PRNG Weakness Reflects Poorly on Government Crypto Certification

Security researchers discovered that the pseudorandom number generator that underpins cryptographic operations in Fortinet appliances and products from other 11 other vendors rendered encrypted traffic vulnerable to snooping for years. The affected products were all compliant with government security certification standards.

The vulnerability, dubbed DUHK, was discovered by researchers from the University of Pennsylvania and Johns Hopkins University: Shaanan Cohney, Nadia Heninger and Matthew Green. It stems for the use by some vendors of hard-coded keys to seed the ANSI X9.31 pseudorandom number generator (PRNG) in their products. The name DUHK itself stands for Don’t Use Hard-coded Keys.

PRNGs produce the random numbers that are then used by different cryptographic algorithms to generate encryption keys and other secrets, so a weak PRNG can undermine the security of the entire cryptosystem built on top of it. In this particular case, the use of factory hard-coded keys to seed the ANSI X9.31 PRNG instead of generating unique random seeds each time made it possible for passive attackers to decrypt VPN traffic using the TLS and IPSec protocols.

The three researchers found potentially vulnerable ANSI X9.31 implementations in 40 product lines from 12 vendors. The impact for those products might vary depending on what they use the PRNG for. Many of the affected products have updated versions or they’ve reached end of support life, but a list of the vulnerable implementations and the vendor responses, where available, is included in the research paper (pages 6-7).

The greatest impact seems to be on VPN-capable appliances from Fortinet that use FortiOS versions 4.3.0 to 4.3.18, released December 2014. FortiOS has now reached version 5.6, but there are still thousands of devices out there running vulnerable versions from the 4.3.x branch.

Fortinet was notified about the vulnerability a year ago and published a security advisory in November 2016 recommending that users upgrade to FortiOS 4.3.19, 5.0 or above.

However, using internet scans and automated testing the researchers found that, as of this month, are still more than 25,000 vulnerable Fortinet devices that are accessible directly from the internet and whose VPN traffic could be decrypted.

This vulnerability also highlights the shortcomings of government cryptographic certification programs. All of the vulnerable implementations identified by the researchers were compliant with the U.S. government’s Federal Information Processing Standard (FIPS) Publication 140-2: Security Requirements For Cryptographic Modules.

In fact, the researchers found vulnerable implementations by reading the public security policy documents from 288 vendors that had been FIPS 140-2 certified for the ANSI X9.31 PRNG. They looked for wording about seed keys that could indicate problems such as hard-coded, statically stored, compiled into binary, embedded in flash, stored in flash, etc.

To make things worse, the ANSI X9.31 PRNG was known to be vulnerable if not used with random keys since 1998, yet the FIPS certification process accepted the use of hard-coded keys up to January 2016, when X9.31 was removed from the list of FIPS-approved random number generators.

One lesson here is that “government crypto certifications are largely worthless,” Matthew Green said in a blog post. “I realize that seems like a big conclusion to draw from a single vulnerability. But this isn’t just a single vendor — it’s potentially several vendors that all fell prey to the same well-known 20-year-old vulnerability. When a vulnerability is old enough to vote, your testing labs should be finding it. If they’re not finding things like this, what value are they adding?”

Even though it’s deprecated, ANSI X9.31 is still used by a very large number of products and it’s almost certain that the Fortinet issue is just the tip of the iceberg, Green said. “This algorithm should have disappeared ten (sic) years earlier — and yet here we are.”

Russian Cyberespionage Group APT28 Targets Cyber Conflict Conference

A sophisticated cyberespionage group of Russian origin known as APT28 and Fancy Bear has recently launched a spear-phishing campaign against people interested in the upcoming 2017 International Conference on Cyber Conflict U.S. (CyCon U.S.).

According to researchers from Cisco Systems’ Talos team, the attackers copied a description of the upcoming event from the conference’s website, pasted it into a Word document and added a macro that executes malicious VBA code.

The code installs a new version of a malware program known as a Seduploader that has been used for reconnaissance by APT28 for years. The new variant has some modifications so it can bypass detection rules based on older indicators of compromise (IOCs).

“Analysis of this campaign shows us once more that attackers are creative and use the news to compromise the targets,” the Cisco researchers said in a blog post. “This campaign has most likely been created to allow the targeting of people linked to or interested by cybersecurity, so probably the people who are more sensitive to cybersecurity threats.”

CyCon U.S. is an event organized by the Army Cyber Institute at the United States Military Academy and the NATO Cooperative Cyber Defence Centre of Excellence.

APT28 is a sophisticated cyberespionage group that has proven in the past that it has access to zero-day exploits—exploits for previously unknown and unpatched vulnerabilities. Their use of a more basic macro-based technique in this attack might be surprising at first but makes sense given the profession of their intended targets: security professionals who have a higher chance of detecting zero-day exploits.

“We could suggest that they did not want to utilize any exploits to ensure they remained viable for any other operations,” the Cisco researchers said. “Actors will often not use exploits due to the fact that researchers can find and eventually patch these which renders the actors weaponized platforms defunct.”

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 101 posts and counting.See all posts by lucian-constantin

One thought on “PRNG Weakness Reflects Poorly on Government Crypto Certification

Comments are closed.