VanDyke Software

Security Advisory

Security Advisory

Dual_EC_DRBG and Extended Random (ER) Algorithms not used in VanDyke Software products


Posted: April 16, 2014

Description

In September, 2013, documents leaked by Edward Snowden revealed a possible backdoor vulnerability in the Dual_EC_DRBG algorithm used to generate random numbers. Both RSA and NIST later released guidelines recommending that the Dual_EC_DRBG algorithm no longer be used for random number generation.

Some of VanDyke Software's products use RSA BSafe CryptoC-ME libraries. However, VanDyke Software products which use RSA BSafe libraries do not use (and have never used) the Dual_EC_DRBG algorithm in any way, nor can our products be configured to use this algorithm.

Recently, new information was brought to light regarding a second tool known as "Extended Random" (ER). Developed by the NSA, ER is reported to allow significantly increased success rates of attacks on SSL/TLS encryption based on random numbers generated using Dual_EC_DRBG.

VanDyke Software products do not use (and have not ever used) either the ER or the Dual_EC_DRBG algorithms in any way, and cannot be configured to do so.

Revision History

April 16, 2014 - Security Advisory published.