Is this a dead DUHK, one that has ceased to be? Or should organisations rightly be getting their feathers ruffled?
Here at IT Security Thing we were intrigued to see news of the Don’t Use Hard-coded Keys (DUHK) attack methodology. Not just because anything to do with cryptography gets us a little bit turned on, but also as it seems to be something of a lame DUHK as far as real world threats are concerned.
According to the researchers who uncovered the DUHK vulnerability, it affects devices that use an ANSI X9.31 random number generator together with a hard-coded seed key. They go on to say that it enables an attacker to recover secret keys from a vulnerable implementation, and then decrypt communications passing over VPN connections or encrypted web sessions.
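To show why the hard-coded key is the whole problem, here is an added example in Go (not code from the researchers or from this site): a minimal ANSI X9.31 generator over AES-128, plus a function showing that once K is known, a single observed output block and its timestamp fix the next output without the secret seed V ever being learned. The key, seed and timestamp values are constructed stand-ins.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// zero is the all-zero block, so encXor(blk, t, zero) computes E_K(T).
var zero = make([]byte, 16)

// encXor returns E_K(a XOR b) using a 16-byte-block cipher such as AES-128.
func encXor(blk cipher.Block, a, b []byte) []byte {
	in := make([]byte, 16)
	for i := range in {
		in[i] = a[i] ^ b[i]
	}
	out := make([]byte, 16)
	blk.Encrypt(out, in)
	return out
}

// Step is one ANSI X9.31 iteration with secret state V and timestamp block T:
// I = E_K(T); R = E_K(I ^ V); V' = E_K(R ^ I). It returns the output R and V'.
func Step(blk cipher.Block, v, t []byte) (r, vNext []byte) {
	i := encXor(blk, t, zero)
	r = encXor(blk, i, v)
	vNext = encXor(blk, r, i)
	return r, vNext
}

// PredictNext is the DUHK observation: when K is hard-coded and therefore
// known, one observed output R with its timestamp T plus the next timestamp T'
// fixes the next output, without the seed V ever being learned. A per-device
// secret K leaves this function with nothing to work from.
func PredictNext(blk cipher.Block, t, r, tNext []byte) []byte {
	i := encXor(blk, t, zero)
	vNext := encXor(blk, r, i)
	return encXor(blk, encXor(blk, tNext, zero), vNext)
}

func main() {
	blk, _ := aes.NewCipher([]byte("HARDCODED-KEY-16")) // constructed stand-in for a shipped key
	v := []byte("constructed-seed")                      // secret seed the observer never sees
	t1, t2 := []byte("timestamp-block1"), []byte("timestamp-block2")
	r1, v := Step(blk, v, t1)
	r2, _ := Step(blk, v, t2)
	fmt.Printf("real: %x\npredicted: %x\n", r2, PredictNext(blk, t1, r1, t2))
}
```

The two printed blocks match only because K is shared with the observer; generating K per device from a proper entropy source is what removes that foothold.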
The bits that touched my cynical real-world nerve were “to have been” and “historically compliant”, both of which suggest past tense. So maybe this is a lame duck after all, in threat likelihood terms? Read on…