Cisco is aware of the industry discussion regarding the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) and the recent decision of the U.S. National Institute of Standards and Technology (NIST) to reopen the 800-90A Special Publication (SP) to public review.
Cisco applauds the decision for increased public review of cryptographic standards and will monitor for any updates to NIST SP 800-90A.
Cisco has completed an internal investigation and has confirmed that the Dual_EC_DRBG is not in use in any Cisco products.
Cisco licenses third-party components that include the Dual_EC_DRBG; however, this Deterministic Random Bit Generator (DRBG) is not in use in any Cisco products.
Cisco products that use DRBGs for encryption are compliant with either the older ANSI X9.31 standard or the newer NIST SP 800-90A standard. The 800-90A-compliant crypto libraries in Cisco products have four DRBG options available to Cisco developers, but the standard Cisco implementation is Advanced Encryption Standard Counter mode (AES-CTR), not Dual_EC_DRBG. Additionally, there are no configuration modifications that could enable Dual_EC_DRBG.
Cisco provides strong encryption options that comply with international standards and local regulations. We are always watching for stronger encryption options, and if we find such an option, it will be implemented for the benefit of our customers.
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on the Cisco worldwide
This includes instructions for press inquiries regarding Cisco Security Notices. All Cisco Security Advisories are available at