RSA Security
RSA Security LLC, formerly RSA Security, Inc. and doing business as RSA, is an American computer and network security company with a focus on encryption and encryption standards. RSA was named after the initials of its co-founders, Ron Rivest, Adi Shamir and Leonard Adleman, after whom the RSA public key cryptography algorithm was also named. Among its products is the SecurID authentication token. The BSAFE cryptography libraries were also initially owned by RSA. RSA is known for incorporating backdoors developed by the NSA in its products. It also organizes the annual RSA Conference, an information security conference.

Founded as an independent company in 1982, RSA Security was acquired by EMC Corporation in 2006 for US$2.1 billion and operated as a division within EMC. When EMC was acquired by Dell Technologies in 2016, RSA became part of the Dell Technologies family of brands. On 10 March 2020, Dell Technologies announced that it would sell RSA Security to a consortium led by Symphony Technology Group (STG), Ontario Teachers' Pension Plan Board (Ontario Teachers') and AlpInvest Partners (AlpInvest) for US$2.1 billion, the same price EMC had paid for it in 2006.

RSA is based in Bedford, Massachusetts, with regional headquarters in Bracknell (UK) and Singapore, and numerous international offices.


History

* Ron Rivest, Adi Shamir and Leonard Adleman, who developed the RSA encryption algorithm in 1977, founded RSA Data Security in 1982.
* In 1994, RSA opposed the Clipper Chip during the Crypto Wars.
* In 1995, RSA sent a handful of people across the hall to found Digital Certificates International, better known as VeriSign.
* The company then called ''Security Dynamics'' acquired ''RSA Data Security'' in July 1996 and ''DynaSoft AB'' in 1997.
* In January 1997, it proposed the first of the DES Challenges, which led to the first public breaking of a message based on the Data Encryption Standard.
* In February 2001, it acquired ''Xcert International, Inc.'', a privately held company that developed and delivered digital certificate-based products for securing e-business transactions.
* In May 2001, it acquired ''3-G International, Inc.'', a privately held company that developed and delivered smart card and biometric authentication products.
* In August 2001, it acquired ''Securant Technologies, Inc.'', a privately held company that produced ClearTrust, an identity management product.
* In December 2005, it acquired Cyota, a privately held Israeli company specializing in online security and anti-fraud solutions for financial institutions.
* In April 2006, it acquired ''PassMark Security''.
* On September 14, 2006, RSA stockholders approved the acquisition of the company by EMC Corporation for $2.1 billion.
* In 2007, RSA acquired Valyd Software, a Hyderabad-based Indian company specializing in file and data security.
* In 2009, RSA launched the RSA Share Project. As part of this project, some of the RSA BSAFE libraries were made available for free. To promote the launch, RSA ran a programming competition with a US$10,000 first prize.
* In March 2011, RSA suffered a security breach and its most valuable secrets were leaked, compromising the security of all existing RSA SecurID tokens.
* In 2011, RSA introduced a new CyberCrime Intelligence Service designed to help organizations identify computers, information assets and identities compromised by trojans and other online attacks.
* In July 2013, RSA acquired Aveksa, the leader in the Identity and Access Governance sector.
* On September 7, 2016, RSA was acquired by and became a subsidiary of Dell EMC Infrastructure Solutions Group through the acquisition of EMC Corporation by Dell Technologies in a cash and stock deal led by Michael Dell.
* On February 18, 2020, Dell Technologies announced its intention to sell RSA for $2.075 billion to Symphony Technology Group.
* In anticipation of the sale of RSA to Symphony Technology Group, Dell Technologies made the strategic decision to retain the BSAFE product line. To that end, RSA transferred BSAFE products (including the Data Protection Manager product) and customer agreements, including maintenance and support, to Dell Technologies on July 1, 2020.
* On September 1, 2020, Symphony Technology Group (STG) completed its acquisition of RSA from Dell Technologies. RSA became an independent company, one of the world's largest cybersecurity and risk management organizations.


Controversy


SecurID security breach

On March 17, 2011, RSA disclosed an attack on its two-factor authentication products. The attack was similar to the Sykipot attacks, the July 2011 SK Communications hack, and the NightDragon series of attacks. RSA called it an advanced persistent threat. Today, SecurID is more commonly used as a software token rather than older physical tokens.


Relationship with NSA

RSA's relationship with the NSA has changed over the years. Reuters' Joseph Menn and cybersecurity analyst Jeffrey Carr (Carr, Jeffrey. "NSA's $10M RSA Contract: Origins". Digital Dao, jeffreycarr.blogspot.dk, 2014-01-06. Retrieved 2014-05-11.) have noted that the two once had an adversarial relationship. In its early years, RSA and its leaders were prominent advocates of strong cryptography for public use, while the NSA and the Bush and Clinton administrations sought to prevent its proliferation. In the mid-1990s, RSA and its CEO, Jim Bidzos, led a "fierce" public campaign against the Clipper Chip, an encryption chip with a backdoor that would allow the U.S. government to decrypt communications. The Clinton administration pressed telecommunications companies to use the chip in their devices, and relaxed export restrictions on products that used it. (Such restrictions had prevented RSA Security from selling its software abroad.) RSA joined civil libertarians and others in opposing the Clipper Chip by, among other things, distributing posters with a foundering sailing ship and the words "Sink Clipper!" RSA Security also created the DES Challenges to show that the widely used DES encryption was breakable by well-funded entities like the NSA.

The relationship shifted from adversarial to cooperative after Bidzos stepped down as CEO in 1999, according to Victor Chan, who led RSA's engineering department until 2005: "When I joined there were 10 people in the labs, and we were fighting the NSA. It became a very different company later on." For example, RSA was reported to have accepted $10 million from the NSA in 2004 in a deal to use the NSA-designed Dual_EC_DRBG random number generator in its BSAFE library, despite many indications that Dual_EC_DRBG was both of poor quality and possibly backdoored. RSA Security later released a statement about the Dual_EC_DRBG kleptographic backdoor:

In March 2014, it was reported by Reuters that RSA had also adapted the extended random standard championed by NSA. Later cryptanalysis showed that extended random did not add any security, and it was rejected by the prominent standards group Internet Engineering Task Force. Extended random did, however, make NSA's backdoor for Dual_EC_DRBG tens of thousands of times faster to use for attackers with the key to the Dual_EC_DRBG backdoor (presumably only NSA), because the extended nonces in extended random made part of the internal state of Dual_EC_DRBG easier to guess. Only RSA Security's Java version was hard to crack without extended random, since the caching of Dual_EC_DRBG output in, e.g., RSA Security's C version already made the internal state fast enough to determine. And indeed, RSA Security only implemented extended random in its Java implementation of Dual_EC_DRBG.


NSA Dual_EC_DRBG backdoor

From 2004 to 2013, RSA shipped security software—the BSAFE toolkit and Data Protection Manager—that included a default cryptographically secure pseudorandom number generator, Dual_EC_DRBG, that was later suspected to contain a secret National Security Agency kleptographic backdoor. The backdoor could have made data encrypted with these tools much easier to break for the NSA, which would have had the secret private key to the backdoor. Scientifically speaking, the backdoor employs kleptography, and is, essentially, an instance of the Diffie-Hellman kleptographic attack published in 1997 by Adam Young and Moti Yung (A. Young, M. Yung, "Kleptography: Using Cryptography Against Cryptography", Proceedings of Eurocrypt '97, W. Fumy (Ed.), Springer-Verlag, pages 62–74, 1997).

RSA Security employees should have been aware, at least, that Dual_EC_DRBG might contain a backdoor. Three employees were members of the ANSI X9F1 Tool Standards and Guidelines Group, to which Dual_EC_DRBG had been submitted for consideration in the early 2000s (Green, Matthew. "A few more notes on NSA random number generators". A Few Thoughts on Cryptographic Engineering, blog.cryptographyengineering.com, 2013-12-28. Retrieved 2014-05-11.). The possibility that the random number generator could contain a backdoor was "first raised in an ANSI X9 meeting", according to John Kelsey, a co-author of the NIST SP 800-90A standard that contains Dual_EC_DRBG. In January 2005, two employees of the cryptography company Certicom—who were also members of the X9F1 group—wrote a patent application that described a backdoor for Dual_EC_DRBG identical to the NSA one (Patent CA2594670A1, "Elliptic curve random number generation", Google Patents, 2011-01-24. Retrieved 2014-05-11.). The patent application also described three ways to neutralize the backdoor. Two of these—ensuring that the two arbitrary elliptic curve points P and Q used in Dual_EC_DRBG are independently chosen, and a smaller output length—were added to the standard as an option, though NSA's backdoored version of P and Q and large output length remained as the standard's default option. Kelsey said he knew of no implementers who actually generated their own non-backdoored P and Q (http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2013-12/nist_cryptography_800-90.pdf), and there have been no reports of implementations using the smaller output length.

Nevertheless, NIST included Dual_EC_DRBG in its 2006 NIST SP 800-90A standard with the default settings enabling the backdoor, largely at the behest of NSA officials, who had cited RSA Security's early use of the random number generator as an argument for its inclusion. The standard also did not fix the unrelated (to the backdoor) problem that the CSPRNG was predictable, which Kristian Gjøsteen had pointed out earlier in 2006, and which led Gjøsteen to call Dual_EC_DRBG not cryptographically sound. ANSI standard group members and Microsoft employees Dan Shumow and Niels Ferguson made a public presentation about the backdoor in 2007. Commenting on Shumow and Ferguson's presentation, prominent security researcher and cryptographer Bruce Schneier called the possible NSA backdoor "rather obvious", and wondered why NSA bothered pushing to have Dual_EC_DRBG included, when the general poor quality and possible backdoor would ensure that nobody would ever use it. There does not seem to have been a general awareness that RSA Security had made it the default in some of its products in 2004, until the Snowden leak.

In September 2013, the ''New York Times'', drawing on the Snowden leaks, revealed that the NSA worked to "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets" as part of the Bullrun program. One of these vulnerabilities, the ''Times'' reported, was the Dual_EC_DRBG backdoor. With the renewed focus on Dual_EC_DRBG, it was noted that RSA Security's BSAFE used Dual_EC_DRBG by default, which had not previously been widely known. After the ''New York Times'' published its article, RSA Security recommended that users switch away from Dual_EC_DRBG, but denied that it had deliberately inserted a backdoor. RSA Security officials have largely declined to explain why they did not remove the dubious random number generator once the flaws became known, or why they did not implement the simple mitigation that NIST added to the standard to neutralize the suggested and later verified backdoor.

On 20 December 2013, Reuters' Joseph Menn reported that NSA secretly paid RSA Security $10 million in 2004 to set Dual_EC_DRBG as the default CSPRNG in BSAFE. The story quoted former RSA Security employees as saying that "no alarms were raised because the deal was handled by business leaders rather than pure technologists". Interviewed by CNET, Schneier called the $10 million deal a bribe. RSA officials responded that they have not "entered into any contract or engaged in any project with the intention of weakening RSA's products." Menn stood by his story, and media analysis noted that RSA's reply was a non-denial denial, which denied only that company officials knew about the backdoor when they agreed to the deal, an assertion Menn's story did not make.

In the wake of the reports, several industry experts cancelled their planned talks at RSA's 2014 RSA Conference. Among them was Mikko Hyppönen, a Finnish researcher with F-Secure, who cited RSA's denial of the alleged $10 million payment by the NSA as suspicious. Hyppönen announced his intention to give his talk, "Governments as Malware Authors", at a conference quickly set up in reaction to the reports: TrustyCon, to be held on the same day and one block away from the RSA Conference (Gallagher, Sean. "'TrustyCon' security counter-convention planned for RSA refusniks". Ars Technica, 2014-01-21. Retrieved 2014-05-11.). At the 2014 RSA Conference, former RSA Security Executive Chairman Art Coviello defended RSA Security's choice to keep using Dual_EC_DRBG by saying "it became possible that concerns raised in 2007 might have merit" only after NIST acknowledged the problems in 2013.


Products

RSA is best known for its SecurID product, which provides two-factor authentication to hundreds of technologies using hardware tokens that rotate keys at timed intervals, software tokens, and one-time codes. In 2016, RSA re-branded the SecurID platform as RSA SecurID Access. This release added single sign-on capabilities and cloud authentication for resources using SAML 2.0 and other types of federation. The RSA SecurID Suite also contains the RSA Identity Governance and Lifecycle software (formerly Aveksa). The software provides visibility of who has access to what within an organization and manages that access with various capabilities such as access review, request and provisioning. RSA enVision is a ''security information and event management'' (SIEM) platform, with a centralised log-management service that claims to "enable organisations to simplify compliance process as well as optimise security-incident management as they occur." On April 4, 2011, EMC purchased NetWitness and added it to the RSA group of products. NetWitness was a packet capture tool aimed at gaining full network visibility to detect security incidents. This tool was re-branded RSA Security Analytics and was a combination of RSA enVision and NetWitness as a SIEM tool that did log and packet capture. The RSA Archer GRC platform is software that supports business-level management of governance, risk management, and compliance (GRC). The product was originally developed by Archer Technologies, which EMC acquired in 2010.


See also

* Hardware token
* RSA Factoring Challenge
* RSA Secret-Key Challenge
* BSAFE
* RSA SecurID
* Software token

