Don’t use hard-coded keys (DUHK), a new cryptographic vulnerability that allows attackers to recover encryption keys from VPN sessions and web browsers, has been reported from KRACK Wi-Fi attack. The vulnerability affects vendor’s devices that rely on ANSI X9.31 RNG and “in conjunction with a hard-coded seed key.” ANSI x9.31 RNG is an algorithym that was commonly used to generate cryptographic keys in order to secure VPN connections and web browsers.
The DUHK vulnerability could allow a “state recovery attack, allows man-in-the-middle attackers, who already know the seed value, to recover the current state value after observing some outputs.”
https://duhkattack.com
https://thehackernews.com/2017/10/crack-prng-encryption-keys.html
Richard,
Thanks for sharing your views on this article. Hard Coding keys has been a threat for a long time now, not only with respect to VPN, but also with Online Banking, Payment systems, and Credit Cards. With the new cryptographic vulnerability of the DUHK, it would be interesting to see how much can this be prevented in the shortest time possible. These attacks can be extremely dangerous as you mentioned because they can cause man-in-the-middle attacks to leak current session state of users who are connected to the VPN network.