Just as we had begun to feel safeguarded from the recent spell of crypto-related threats, yet another vulnerability impacting online security is unveiled.
DUHK — Don’t Use Hard-coded Keys – is the third in a series of threats that hit the headlines earlier this month. It has the potential to affect traffic from leading VPN vendors by decrypting and reading communications passing over so-called ‘secure’ encrypted connections and web browsing sessions.
Cryptography researchers – Shaanan Cohney, Nadia Heninger, and Matthew Green – behind the discovery of DUHK, identified a vulnerability affecting devices using the AES based ANSI X9.31 algorithm with hardcoded seed material for Random Number Generation (RNG). As in any similar use case, this algorithm generates encryption keys. The latter are then used to secure VPN connections, browsing sessions and other encrypted traffic/data.
However, the attack showed that when the output of this RNG is used directly to generate cryptographic keys, and at least some of the random numbers are transmitted unencrypted, symmetric session keys can be recovered by a passive attacker, i.e., by simply observing network traffic.
While it might look like these conditions restrict the scope of the attack, it is common for cryptographic implementations to reuse the output of a RNG primitive while the application of the scheme in standard internet protocols such as SSL/TLS and IPSEC. Hence, the attack rendered vulnerable a surprising numbers of VPN implementations – including those from Fortinet, Cisco & Techguard.
Basically, software using the hard-coded X9.31 RNG seed keys, and any VPN using FortiOS 4.3.0 to FortiOS 4.3.18 may see its secured channels unveiled.
The X9.31 algorithm was previously certified by but was dropped from the list of in 2016. Still, it was discovered that the standard allowed the ‘secret’ seed key to be stored in the source code of its implementation.
The team classify the DUHK vulnerability as ‘non-trivial’, however it is, thankfully for some, limited to legacy implementations and does not allow a takeover of the device running them. Maybe more seriously is the fact that this attack signals a historical failure of the federal standardization process for cryptography. According to a DUHK website set up by the research team: “The general vulnerability has been known for at least two decades, yet none of the descriptions of the algorithm we could find mentioned that the seed key should be unpredictable to the attacker.”
Random number generation is a prerequisite to any cryptographic scheme, and the produced numerical sequence becomes predictable once the seed key (the starting point from which they begin to produce their output) is known. To guarantee absolute randomness, RNGs must not be vulnerable to prediction or bias. Instead of relying on a (potentially hardcoded) seed number, a true random number generator – such as the Quantis QRNG – is required, ensuring unpredictable physical processes to generate numbers.
DUHK was, as we mentioned, the third in a spate of recent attacks. It followed hot on the heels of the KRACK and ROCA attacks, exposed earlier in the month. The KRACK attack did not target the crypto keys as with DUHK, but the WPA2 protocol. This protocol is the most advanced and widely used way to secure Wi-Fi networks. Surprisingly, this discovery comes 13 years after the standard was published to address the vulnerabilities of its predecessor, the WEP protocol. As WPA2 was widely thought to be well secured, this attack comes as a reminder that not having a security flaw does not guarantee the safety of a system and that weaknesses can be discovered, and either be published or exploited by third parties, at any time.
On the other hand, the ROCA attack allowed hackers to derive the private key from the public key due to “optimizations” in the key generation algorithm implemented in a number of chips used in Infineon’s trusted platform modules (TPM). This is worth a few words as it left “millions of high-security crypto keys crippled”. Moreover, the researchers who discovered the attack believe that it affects around one-quarter of all current TPM devices globally. Among other impacts, this attack forced the Estonian government to close its ID card public key database and start an enormous key rotation process to migrate to a safer alternative.
In RSA a private key consists of a pair of prime numbers. The public key is then constructed as the multiplication of the two primes. In a bid to boost performance, the library used by Infineon employed a shortcut to generate faster primes. In doing so, the implementation introduced a special structure in these prime numbers that made the keys weaker and the underlying factorization problem easier to solve.
This exposes the ‘secret numbers’ underpinning their security, rendering them insecure. In fact, 1024bit keys generated with the faulty Infineon library would take just three months to be factorized and 2048bit keys an average recovery time of 50 CPU years. Or even less. Using cloud computing, it would require no more than 17 days and $40,300 using a 1000-instance machine on an Amazon Web service to break a 2048bit RSA key. And finally, potentially most dangerous, it is worth noting that no access to the device holding the private is needed at any point…! The sole knowledge of the public key, which as its name suggests is public, allows for this devastating attack. Technical details on the attack can be found at https://crocs.fi.muni.cz/public/papers/rsa_ccs17
Threats such as these prove a strong case for true random number generation, advanced encryption methods, and the need for handling standards and technical certifications with extreme scrutiny.