
=====================================================================

                           CERT-Renater

               Information Note No. 2013/VULN463
_____________________________________________________________________

DATE                : 17/10/2013

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Cisco software.

======================================================================
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131016-ec-drbg
______________________________________________________________________

Use of Dual_EC_DRBG in Cisco Products

Document ID: 36356

Revision 1.0

For Public Release 2013 October 16 16:00  UTC (GMT)

+---------------------------------------------------------------------

Cisco Response
==============

Cisco is aware of the industry discussion regarding the Dual Elliptic
Curve Deterministic Random Bit Generator (Dual_EC_DRBG) and the recent
decision of the U.S. National Institute of Standards and Technology
(NIST) to reopen the 800-90A Special Publication (SP) to public review.

Cisco applauds the decision for increased public review of cryptographic
standards and will monitor for any updates to NIST SP 800-90A.

Cisco has completed an internal investigation and has confirmed that the
Dual_EC_DRBG is not in use in any Cisco products.

Additional Information
======================

Cisco licenses third-party components that include the Dual_EC_DRBG;
however, this Deterministic Random Bit Generator (DRBG) is not in use in
any Cisco products.

Cisco products that use DRBGs for encryption are compliant with either
the older ANSI X9.31 standard or the newer NIST SP 800-90A standard. The
800-90A-compliant crypto libraries in Cisco products have four DRBG
options available to Cisco developers, but the standard Cisco
implementation is Advanced Encryption Standard Counter mode (AES-CTR),
not Dual_EC_DRBG. Additionally, there are no configuration modifications
that could enable Dual_EC_DRBG.

Cisco provides strong encryption options that comply with international
standards and local regulations. We are always watching for stronger
encryption options, and if we find such an option, it will be
implemented for the benefit of our customers.

This response is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131016-ec-drbg


=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
