DUHK: The Technique That Got the VPN Compromised

                 The world we are living in is slowly moving towards digitalization, people are happy as their life is becoming so easy due to technology. Everything from our personal information to professional information is stored online and we think it’s secured and can only be accessed by us. At this point to wake us up from the dilemma, there is an attack which upheaval all the security claims and gets access to the most secure system even with encrypted keys.

The new attack that came into the frame was named as DUHK (Do not Use Hard-Coded Keys) which was followed by KRACK attack and Factorization Attack. This attack is used to target an old vulnerability that exists in the pseudorandom number generators called ANXI X3.91. It is a cryptographic algorithm which was designed to generate cryptographic secured keys which can be used for providing secure VPN connections and web browsing sessions.


The DUHK attack was discovered by three research persons, Mathew Green who is now working as a professor at John Hopkins University, Nadia Heninger who is working as an Assistant Professor at the University of Pennsylvania and Shannan N. Cohney who is an Aspiring P.H.D working under Nadia at the University of Pennsylvania. After the research, they declared the documentation on their website about how this attack works.

As per the research, this attack needs three crucial constituents, the first one is a Key which can be recovered from any target VPN network like Fortinet OS without facing any large problems. Then after that, the attacker needs to have access to any TLS or VPN traffic, since it’s not a live attack so we can put it on a network positioning that is capable enough for monitoring between two sides of the VPN or TLS connection. 

To be specific, the attacker needs a full AES block of output data from the ANSI generator and the second part of the data to check for its success. Luckily both IPsec and TLS include cryptographic nonce of a satisfactory length to achieve a required output, whereas both of them are drawn from the ANSI generator which is stored in the Fortinet OS kernel.

The attacker also needs Diffie-Helman keys in order to initiate the attack. The final key constituent is the TimeStamp, that was used to control the generator. In Fortinet OS the timestamp just has a resolution of one microsecond, grabbing that value is very challenging. Auspiciously, TLS and other protocols include the time-in-seconds as one of the outputs of the TLS output.

 With all the data on attackers approach, now he can decrypt the output block that he fetched from the nonce protocol using the key, with each possible timestamp value and moves forward and backward till he winds up the network Diffie-Hellman key.

 After the completion, the secret key is in the hand of the attacker, which he can use to completely decrypt the VPN network to read or modify all the traffic.
After going through the topic, I concluded that everything now is not secured, the security measures which were made previously and were adopted for many years tend to become obsolete after some time. Even sometimes people make mistakes, as in the previous time when these protocols were made they were made with limited knowledge, As per the technical achievements they need an upgrade. While improving them, we need to take some facts in our mind to stop these errors from becoming disastrous exposures.

As of the government standards, ANSI X9.31 and ANSI X9.17 which are almost 20 years old but regrettably many companies are still using it. These algorithms should have vanished almost a decade ago but it’s still here. It’s just high time that new policies, protocols, and algorithms should be researched and introduced to bolster the security.
Also Read: Google’s AlphaZero AI Masters Chess In Just 4 Hours, Defeats World’s Best Chess Program