Even with catchy branding and cute mascot and a theme song, these two SSL/TLS vulnerabilities nearly went unnoticed last week. The WPA2 Key Reinstallation Attack (KRACK) overshadowed them both, vacuuming up the tech media attention.
DUHK and ROCA are both implementation-specific vulnerabilities concerning one of my favorite topics, random number generators.
The “Don’t Use Hardcoded Keys” (DUHK) vulnerability is sponsored by that amazing team of researchers Nadia Heninger and Matthew Green, though they are honest and explicitly say that their graduate student, Shaanan Cohney, did all the grunt work. Heninger has been behind a ton of interesting crypto attacks, including the DROWN attack, and my personal favorite, the cracking of 1% of SSL keys due to bad random numbers, Mining your Ps and Qs.
