Holy DUHK! Boffins name bug that could crack crypto wide open

Crypto researchers from the University of Pennsylvania, working with Johns Hopkins cryptographer Matthew Green, have discovered a serious security blunder and branded it DUHK, which stands for Don't Use Hardcoded Keys. The vulnerability – described in depth at this “silly logo” website here – lies within an ancient pseudo- …

  1. Khaptain Silver badge

    K

    What would it actually take to obtain K? How would they retrieve it from a running system?

    Is this a script kiddie possibility or more of a serious black hat challenge?

    1. Anonymous Coward
      Coat

      Re: K

      "What would it actually take to obtain K ?"

      Lure him into some sort of trap involving a creature from another planet?

      1. WhoAmI?
        Alien

        Re: K

        I got that reference!

        1. Zog_but_not_the_first
          Boffin

          Re: K

          "What would it actually take to obtain K ?"

          Lure him into some sort of trap involving a creature from another planet?

          Or traduce him.

      2. JLV

        Re: K

        Summon him to the castle.

    2. theblackhand

      Re: K

      From: https://www.cryptosys.net/rng_algorithms_old.html#rng_X917

      X9.17/X9.31 algorithm to generate the next 64-bit block

      Given

      D, a 64-bit representation of the current date-time

      S, a secret 64-bit seed that will be updated by this process

      K, a secret Triple DES key

      Step 1. Compute the 64-bit block X = G(S, K, D) as follows:

      I = E(D, K)

      X = E(I XOR S, K)

      S' = E(X XOR I, K)

      where E(p, K) is the Triple DES encryption of the 64-bit block p using key K.

      Step 2. Return X and set S = S' for the next cycle.

      Given there are likely to be flaws that result in device reloads (across all potentially vulnerable devices) making K known and D a fairly small range, the vulnerability looks bad.

      The only potential mitigation is that this may only apply to devices using older crypto options (i.e. DES/3DES or MD5/SHA-1), as you shouldn't be using this for important stuff when AES-GCM and SHA-2 are readily available for most encryption functions.
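The generator spelled out in the comment above, as an added example that is not part of the original thread: it implements the X9.17/X9.31 step with Triple DES from Go's standard library and then shows why the hardcoded K is the whole problem. Every operation in Step 1 is a keyed encryption, so anyone holding K can invert one observed output block X (together with its date-time input D) to recover the seed S, replay the step, and predict every following output. The key, seed and timestamps below are constructed placeholders for the demonstration, not values from any device.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"fmt"
)

// Block is the 64-bit block the X9.17/X9.31 generator works on.
type Block [8]byte

// X931 holds the generator state from the comment: Triple DES keyed with K,
// plus the secret seed S that is replaced after every output block.
type X931 struct {
	blk cipher.Block
	S   Block
}

// NewX931 builds a generator from a 24-byte Triple DES key K and an initial seed S.
func NewX931(key []byte, seed Block) (*X931, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	return &X931{blk: c, S: seed}, nil
}

func xorBlock(a, b Block) Block {
	var out Block
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func encrypt(c cipher.Block, p Block) Block {
	var out Block
	c.Encrypt(out[:], p[:])
	return out
}

func decrypt(c cipher.Block, x Block) Block {
	var out Block
	c.Decrypt(out[:], x[:])
	return out
}

// Next runs Step 1 and Step 2 for one date-time block D and returns X.
func (g *X931) Next(D Block) Block {
	I := encrypt(g.blk, D)                // I  = E(D, K)
	X := encrypt(g.blk, xorBlock(I, g.S)) // X  = E(I XOR S, K)
	g.S = encrypt(g.blk, xorBlock(X, I))  // S' = E(X XOR I, K)
	return X
}

// RecoverSeed is the point of "Don't Use Hardcoded Keys": with K known, the
// seed in use when X was produced is simply S = D(X, K) XOR E(D, K).
func RecoverSeed(key []byte, D, X Block) (Block, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return Block{}, err
	}
	return xorBlock(decrypt(c, X), encrypt(c, D)), nil
}

// PredictFollowing returns what a holder of K predicts for the outputs that
// follow one observed pair (D0, X0), given the later date-time inputs.
func PredictFollowing(key []byte, D0, X0 Block, laterD []Block) ([]Block, error) {
	seed, err := RecoverSeed(key, D0, X0)
	if err != nil {
		return nil, err
	}
	g, err := NewX931(key, seed)
	if err != nil {
		return nil, err
	}
	g.Next(D0) // replay the observed step so S advances to S'
	out := make([]Block, len(laterD))
	for i, d := range laterD {
		out[i] = g.Next(d)
	}
	return out, nil
}

// timeBlock encodes a constructed timestamp as the 64-bit D input.
func timeBlock(t uint64) Block {
	var b Block
	binary.BigEndian.PutUint64(b[:], t)
	return b
}

func main() {
	key := []byte("0123456789abcdef01234567") // constructed "hardcoded" 3DES key
	var seed Block
	copy(seed[:], "initseed") // constructed seed
	g, err := NewX931(key, seed)
	if err != nil {
		panic(err)
	}
	D := []Block{timeBlock(1508800000), timeBlock(1508800001), timeBlock(1508800002)}
	X0 := g.Next(D[0])
	actual := []Block{g.Next(D[1]), g.Next(D[2])}
	pred, _ := PredictFollowing(key, D[0], X0, D[1:])
	fmt.Printf("actual:    %x %x\npredicted: %x %x\n", actual[0], actual[1], pred[0], pred[1])
}
```

The prediction only works because K is known and the date-time inputs are guessable, which is exactly the pairing the comment calls bad; a per-device key generated at first boot and never written into firmware turns the same construction back into a black box.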

    3. This post has been deleted by its author

  2. wyatt

    All crypto is breakable, most not within a period where the data encrypted is of use.

    When in the army the type of encryption used depended on the value of the information being passed. As computing power and research methods improve, expect more methods to be deprecated.

    1. DropBear

      Sorry, we're long past that point. Back when nothing much besides "attack at dawn" was using encryption, all you needed was that crypto holding until noon - but these days anything and everything uses encryption, including "long shelf life" things like documents, logs, and captured data streams that you don't want accessible anywhere within a lifetime. Using keys derived from a predictable engine that also produces publicly available nonces won't exactly do that kind of thing for you.

    2. Alan Brown Silver badge

      "When in the army the type of encryption used depended on the value of the information being passed. "

      Which gave an indication of the value of attempting to crack it and the value of targeting those sending it.

      One of the first principles of crypto is that you should use the same crypto for everything and encrypt everything, including your laundry lists, so that attackers don't get clued into what's valuable or not (which in turn means it should be strong crypto).

      The more sadistic might choose to only encrypt their laundry lists and watch the spooks pile in to try and decode the "valuable data".

      1. TRT Silver badge

        laundry list...

        SOCKS vulnerability exploit.

      2. Claptrap314 Silver badge

        Yes and no--and mostly no. It is true that in WWII we decrypted 95% of Japan's top-encrypted code and <30% of their less encrypted. But their top-encrypted system was not field-mobile. (Same issue in Europe, as I understand it.) You can only afford so much encryption--which is why AES does not use 8196 bit keys. Mobile hardware operates under a lot of hard constraints--encryption becomes something else you pay for.

        Certainly, if any level of encryption carried the same cost as the highest, then I would encrypt my laundry list and rickroll. But it does not.

  3. John Smith 19 Gold badge
    Unhappy

    From the website, which is clear and well structured.

    "How easy is it to carry out the attack? Is it practical?

    Yes. Our attack against Fortigate device can be carried out on a modern computer in about four minutes. In the more general case, the practicality depends on the specific implementation details of the RNG."

    Key problem. The seed value is hard coded in the program. Any implementation could do this.

    A very bad idea, regardless of how "random" (and they make no comment on how good a generator it is) the PRNG is.

    IOW "DUHK, you suckers !"

  4. Bronek Kozicki

    Obligatory

    XKCD

  5. RealBigAl

    Top trolling in a research paper

    "Are you a government with a desire for large scale decryption capabilities?

    Weakening, sabotaging, backdooring, or frontdooring encryption standards may harm both the overall security of your country as well as your reputation!"

  6. Anonymous Coward
    Stop

    That picture again...

    Didn't 'The Register' already agree not to use this image and similar? Come on please, I expect better of you. You are helping normalize a very sick activity with that image.

  7. CAPS LOCK

    Horrible image is horrible...

    ...what next ElReg, 'crushcat'?

    1. WolfFan Silver badge

      Re: Horrible image is horrible...

      ...what next ElReg, 'crushcat'?

      finest thing which could happen to a cat.

      Oh, alright, call off the pitchforks, I was just joking... have a nice pic. http://2jx7c41t791b2q0ncb3duyom.wpengine.netdna-cdn.com/wp-content/uploads/2017/01/dogs-and-cats.jpg

      1. Sandtitz Silver badge
        Happy

        Re: Horrible image is horrible...

        No, the Kitten Stomper.

        Sick but funny!

  8. Flywheel

    "government crypto certifications are largely worthless"

    Maybe, but isn't that by design, even though it may be accidental? Is it a case of "make it look secure but actually there's a known, consistent weakness"? That would be most convenient for certain people.

    1. Christian Berger

      Well...

      ... crypto certifications require resources which could otherwise be used to have better crypto.

      Or in a practical example: Imagine company X has a random number generator which passed certification. Now one of the engineers has a good idea to make it much more secure. They will be stopped from implementing it since any change would mean recertification which is expensive.

  9. fluffybunnyuk

    not news. a lot of proprietary VPN software STILL suffers from the same problem.

  10. Version 1.0 Silver badge

    Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin.

    - John von Neumann, 1951

    1. Nick Ryan Silver badge

      Thinking of which... whatever happened to hardware random number generators? I (vaguely) remember these things being available as add-on cards for systems.

      1. Anonymous Coward
        Anonymous Coward

        Re: hardware RNGs

        I (vaguely) remember these things being available as add-on cards for systems.

        They still are.

  11. FuzzyWuzzys
    Happy

    "..something like a random nonce...".

    I'm sorry, I'm in a very puerile mindset today!

  12. burtmianus

    Trump's writing about technology apparently?

    I feel it only fair to point out, for the sake of accuracy in this world of “fake news” and questionable statistics, that this post’s targeting of Fortinet is pretty unfair. The firmware in question (4.3) went out of support in 2014, and the issue was found in 4.3.13 and patched in all subsequent builds. Frankly, if an IT admin is not keeping on top of their security patching at such a fundamental level then they need to be put into a dark room, have the door bricked up, wallpaper applied and forgotten about. In the real world security engineers are aware that there are unsavoury people out there whose sole purpose is to get into our little fiefdoms and wreak havoc, so we spend all our lives updating firmware, installing patches, deploying new versions, and inconveniencing users to try and stay one step ahead.

    To say that this will “flay Fortinet first”, given they fixed the issue 3 years ago and have since ended support for the entire 4.x line to move customers to the 5.x line, is like writing an article entitled “Londoners dying of cholera and typhoid” focusing on the practice of slop buckets and failing to mention that time has passed, things have developed, and improvements have been made. As we’re aware, London has sewers and deaths by cholera and typhoid are few and far between these days cos we aren’t tipping buckets of excrement out the window.

    I know very well the pain involved in maintaining a secure environment and Fortinet aren’t perfect, but this article is simply inaccurate and needs to be fact checked by someone not working in the Trump White House.

    1. cbars Bronze badge

      Re: Trump's writing about technology apparently?

      hmm. while I appreciate your argument, I have many devices (hello TV, hello 'tablet', hello most consumer electronics) which are out of support, and have not been patched. Businesses are usually the same and simply play "hide the weak thing under the blanket of the external firewall".

      Just because it was patched 3 years ago doesn't mean there are not hundreds of thousands of devices sitting around unpatched. There have been lots of botnets rolling printers and security cameras into their midst for exactly this reason.

      Unfortunately the reality is that sysadmins don't buy all the gear, and it doesn't all get patched, so I think a fairer comparison would be an article like "there could be a problem with cars getting stuck in the tunnel because they run out of fuel as the fuel gauge is incorrect" < and your response is: well, everybody knows to fill up with fuel so this should never happen, and the new cars have a fixed fuel gauge and everybody should update their fuel gauges as soon as new ones are available.

      So yes, you're right. But it's worth the article to get the word out to any of us who do have these devices and the ability to do anything about it. It's certainly not on par with Trump's - ahem - political commentary.

      1. tom dial Silver badge

        Re: Trump's writing about technology apparently?

        It seems like the normal, prudent, default rules ought to be something like:

        Apply software patches that correct vulnerabilities;

        Upgrade software that is out of support;

        Replace hardware that is out of support. is issued.

        That makes sense whether you are a business or an individual consumer. Not doing them is accepting a risk that could be mitigated at a cost. Companies and individuals may do this consciously and rationally based on a proper risk analysis. More often they do it unaware of the risk, or based on a faulty risk analysis.

        Consumer devices present the ugly problem that end of support dates often are not announced (and the support often is deficient anyhow), and few consumers can do a risk analysis anyhow.

        1. cbars Bronze badge

          Re: Trump's writing about technology apparently?

          So, before I buy something I need to have a full understanding of every design feature so I can perform a risk analysis?

          One: burden!

          Two: doesn't feel like I'm going to be able to do this without the source code and tool chain, 48 PhDs and a lot of time.

          Three: When products degrade due to wear and tear, I expect them to break in a safe manner. I don't expect my fridge to burn down my house and this is precisely why we have legal requirements for their safety. (Yes, these change over time but we still have product recalls as an option. I don't see why the cost should be borne by me except rolled up into the original purchase price)

          We need legal requirements which dictate what is and what isn't a safe device. But it's the internet so it's confusing and normal rules don't seem to be adequate.

          No: government approved does not equal safe, but there are existing standards bodies that span borders and something similar needs to be in place and enforced... IMO, maybe I'm just lazy and cheap.

  13. Claptrap314 Silver badge

    How exactly is this news? As mentioned, this vuln was published, and fixed years ago. I suspect these two academics are making noise to try to land a grant or something.
