Riverbed statement regarding cryptographic random number generation practices

Recent disclosures in the information security community have revealed that certain weaknesses exist in a particular method for generating random numbers known as Dual Elliptic Curve Deterministic Random Bit Generation, or Dual_EC_DRBG. Under the right conditions, random number generators based on Dual_EC_DRBG lose their randomness, and patterns can be predicted.

Recommending against the use of SP 800-90A Dual Elliptic Curve Deterministic Random Bit Generation: NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of [Special Publication] 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used.

No customer action is required. While Dual_EC_DRBG code is present in our implementations of the SSL libraries used in the Steelhead/Granite/Whitewater and the Stingray product families, it is not in use. Furthermore, it cannot be enabled by any means, including altering configuration through the command line, the graphical management interface, or programmatically via APIs. The cryptographic algorithms used by these products, including those that are FIPS-140-2 validated (see validation number 310), implement other, more secure methods for generating random numbers.

• Steelhead product family
• Granite product family
• Whitewater cloud storage family
• Stingray product family
• RPM product family