don't use a hard-coded key, and regenerate the key frequently.
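The following is an added example, not code from the DUHK authors or from any affected vendor. It implements the AES-128 variant of the ANSI X9.31 generator (I = E_K(DT); R = E_K(I xor V); V' = E_K(R xor I)) and demonstrates the four vulnerability conditions listed above and the implementer advice just given: when K is hard-coded and one output block R goes on the wire in clear, an observer who knows K and the timestamp DT can compute the generator's next secret state and predict every later output; when the device instead draws K fresh from the OS CSPRNG at boot, the same observer learns nothing. All names (`X931`, `RecoverState`, `Predictable`), the key string, the seed and the DT blocks are constructed for the demo; a real device would fill DT from its clock, and the paper describes how DT is searched when it is not known exactly.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// Block is the 128-bit block width of the AES-based X9.31 variant.
type Block [16]byte

// encrypt is one AES-128 block encryption under key (the E_K of the standard).
func encrypt(key []byte, in Block) Block {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16 bytes for AES-128
	}
	var out Block
	c.Encrypt(out[:], in[:])
	return out
}

func xor(a, b Block) Block {
	var out Block
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// X931 holds the generator's key K and its secret state V.
type X931 struct {
	key []byte
	v   Block
}

func NewX931(key []byte, seed Block) *X931 { return &X931{key: key, v: seed} }

// State exposes V so a test can compare the recovery below against the truth.
func (g *X931) State() Block { return g.v }

// Next runs one X9.31 step for timestamp block dt:
//   I = E_K(DT);  R = E_K(I xor V);  V' = E_K(R xor I)
// and returns R, the block handed to the caller as "random" bytes.
func (g *X931) Next(dt Block) Block {
	i := encrypt(g.key, dt)
	r := encrypt(g.key, xor(i, g.v))
	g.v = encrypt(g.key, xor(r, i))
	return r
}

// RecoverState is the observer's side of the DUHK conditions: knowing K,
// one output R that was sent in clear (a handshake nonce, say) and the DT
// used for it, anyone can compute V', the generator's next secret state.
func RecoverState(key []byte, dt, r Block) Block {
	i := encrypt(key, dt)
	return encrypt(key, xor(r, i))
}

// Predictable reports whether an observer holding observerKey, who sees
// gen's output for dtObserved, can predict gen's output for dtNext.
func Predictable(observerKey []byte, gen *X931, dtObserved, dtNext Block) bool {
	rObserved := gen.Next(dtObserved)
	clone := NewX931(observerKey, RecoverState(observerKey, dtObserved, rObserved))
	return clone.Next(dtNext) == gen.Next(dtNext)
}

// Constructed demo values (hypothetical; a real device fills DT from its clock).
var (
	hardcodedKey = []byte("DUHK-demo-key-16") // the flaw: the same K in every unit
	bootSeed     = Block{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}
	dt1          = Block{0: 0x01}
	dt2          = Block{0: 0x02}
)

// HardcodedKeyIsPredictable: device and observer share the hard-coded K.
func HardcodedKeyIsPredictable() bool {
	device := NewX931(hardcodedKey, bootSeed)
	return Predictable(hardcodedKey, device, dt1, dt2)
}

// FreshKeyIsPredictable: the device draws K from the OS CSPRNG at boot;
// the observer still only knows the old hard-coded value.
func FreshKeyIsPredictable() bool {
	fresh := make([]byte, 16)
	if _, err := rand.Read(fresh); err != nil {
		panic(err)
	}
	device := NewX931(fresh, bootSeed)
	return Predictable(hardcodedKey, device, dt1, dt2)
}

func main() {
	fmt.Println("hard-coded key, next output predictable:", HardcodedKeyIsPredictable()) // true
	fmt.Println("fresh per-boot key, next output predictable:", FreshKeyIsPredictable()) // false
}
```

The fresh-key case only shows that an observer without K gains nothing from the structure; it is a mitigation, not an endorsement of X9.31, which the advice above says to stop using altogether. The generator's state is also fully determined by K and the outputs, so the seed V must likewise never be shared across units.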

Are you an end user of cryptography?

Regularly apply software updates. It's good practice and will protect you against flaws that are of greater risk to you than this one.

Are you a company worried about FIPS compliance?

Update your products to comply with the latest standards. We don't know of any backdoors in the current list of recommended algorithms.

Are you a government with a desire for large scale decryption capabilities?

Weakening, sabotaging, backdooring, or frontdooring encryption standards may harm both the overall security of your country as well as your reputation!

Last updated October 23, 2017.
