Security Advisory
Dual_EC_DRBG and Extended Random (ER) Algorithms not used in
VanDyke Software products
Posted: April 16, 2014
Description
In September, 2013, documents leaked by Edward Snowden revealed
a possible backdoor vulnerability in the Dual_EC_DRBG
algorithm used to generate random numbers. Both RSA and NIST
later released guidelines recommending that the Dual_EC_DRBG
algorithm no longer be used for random number generation.
Some of VanDyke Software's products use RSA BSafe CryptoC-ME
libraries. However, VanDyke Software products which use
RSA BSafe libraries do not use (and have never used) the
Dual_EC_DRBG algorithm in any way, nor can our products be
configured to use this algorithm.
Recently, new information was brought to light regarding a
second tool known as "Extended Random" (ER). Developed by
the NSA, ER is reported to allow significantly increased
success rates of attacks on SSL/TLS encryption based on
random numbers generated using Dual_EC_DRBG.
VanDyke Software products do not use (and have not ever
used) either the ER or the Dual_EC_DRBG algorithms in any
way, and cannot be configured to do so.
Revision History
April 16, 2014 - Security Advisory published.
