Product security is paramount to us: A response to recent Cavium product security concerns 

To our Valued Customers:

Recently, reports have surfaced alleging that certain Cavium products included a “backdoor” for the National Security Agency (NSA). We assure you that neither Cavium nor Marvell has ever knowingly incorporated or retained any vulnerability or backdoor in our products.

Our products implement a suite of standards-based security algorithms such as AES, 3DES, and SHA. Prior to 2014, some of our software libraries included an algorithm for random number generation called Dual_EC_DRBG. This algorithm was one of four officially recommended at the time by the US National Institute of Standards and Technology (NIST) that our products implemented. In 2013, this algorithm was reported by the New York Times, The Guardian, and ProPublica to include a backdoor for the NSA. After we learned of the potential issue, Cavium removed this algorithm from its software libraries and has not included it in any product shipped since then.

Importantly, the Dual_EC_DRBG algorithm was included in some of Cavium’s software libraries for our chip-level products, but not in the chips themselves. As a result, while Cavium provided this algorithm (among many), the ultimate choice and control over the algorithms being used was managed by the equipment vendors integrating our products into their system-level products. Many companies, not just Cavium, implemented the NIST standard algorithms, including this algorithm. In fact, according to NIST’s historical validation data, approximately 80 different products with semiconductors from different vendors implemented this algorithm in some combination of hardware, software, and firmware before it was removed.

LiquidSecurity, Marvell’s cloud-optimized Hardware Security Module (HSM) adapter, is a system-level product provided by Marvell, and previously Cavium, and these products have never included or implemented the Dual_EC_DRBG algorithm.

At Marvell, and previously at Cavium, maintaining the integrity and security of our products is paramount, and we continually invest in rigorous validations and updates. Although we believe our actions eliminated this particular vulnerability, new vulnerabilities may be created and exploited. Therefore, we have created robust processes to identify and address potential vulnerabilities in our chip designs and firmware. 

We assure you and our other partners that our products have been rigorously designed and tested to deliver unparalleled security and performance. 

Sincerely,

Raghib Hussain
President, Products & Technologies
(Previously co-founder of Cavium)
