DUHK (Don’t Use Hard-coded Keys) is a new cryptographic implementation attack that could enable attackers to recover the secret keys that secure VPN (Virtual Private Network) connections and web browsing sessions, and so read encrypted communications crossing VPN connections. The encrypted data could contain sensitive business data, login credentials, credit card information and other private data.
The DUHK attack has been discovered by two security researchers from the University of Pennsylvania and one researcher from Johns Hopkins University.
According to the researchers:
“DUHK (Don’t Use Hard-coded Keys) is a vulnerability that affects devices using the ANSI X9.31 Random Number Generator (RNG) in conjunction with a hard-coded seed key. The ANSI X9.31 RNG is an algorithm that until recently was commonly used to generate cryptographic keys that secure VPN connections and web browsing sessions, preventing third parties from reading intercepted communications.”
Any traffic from any VPN that uses FortiOS 4.3.0 through FortiOS 4.3.18 can be decrypted by a passive network attacker who can monitor the encrypted handshake traffic.
The researchers tested the DUHK attack technique against Fortinet’s FortiGate virtual private network gateway products, which run FortiOS. An Internet scan also showed that more than 25,000 Fortinet devices are vulnerable and exploitable.
The researchers who found the attack said they don’t intend to release any code used in their implementation of the method.