Crypto Attack Exposes VPN Connections by Recovering Encryption Keys

  • Usman Hayat
  • Oct-24-2017

The aftereffects of KRACK attacks have not been vanished completely and we are witnessing yet another DUHK (Don’t Use Hard-Coded Keys) attack. Yes, you read it correctly. We are talking about DUKH Crypto attack that exposes VPN connection through recovering encryption keys. The story does not end here; this is because the attack leaves online privacy of the users highly vulnerable.

DUHK Crypto Attack Exposes VPN Connections

The first factor is all about the application of the ANSI X9.31 Random Number Generator (RNG). This algorithm takes random number data and produces encryption keys. These encryption keys are used to protect the VPN connections, users’ browsing sessions and other crucial data. The second factor relates to the seed key that is the key hardware vendors use for the ANSI X9.31 RNG algorithm.

If your product combines both ANSI X9.31 and hardcoded seed key, attackers can decrypt all the communication that takes place on the device. This includes all the confidential information like username, password, credit card data, and others that you secure through the help of a VPN.

Old Fortinet Fortigate Devices are Vulnerable to DUHK Attacks

The Fortinet Fortigate devices that use FortiOS 4.3.0 to FortiOS can become an easy target of DUHK attacks. Moreover, there were 23000 older Fortinet 4.x devices exposed online. In addition, the attack does need any user interaction. The attacker using a latest system can recover the encryption key within four minutes per connection.

What Should I Do to Secure Myself?

You need to take proactive measure to secure yourself from the DUHK attack. Here is the list of precautionary measures you can take. These are:

  • Cryptographic software developer should not use X9.31 Random Number Generator
  • Update your products on a regular basis to comply with the latest standards
  • Improve the overall encryption standards to the required level
  • The vendors must produce a random seed key at device startup or before initiating the ANSI X9.31 algorithm
Usman Hayat

Usman Hayat

All Posts by Usman Hayat

Usman Hayat's Biography :

A business school grad specializing in marketing, Usman found his love for writing during studies. Salmi now pursues a career as a digital privacy & security advocate for VPNRanks working as a blogger. Salmi loves reading about sci-fi & technology while cricket is his game of choice. When the world cries ‘online freedom’ Salmi stands resolute raising his voice for the rights of netizens everywhere.