Wikipedia

RSA Security

RSA Security LLC,[5] formerly RSA Security, Inc. and trade name RSA, is an American computer and network security company with a focus on encryption and encryption standards. RSA was named after the initials of its co-founders, Ron Rivest, Adi Shamir and Leonard Adleman, after whom the RSA public key cryptography algorithm was also named.[6] Among its products is the SecurID authentication token. The BSAFE cryptography libraries were also initially owned by RSA. RSA is known for incorporating backdoors developed by the NSA in its products.[7][8] It also organizes the annual RSA Conference, an information security conference.

RSA Security LLC
Trade name: RSA
Type: Independent
Industry: Network Security and Authentication
Founded: 1982[1][2]
Founders: Ron Rivest, Adi Shamir, Leonard Adleman[1]
Headquarters: Chelmsford, Massachusetts, United States
Key people: Rohit Ghai (2017–present)[3], Amit Yoran (2014–2016)[4]
Products: RSA Access Manager, RSA Adaptive Authentication, RSA Adaptive Authentication for eCommerce, RSA Archer Suite, RSA Authentication Manager, RSA Cybercrime Intelligence, RSA Data Loss Prevention, RSA Digital Certificate Solutions, RSA Federated Identity Manager, RSA FraudAction Services, RSA Identity Governance and Lifecycle, RSA NetWitness Endpoint, RSA NetWitness Investigator, RSA NetWitness Orchestrator, RSA NetWitness Platform, RSA NetWitness UEBA, RSA SecurID Access, RSA Web Threat Detection
Number of employees: 2,700+
Parent: Symphony Technology Group
Website: www.rsa.com

Founded as an independent company in 1982, RSA Security was acquired by EMC Corporation in 2006 for US$2.1 billion and operated as a division within EMC.[9] When EMC was acquired by Dell Technologies in 2016,[10] RSA became part of the Dell Technologies family of brands. On 10 March 2020, Dell Technologies announced that it would sell RSA Security to a consortium led by Symphony Technology Group (STG), Ontario Teachers’ Pension Plan Board (Ontario Teachers’) and AlpInvest Partners (AlpInvest) for US$2.1 billion, the same price EMC paid for it in 2006.[11]

RSA is based in Chelmsford, Massachusetts, with regional headquarters in Bracknell (UK) and Singapore, and numerous international offices.[12]

History

 
RSA headquarters in Chelmsford, Massachusetts

Ron Rivest, Adi Shamir and Leonard Adleman, who developed the RSA encryption algorithm in 1977, founded RSA Data Security in 1982.[1][2] The company acquired a "worldwide exclusive license" from the Massachusetts Institute of Technology to a patent on the RSA cryptosystem technology granted in 1983.[13]

  • In 1994, RSA opposed the Clipper chip during the Crypto War.[14]
  • In 1995, RSA sent a handful of people across the hall to found Digital Certificates International, better known as VeriSign.[citation needed]
  • The company then called Security Dynamics acquired RSA Data Security in July 1996 and DynaSoft AB in 1997.
  • In January 1997, it proposed the first of the DES Challenges which led to the first public breaking of a message based on the Data Encryption Standard.
  • In February 2001, it acquired Xcert International, Inc., a privately held company that developed and delivered digital certificate-based products for securing e-business transactions.[citation needed]
  • In May 2001, it acquired 3-G International, Inc., a privately held company that developed and delivered smart card and biometric authentication products.[citation needed]
  • In August 2001, it acquired Securant Technologies, Inc., a privately held company that produced ClearTrust, an identity management product.[citation needed]
  • In December 2005, it acquired Cyota, a privately held Israeli company specializing in online security and anti-fraud solutions for financial institutions.[15]
  • In April 2006, it acquired PassMark Security.[citation needed]
  • On September 14, 2006, RSA stockholders approved the acquisition of the company by EMC Corporation for $2.1 billion.[9][16][17]
  • In 2007, RSA acquired Valyd Software, a Hyderabad-based Indian company specializing in file and data security.[citation needed]
  • In 2009, RSA launched the RSA Share Project.[18] As part of this project, some of the RSA BSAFE libraries were made available for free. To promote the launch, RSA ran a programming competition with a US$10,000 first prize.[19]
  • In March 2011, RSA suffered a security breach and its most valuable secrets were leaked, compromising the security of all existing RSA SecurID tokens.[20][21]
  • In 2011, RSA introduced a new CyberCrime Intelligence Service designed to help organizations identify computers, information assets and identities compromised by trojans and other online attacks.[22]
  • In July 2013, RSA acquired Aveksa, the leader in the Identity and Access Governance sector.[23]
  • On September 7, 2016, RSA was acquired by and became a subsidiary of Dell EMC Infrastructure Solutions Group through the acquisition of EMC Corporation by Dell Technologies in a cash and stock deal led by Michael Dell.[citation needed]
  • On February 18, 2020, Dell Technologies announced their intention to sell RSA for $2.075 billion to Symphony Technology Group.[citation needed]
  • In anticipation of the sale of RSA to Symphony Technology Group, Dell Technologies made the strategic decision to retain the BSAFE product line. To that end, RSA transferred BSAFE products (including the Data Protection Manager product) and customer agreements, including maintenance and support, to Dell Technologies on July 1, 2020.[24]
  • On September 1, 2020, Symphony Technology Group (STG) completed its acquisition of RSA from Dell Technologies.[25] RSA became an independent company, one of the world’s largest cybersecurity and risk management organizations.[26][27][28]

Controversy

SecurID security breach

 
RSA SecurID security tokens.

On March 17, 2011, RSA disclosed an attack on its two-factor authentication products. The attack was similar to the Sykipot attacks, the July 2011 SK Communications hack, and the NightDragon series of attacks.[29] RSA called it an advanced persistent threat.[30] Today, SecurID is more commonly used as a software token rather than older physical tokens.

Relationship with NSA

 
RSA Security campaigned against the Clipper Chip backdoor in the so-called Crypto Wars, including the use of this iconic poster in the debate.

RSA's relationship with the NSA has changed over the years. Reuters' Joseph Menn[31] and cybersecurity analyst Jeffrey Carr[32] have noted that the two once had an adversarial relationship. In its early years, RSA and its leaders were prominent advocates of strong cryptography for public use, while the NSA and the Bush and Clinton administrations sought to prevent its proliferation.

For almost 10 years, I've been going toe to toe with these people at Fort Meade. The success of this company [RSA] is the worst thing that can happen to them. To them, we're the real enemy, we're the real target. We have the system that they're most afraid of. If the U.S. adopted RSA as a standard, you would have a truly international, interoperable, unbreakable, easy-to-use encryption technology. And all those things together are so synergistically threatening to the N.S.A.'s interests that it's driving them into a frenzy.

— RSA president James Bidzos, June 1994[33]

In the mid-1990s, RSA and Bidzos led a "fierce" public campaign against the Clipper Chip, an encryption chip with a backdoor that would allow the U.S. government to decrypt communications. The Clinton administration pressed telecommunications companies to use the chip in their devices, and relaxed export restrictions on products that used it. (Such restrictions had prevented RSA Security from selling its software abroad.) RSA joined civil libertarians and others in opposing the Clipper Chip by, among other things, distributing posters with a foundering sailing ship and the words "Sink Clipper!"[34] RSA Security also created the DES Challenges to show that the widely used DES encryption was breakable by well-funded entities like the NSA.

The relationship shifted from adversarial to cooperative after Bidzos stepped down as CEO in 1999, according to Victor Chan, who led RSA's department of engineering until 2005: "When I joined there were 10 people in the labs, and we were fighting the NSA. It became a very different company later on."[34] For example, RSA was reported to have accepted $10 million from the NSA in 2004 in a deal to use the NSA-designed Dual EC DRBG random number generator in their BSAFE library, despite many indications that Dual_EC_DRBG was both of poor quality and possibly backdoored.[35][36] RSA Security later released a statement about the Dual_EC_DRBG kleptographic backdoor:

We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption. This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs. We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion. When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media.

— RSA, The Security Division of EMC[37]

In March 2014, Reuters reported that RSA had also adopted the extended random standard championed by NSA. Later cryptanalysis showed that extended random did not add any security, and it was rejected by the prominent standards group Internet Engineering Task Force. Extended random did, however, make NSA's backdoor for Dual_EC_DRBG tens of thousands of times faster to use for attackers with the key to the Dual_EC_DRBG backdoor (presumably only NSA), because the extended nonces in extended random made part of the internal state of Dual_EC_DRBG easier to guess. Only RSA Security's Java version was hard to crack without extended random, since the caching of Dual_EC_DRBG output in, for example, RSA Security's C programming language version already made the internal state fast enough to determine. And indeed, RSA Security only implemented extended random in its Java implementation of Dual_EC_DRBG.[38][39]

NSA Dual_EC_DRBG backdoor

From 2004 to 2013, RSA shipped security software—BSAFE toolkit and Data Protection Manager—that included a default cryptographically secure pseudorandom number generator, Dual EC DRBG, that was later suspected to contain a secret National Security Agency kleptographic backdoor. The backdoor could have made data encrypted with these tools much easier to break for the NSA, which would have had the secret private key to the backdoor. Scientifically speaking, the backdoor employs kleptography, and is, essentially, an instance of the Diffie–Hellman kleptographic attack published in 1997 by Adam Young and Moti Yung.[40]

RSA Security employees should have been aware, at least, that Dual_EC_DRBG might contain a backdoor. Three employees were members of the ANSI X9F1 Tool Standards and Guidelines Group, to which Dual_EC_DRBG had been submitted for consideration in the early 2000s.[41] The possibility that the random number generator could contain a backdoor was "first raised in an ANSI X9 meeting", according to John Kelsey, a co-author of the NIST SP 800-90A standard that contains Dual_EC_DRBG.[42] In January 2005, two employees of the cryptography company Certicom—who were also members of the X9F1 group—wrote a patent application that described a backdoor for Dual_EC_DRBG identical to the NSA one.[43] The patent application also described three ways to neutralize the backdoor. Two of these—ensuring that two arbitrary elliptic curve points P and Q used in Dual_EC_DRBG are independently chosen, and a smaller output length—were added to the standard as an option, though NSA's backdoored version of P and Q and large output length remained as the standard's default option. Kelsey said he knew of no implementers who actually generated their own non-backdoored P and Q,[42] and there have been no reports of implementations using the smaller output length.
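Why the two mitigations named above matter, shown on a simplified Dual_EC_DRBG over NIST P-256. This is an added example, not code from RSA, NIST or the sources cited here; the value `d`, the seed, the label and all function names are constructed for illustration, and the trapdoored Q is generated locally rather than being the standard's Q. A party who knows d with P = d·Q predicts future output from two observed outputs, the search grows as 2^drop_bits when more bits are truncated, and the same procedure fails against a Q derived independently of P.

```python
import hashlib

# NIST P-256 domain parameters (public constants); P is the standard base point.
p = 2**256 - 2**224 + 2**192 + 2**96 - 1
a = p - 3
b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if A == B:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def mul(k, A):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R


def lift_x(x):
    """Return a curve point with this x-coordinate, or None if there is none."""
    if x >= p:
        return None
    rhs = (x * x * x + a * x + b) % p
    y = pow(rhs, (p + 1) // 4, p)          # square root, valid because p % 4 == 3
    return (x, y) if y * y % p == rhs else None


class DualEC:
    """Simplified generator: s <- x(s*P), output the low bits of x(s*Q)."""
    def __init__(self, seed, Q, drop_bits):
        self.s, self.Q = seed, Q
        self.mask = (1 << (256 - drop_bits)) - 1

    def next(self):
        self.s = mul(self.s, P)[0]
        return mul(self.s, self.Q)[0] & self.mask


def recover_state(out1, out2, d, Q, drop_bits):
    """Return the state that produced out2 if P = d*Q, else None.

    The loop runs 2**drop_bits times: every extra truncated bit doubles the work.
    """
    out_bits = 256 - drop_bits
    mask = (1 << out_bits) - 1
    for hi in range(1 << drop_bits):        # guess the truncated high bits
        R = lift_x((hi << out_bits) | out1)  # candidate for the point s*Q
        if R is None:
            continue
        s = mul(d, R)[0]                     # d*(s*Q) = s*P, whose x is the next state
        if (mul(s, Q)[0] & mask) == out2:    # confirm against the second output
            return s
    return None


def independent_Q(label):
    """Derive Q by hashing a public label to an x-coordinate (try-and-increment)."""
    ctr = 0
    while True:
        Q = lift_x(int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big"))
        if Q is not None:
            return Q
        ctr += 1


def demo(drop_bits=8):
    # Constructed values: d is the trapdoor, seed is the victim's secret state.
    d = int.from_bytes(hashlib.sha256(b"constructed trapdoor").digest(), "big") % n
    seed = int.from_bytes(hashlib.sha256(b"constructed seed").digest(), "big") % n
    Q_trap = mul(pow(d, -1, n), P)           # chosen so that P = d * Q_trap
    results = {}
    for name, Q in (("trapdoored", Q_trap), ("independent", independent_Q(b"example label"))):
        g = DualEC(seed, Q, drop_bits)
        o1, o2, o3 = g.next(), g.next(), g.next()
        s = recover_state(o1, o2, d, Q, drop_bits)
        # True: third output predicted; None: no state recovered with this d.
        results[name] = None if s is None else (mul(mul(s, P)[0], Q)[0] & g.mask) == o3
    return results


if __name__ == "__main__":
    print(demo())
```

P-256 Dual_EC_DRBG as standardized truncates 16 bits of each x-coordinate; the demo defaults to 8 only to keep the pure-Python run short.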

Nevertheless, NIST included Dual_EC_DRBG in its 2006 NIST SP 800-90A standard with the default settings enabling the backdoor, largely at the behest of NSA officials,[36] who had cited RSA Security's early use of the random number generator as an argument for its inclusion.[34] The standard also did not fix the problem, unrelated to the backdoor, that the CSPRNG was predictable, which Gjøsteen had pointed out earlier in 2006, and which led Gjøsteen to call Dual_EC_DRBG not cryptographically sound.[44]

ANSI standard group members and Microsoft employees Dan Shumow and Niels Ferguson made a public presentation about the backdoor in 2007.[45] Commenting on Shumow and Ferguson's presentation, prominent security researcher and cryptographer Bruce Schneier called the possible NSA backdoor "rather obvious", and wondered why NSA bothered pushing to have Dual_EC_DRBG included, when the general poor quality and possible backdoor would ensure that nobody would ever use it.[36] There does not seem to have been a general awareness that RSA Security had made it the default in some of its products in 2004, until the Snowden leak.[36]

In September 2013, the New York Times, drawing on the Snowden leaks, revealed that the NSA worked to "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets" as part of the Bullrun program. One of these vulnerabilities, the Times reported, was the Dual_EC_DRBG backdoor.[46] With the renewed focus on Dual_EC_DRBG, it was noted that RSA Security's BSAFE used Dual_EC_DRBG by default, which had not previously been widely known.

After the New York Times published its article, RSA Security recommended that users switch away from Dual_EC_DRBG, but denied that they had deliberately inserted a backdoor.[35][47] RSA Security officials have largely declined to explain why they did not remove the dubious random number generator once the flaws became known,[35][47] or why they did not implement the simple mitigation that NIST added to the standard to neutralize the suggested and later verified backdoor.[35]

On 20 December 2013, Reuters' Joseph Menn reported that NSA secretly paid RSA Security $10 million in 2004 to set Dual_EC_DRBG as the default CSPRNG in BSAFE. The story quoted former RSA Security employees as saying that "no alarms were raised because the deal was handled by business leaders rather than pure technologists".[34] Interviewed by CNET, Schneier called the $10 million deal a bribe.[48] RSA officials responded that they have not "entered into any contract or engaged in any project with the intention of weakening RSA’s products."[49] Menn stood by his story,[50] and media analysis noted that RSA's reply was a non-denial denial, which denied only that company officials knew about the backdoor when they agreed to the deal, an assertion Menn's story did not make.[51]

In the wake of the reports, several industry experts cancelled their planned talks at RSA's 2014 RSA Conference.[52] Among them was Mikko Hyppönen, a Finnish researcher with F-Secure, who cited RSA's denial of the alleged $10 million payment by the NSA as suspicious.[53] Hyppönen announced his intention to give his talk, "Governments as Malware Authors", at a conference quickly set up in reaction to the reports: TrustyCon, to be held on the same day and one block away from the RSA Conference.[54]

At the 2014 RSA Conference, former[55] RSA Security Executive Chairman Art Coviello defended RSA Security's choice to keep using Dual_EC_DRBG by saying "it became possible that concerns raised in 2007 might have merit" only after NIST acknowledged the problems in 2013.[56]

Products

RSA is best known for its SecurID product, which provides two-factor authentication to hundreds of technologies utilizing hardware tokens that rotate keys on timed intervals, software tokens, and one-time codes. In 2016, RSA re-branded the SecurID platform as RSA SecurID Access.[57] This release added Single-Sign-On capabilities and cloud authentication for resources using SAML 2.0 and other types of federation.

The RSA SecurID Suite also contains the RSA Identity Governance and Lifecycle software (formerly Aveksa). The software provides visibility of who has access to what within an organization and manages that access with various capabilities such as access review, request and provisioning.[58]

RSA enVision is a security information and event management (SIEM) platform, with a centralised log-management service that claims to "enable organisations to simplify compliance process as well as optimise security-incident management as they occur."[59] On April 4, 2011, EMC purchased NetWitness and added it to the RSA group of products. NetWitness was a packet capture tool aimed at gaining full network visibility to detect security incidents.[60] This tool was re-branded RSA Security Analytics and was a combination of RSA enVision and NetWitness as a SIEM tool that did log and packet capture.

The RSA Archer GRC platform is software that supports business-level management of governance, risk management, and compliance (GRC).[61] The product was originally developed by Archer Technologies, which EMC acquired in 2010.[62]

References

  1. ^ a b c . October 22, 1997. Archived from the original on September 29, 2011. Retrieved February 22, 2009.
  2. ^ a b Kaliski, Burt (October 22, 1997). . Archived from the original on September 29, 2011. Retrieved April 29, 2017.
  3. ^ . Archived from the original on September 24, 2020. Retrieved January 9, 2017.
  4. ^ "Amit Yoran Named President at RSA". October 29, 2014. Retrieved December 29, 2014.
  5. ^ "RSA Security LLC Company Profile". Retrieved May 15, 2013.
  6. ^ "RSA History". Retrieved June 8, 2011.
  7. ^ "NSA infiltrated RSA security more deeply than thought - study". Reuters. March 31, 2014. Retrieved March 31, 2014.
  8. ^ "RSA endowed crypto product with second NSA-influenced code". Ars Technica. March 31, 2014. Retrieved March 31, 2014.
  9. ^ a b . Rsasecurity.com. June 29, 2006. Archived from the original on October 20, 2006. Retrieved May 12, 2012.
  10. ^ "Dell Technologies - Who We Are". Dell Technologies Inc. Retrieved September 9, 2016.
  11. ^ "RSA® Emerges as Independent Company Following Completion of Acquisition by Symphony Technology Group". RSA.com. Retrieved November 2, 2020.
  12. ^ "About RSA | Cybersecurity and Digital Risk Management".
  13. ^ Bennett, Ralph (July 1985). "Public-Key Patent". Byte. p. 16. Retrieved May 21, 2023.
  14. ^ Levy, Stephen (June 12, 1994). "Battle of the Clipper Chip". The New York Times. Retrieved October 19, 2017.
  15. ^ "Business & Innovation | The Jerusalem Post". www.jpost.com.
  16. ^ . Emc.com. Archived from the original on December 10, 2007. Retrieved May 12, 2012.
  17. ^ . Rsasecurity.com. September 18, 2006. Archived from the original on December 9, 2006. Retrieved May 12, 2012.
  18. ^ "RSA Share Project". Retrieved January 4, 2013.[permanent dead link]
  19. ^ "Announcing the RSA Share Project Programming Contest". March 24, 2009. Retrieved January 4, 2013.
  20. ^ Greenberg, Andy. "The Full Story of the Stunning RSA Hack Can Finally be Told". Wired.
  21. ^ "The file that hacked RSA: How we found it - F-Secure Weblog : News from the Lab".
  22. ^ "RSA CyberCrime Intelligence Service". rsa.com. Retrieved December 19, 2013.
  23. ^ "EMC Acquires Aveksa Inc., Leading Provider of Business-Driven Identity and Access Management Solutions". EMC Corporation. July 8, 2013. Archived from the original on October 27, 2017. Retrieved September 24, 2018.
  24. ^ "BSAFE support and billing update | Dell US". www.dell.com. Retrieved September 2, 2020.
  25. ^ "News & Press". RSA. April 24, 2023.
  26. ^ "Learn About Archer Integrated Risk Management Solutions". Archer. Retrieved July 20, 2023.
  27. ^ "Archer History Timeline". Genial.ly. Retrieved July 20, 2023.
  28. ^ . July 20, 2023. Archived from the original on July 20, 2023. Retrieved July 20, 2023.
  29. ^ (PDF). Command Five Pty Ltd. February 2012. Archived from the original (PDF) on February 27, 2012. Retrieved February 10, 2012.
  30. ^ "RSA hit by advanced persistent threat attacks". Computer Weekly. March 18, 2011. Retrieved May 4, 2011.
  31. ^ Joseph Menn (December 20, 2013). "Exclusive: Secret contract tied NSA and security industry pioneer". Reuters.
  32. ^ Carr, Jeffrey. (2014-01-06) Digital Dao: NSA's $10M RSA Contract: Origins. Jeffreycarr.blogspot.dk. Retrieved on 2014-05-11.
  33. ^ Steven Levy (June 12, 1994). "Battle of the Clipper Chip". New York Times. Retrieved March 8, 2014.
  34. ^ a b c d Menn, Joseph (December 20, 2013). "Exclusive: Secret contract tied NSA and security industry pioneer". Reuters. San Francisco. Retrieved December 20, 2013.
  35. ^ a b c d Matthew Green (September 20, 2013). "RSA warns developers not to use RSA products".
  36. ^ a b c d Bruce Schneier. "The Strange Story of Dual_EC_DRBG".
  37. ^ RSA. "RSA Response to Media Claims Regarding NSA Relationship". Retrieved March 8, 2014.
  38. ^ Menn, Joseph (March 31, 2014). "Exclusive: NSA infiltrated RSA security more deeply than thought - study". Reuters. Retrieved April 4, 2014.
  39. ^ "TrustNet Cybersecurity and Compliance Solutions". TrustNet Cybersecurity Solutions.
  40. ^ A. Young, M. Yung, "Kleptography: Using Cryptography Against Cryptography" In Proceedings of Eurocrypt '97, W. Fumy (Ed.), Springer-Verlag, pages 62–74, 1997.
  41. ^ Green, Matthew. (2013-12-28) A Few Thoughts on Cryptographic Engineering: A few more notes on NSA random number generators. Blog.cryptographyengineering.com. Retrieved on 2014-05-11.
  42. ^ a b Kelsey, John (December 2013). "800-90 and Dual EC DRBG" (PDF). NIST.
  43. ^ Patent CA2594670A1 - Elliptic curve random number generation - Google Patents. Google.com (2011-01-24). Retrieved on 2014-05-11.
  44. ^ (PDF). Archived from the original (PDF) on May 25, 2011. Retrieved November 16, 2007.
  45. ^ Shumow, Dan; Ferguson, Niels. "On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng" (PDF).
  46. ^ "Secret Documents Reveal N.S.A. Campaign Against Encryption". New York Times.
  47. ^ a b "We don't enable backdoors in our crypto products, RSA tells customers". Ars Technica. September 20, 2013.
  48. ^ "Security firm RSA took millions from NSA: report". CNET.
  49. ^ . RSA Security. Archived from the original on December 23, 2013. Retrieved January 20, 2014.
  50. ^ "RSA comes out swinging at claims it took NSA's $10m to backdoor crypto". The Register.
  51. ^ "RSA's 'Denial' Concerning $10 Million From The NSA To Promote Broken Crypto Not Really A Denial At All". techdirt. December 23, 2013.
  52. ^ "RSA Conference speakers begin to bail, thanks to NSA". CNET.
  53. ^ "News from the Lab Archive : January 2004 to September 2015". archive.f-secure.com.
  54. ^ Gallagher, Sean. (2014-01-21) “TrustyCon” security counter-convention planned for RSA refusniks. Ars Technica. Retrieved on 2014-05-11.
  55. ^ . Archived from the original on July 16, 2015. Retrieved July 15, 2015.
  56. ^ (PDF). February 25, 2014. Archived from the original (PDF) on July 14, 2014.
  57. ^ . www.rsa.com. Archived from the original on August 2, 2017. Retrieved June 6, 2017.
  58. ^ "RSA Identity Governance & Lifecycle". Retrieved September 24, 2018.
  59. ^ "RSA Envision". EMC. Retrieved December 19, 2012.
  60. ^ "Press Release: EMC Acquires Netwitness". www.emc.com. Retrieved June 6, 2017.
  61. ^ "RSA Archer Platform". EMC. Retrieved November 13, 2015.
  62. ^ "EMC to Acquire Archer Technologies, Leading Provider Of IT Governance Risk and Compliance Software". EMC. Retrieved August 28, 2018.

security, formerly, trade, name, american, computer, network, security, company, with, focus, encryption, encryption, standards, named, after, initials, founders, rivest, shamir, leonard, adleman, after, whom, public, cryptography, algorithm, also, named, amon. RSA Security LLC 5 formerly RSA Security Inc and trade name RSA is an American computer and network security company with a focus on encryption and encryption standards RSA was named after the initials of its co founders Ron Rivest Adi Shamir and Leonard Adleman after whom the RSA public key cryptography algorithm was also named 6 Among its products is the SecurID authentication token The BSAFE cryptography libraries were also initially owned by RSA RSA is known for incorporating backdoors developed by the NSA in its products 7 8 It also organizes the annual RSA Conference an information security conference RSA Security LLCTrade nameRSATypeIndependentIndustryNetwork Security and AuthenticationFounded1982 41 years ago 1982 1 2 FounderRon RivestAdi ShamirLeonard Adleman 1 HeadquartersChelmsford Massachusetts United StatesKey peopleRohit Ghai 2017 present 3 Amit Yoran 2014 2016 4 ProductsRSA Access Manager RSA Adaptive Authentication RSA Adaptive Authentication for eCommerce RSA Archer Suite RSA Authentication Manager RSA Cybercrime Intelligence RSA Data Loss Prevention RSA Digital Certificate Solutions RSA Federated Identity Manager RSA FraudAction Services RSA Identity Governance and Lifecycle RSA NetWitness Endpoint RSA NetWitness Investigator RSA NetWitness Orchestrator RSA NetWitness Platform RSA NetWitness UEBA RSA SecurID Access RSA Web Threat DetectionNumber of employees2 700 ParentSymphony Technology GroupWebsitewww wbr rsa wbr comFounded as an independent company in 1982 RSA Security was acquired by EMC Corporation in 2006 for US 2 1 billion and operated as a division within EMC 9 When EMC was acquired by Dell Technologies in 2016 10 RSA became part of the Dell Technologies family of brands On 10 
March 2020 Dell Technologies announced that they will be selling RSA Security to a consortium led by Symphony Technology Group STG Ontario Teachers Pension Plan Board Ontario Teachers and AlpInvest Partners AlpInvest for US 2 1 billion the same price when it was bought by EMC back in 2006 11 RSA is based in Chelmsford Massachusetts with regional headquarters in Bracknell UK and Singapore and numerous international offices 12 Contents 1 History 2 Controversy 2 1 SecurID security breach 2 2 Relationship with NSA 2 3 NSA Dual EC DRBG backdoor 3 Products 4 See also 5 ReferencesHistory editThis section is in list format but may read better as prose You can help by converting this section if appropriate Editing help is available June 2023 nbsp RSA headquarters in Chelmsford MassachusettsRon Rivest Adi Shamir and Leonard Adleman who developed the RSA encryption algorithm in 1977 founded RSA Data Security in 1982 1 2 The company acquired a worldwide exclusive license from the Massachusetts Institute of Technology to a patent on the RSA cryptosystem technology granted in 1983 13 In 1994 RSA was against the Clipper chip during the Crypto War 14 In 1995 RSA sent a handful of people across the hall to found Digital Certificates International better known as VeriSign citation needed The company then called Security Dynamics acquired RSA Data Security in July 1996 and DynaSoft AB in 1997 In January 1997 it proposed the first of the DES Challenges which led to the first public breaking of a message based on the Data Encryption Standard In February 2001 it acquired Xcert International Inc a privately held company that developed and delivered digital certificate based products for securing e business transactions citation needed In May 2001 it acquired 3 G International Inc a privately held company that developed and delivered smart card and biometric authentication products citation needed In August 2001 it acquired Securant Technologies Inc a privately held company that produced 
ClearTrust an identity management product citation needed In December 2005 it acquired Cyota a privately held Israeli company specializing in online security and anti fraud solutions for financial institutions 15 In April 2006 it acquired PassMark Security citation needed On September 14 2006 RSA stockholders approved the acquisition of the company by EMC Corporation for 2 1 billion 9 16 17 In 2007 RSA acquired Valyd Software a Hyderabad based Indian company specializing in file and data security citation needed In 2009 RSA launched the RSA Share Project 18 As part of this project some of the RSA BSAFE libraries were made available for free To promote the launch RSA ran a programming competition with a US 10 000 first prize 19 In March 2011 RSA suffered a security breach and its most valuable secrets were leaked compromising the security of all existing RSA SecurID tokens 20 21 In 2011 RSA introduced a new CyberCrime Intelligence Service designed to help organizations identify computers information assets and identities compromised by trojans and other online attacks 22 In July 2013 RSA acquired Aveksa the leader in Identity and Access Governance sector 23 On September 7 2016 RSA was acquired by and became a subsidiary of Dell EMC Infrastructure Solutions Group through the acquisition of EMC Corporation by Dell Technologies in a cash and stock deal led by Michael Dell citation needed On February 18 2020 Dell Technologies announced their intention to sell RSA for 2 075 billion to Symphony Technology Group citation needed In anticipation of the sale of RSA to Symphony Technology Group Dell Technologies made the strategic decision to retain the BSAFE product line To that end RSA transferred BSAFE products including the Data Protection Manager product and customer agreements including maintenance and support to Dell Technologies on July 1 2020 24 On September 1 2020 Symphony Technology Group STG completed its acquisition of RSA from Dell Technologies 25 RSA became an 
independent company one of the world s largest cybersecurity and risk management organizations 26 27 28 Controversy editSecurID security breach edit nbsp RSA SecurID security tokens Main article SecurID March 2011 system compromise On March 17 2011 RSA disclosed an attack on its two factor authentication products The attack was similar to the Sykipot attacks the July 2011 SK Communications hack and the NightDragon series of attacks 29 RSA called it an advanced persistent threat 30 Today SecurID is more commonly used as a software token rather than older physical tokens Relationship with NSA edit nbsp RSA Security campaigned against the Clipper Chip backdoor in the so called Crypto Wars including the use of this iconic poster in the debate RSA s relationship with the NSA has changed over the years Reuters Joseph Menn 31 and cybersecurity analyst Jeffrey Carr 32 have noted that the two once had an adversarial relationship In its early years RSA and its leaders were prominent advocates of strong cryptography for public use while the NSA and the Bush and Clinton administrations sought to prevent its proliferation For almost 10 years I ve been going toe to toe with these people at Fort Meade The success of this company RSA is the worst thing that can happen to them To them we re the real enemy we re the real target We have the system that they re most afraid of If the U S adopted RSA as a standard you would have a truly international interoperable unbreakable easy to use encryption technology And all those things together are so synergistically threatening to the N S A s interests that it s driving them into a frenzy RSA president James Bidzos June 1994 33 In the mid 1990s RSA and Bidzos led a fierce public campaign against the Clipper Chip an encryption chip with a backdoor that would allow the U S government to decrypt communications The Clinton administration pressed telecommunications companies to use the chip in their devices and relaxed export restrictions on 
products that used it. Such restrictions had prevented RSA Security from selling its software abroad. RSA joined civil libertarians and others in opposing the Clipper Chip by, among other things, distributing posters with a foundering sailing ship and the words "Sink Clipper".[34] RSA Security also created the DES Challenges to show that the widely used DES encryption was breakable by well-funded entities like the NSA.

The relationship shifted from adversarial to cooperative after Bidzos stepped down as CEO in 1999, according to Victor Chan, who led RSA's department of engineering until 2005: "When I joined there were 10 people in the labs, and we were fighting the NSA. It became a very different company later on."[34] For example, RSA was reported to have accepted $10 million from the NSA in 2004 in a deal to use the NSA-designed Dual_EC_DRBG random number generator in their BSAFE library, despite many indications that Dual_EC_DRBG was both of poor quality and possibly backdoored.[35][36] RSA Security later released a statement about the Dual_EC_DRBG kleptographic backdoor:

"We made the decision to use Dual_EC_DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption. This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs. We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion. When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media."
RSA, The
Security Division of EMC[37]

In March 2014, it was reported by Reuters that RSA had also adapted the extended random standard championed by NSA. Later cryptanalysis showed that extended random did not add any security, and it was rejected by the prominent standards group Internet Engineering Task Force. Extended random did, however, make NSA's backdoor for Dual_EC_DRBG tens of thousands of times faster to use for attackers with the key to the Dual_EC_DRBG backdoor (presumably only NSA), because the extended nonces in extended random made part of the internal state of Dual_EC_DRBG easier to guess. Only RSA Security's Java version was hard to crack without extended random, since the caching of Dual_EC_DRBG output in e.g. RSA Security's C programming language version already made the internal state fast enough to determine. And indeed, RSA Security only implemented extended random in its Java implementation of Dual_EC_DRBG.[38][39]

NSA Dual_EC_DRBG backdoor

From 2004 to 2013, RSA shipped security software (BSAFE toolkit and Data Protection Manager) that included a default cryptographically secure pseudorandom number generator, Dual_EC_DRBG, that was later suspected to contain a secret National Security Agency kleptographic backdoor. The backdoor could have made data encrypted with these tools much easier to break for the NSA, which would have had the secret private key to the backdoor. Scientifically speaking, the backdoor employs kleptography, and is, essentially, an instance of the Diffie-Hellman kleptographic attack published in 1997 by Adam Young and Moti Yung.[40]

RSA Security employees should have been aware, at least, that Dual_EC_DRBG might contain a backdoor. Three employees were members of the ANSI X9F1 Tool Standards and Guidelines Group, to which Dual_EC_DRBG had been submitted for consideration in the early 2000s.[41] The possibility that the random number generator could contain a backdoor was first raised in an ANSI X9 meeting, according to John Kelsey, a co-author of the NIST SP 800-90A
standard that contains Dual_EC_DRBG.[42] In January 2005, two employees of the cryptography company Certicom, who were also members of the X9F1 group, wrote a patent application that described a backdoor for Dual_EC_DRBG identical to the NSA one.[43] The patent application also described three ways to neutralize the backdoor. Two of these, ensuring that two arbitrary elliptic curve points P and Q used in Dual_EC_DRBG are independently chosen, and a smaller output length, were added to the standard as an option, though NSA's backdoored version of P and Q and large output length remained as the standard's default option. Kelsey said he knew of no implementers who actually generated their own non-backdoored P and Q,[42] and there have been no reports of implementations using the smaller output.

Nevertheless, NIST included Dual_EC_DRBG in its 2006 NIST SP 800-90A standard with the default settings enabling the backdoor, largely at the behest of NSA officials,[36] who had cited RSA Security's early use of the random number generator as an argument for its inclusion.[34] The standard also did not fix the problem, unrelated to the backdoor, that the CSPRNG was predictable, which Gjøsteen had pointed out earlier in 2006, and which led Gjøsteen to call Dual_EC_DRBG not cryptographically sound.[44]

ANSI standard group members and Microsoft employees Dan Shumow and Niels Ferguson made a public presentation about the backdoor in 2007.[45] Commenting on Shumow and Ferguson's presentation, prominent security researcher and cryptographer Bruce Schneier called the possible NSA backdoor rather obvious, and wondered why NSA bothered pushing to have Dual_EC_DRBG included, when the general poor quality and possible backdoor would ensure that nobody would ever use it.[36] There does not seem to have been a general awareness that RSA Security had made it the default in some of its products in 2004, until the Snowden leak.[36]

In September 2013, the New York Times, drawing on the Snowden leaks, revealed that the NSA worked to
"Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets" as part of the Bullrun program. One of these vulnerabilities, the Times reported, was the Dual_EC_DRBG backdoor.[46] With the renewed focus on Dual_EC_DRBG, it was noted that RSA Security's BSAFE used Dual_EC_DRBG by default, which had not previously been widely known.

After the New York Times published its article, RSA Security recommended that users switch away from Dual_EC_DRBG, but denied that they had deliberately inserted a backdoor.[35][47] RSA Security officials have largely declined to explain why they did not remove the dubious random number generator once the flaws became known,[35][47] or why they did not implement the simple mitigation that NIST added to the standard to neutralize the suggested and later verified backdoor.[35]

On 20 December 2013, Reuters' Joseph Menn reported that NSA secretly paid RSA Security $10 million in 2004 to set Dual_EC_DRBG as the default CSPRNG in BSAFE. The story quoted former RSA Security employees as saying that "no alarms were raised because the deal was handled by business leaders rather than pure technologists".[34] Interviewed by CNET, Schneier called the $10 million deal a bribe.[48] RSA officials responded that they have not "entered into any contract or engaged in any project with the intention of weakening RSA's products."[49] Menn stood by his story,[50] and media analysis noted that RSA's reply was a non-denial denial, which denied only that company officials knew about the backdoor when they agreed to the deal, an assertion Menn's story did not make.[51]

In the wake of the reports, several industry experts cancelled their planned talks at RSA's 2014 RSA Conference.[52] Among them was Mikko Hyppönen, a Finnish researcher with F-Secure, who cited RSA's denial of the alleged $10 million payment by the NSA as suspicious.[53] Hyppönen announced his intention to give his talk, "Governments as Malware Authors", at a conference quickly set
up in reaction to the reports: TrustyCon, to be held on the same day and one block away from the RSA Conference.[54]

At the 2014 RSA Conference, former[55] RSA Security Executive Chairman Art Coviello defended RSA Security's choice to keep using Dual_EC_DRBG by saying "it became possible that concerns raised in 2007 might have merit" only after NIST acknowledged the problems in 2013.[56]

Products

RSA is most known for its SecurID product, which provides two-factor authentication to hundreds of technologies utilizing hardware tokens that rotate keys on timed intervals, software tokens, and one-time codes. In 2016, RSA re-branded the SecurID platform as RSA SecurID Access.[57] This release added Single-Sign-On capabilities and cloud authentication for resources using SAML 2.0 and other types of federation.

The RSA SecurID Suite also contains the RSA Identity Governance and Lifecycle software (formerly Aveksa). The software provides visibility of who has access to what within an organization and manages that access with various capabilities such as access review, request and provisioning.[58]

RSA enVision is a security information and event management (SIEM) platform, with centralised log-management service that claims to "enable organisations to simplify compliance process as well as optimise security-incident management as they occur."[59] On April 4, 2011, EMC purchased NetWitness and added it to the RSA group of products. NetWitness was a packet capture tool aimed at gaining full network visibility to detect security incidents.[60] This tool was re-branded RSA Security Analytics and was a combination of RSA enVision and NetWitness as a SIEM tool that did log and packet capture.

The RSA Archer GRC platform is software that supports business-level management of governance, risk management, and compliance (GRC).[61] The product was originally developed by Archer Technologies, which EMC acquired in 2010.[62]

See also

Hardware token
RSA Factoring Challenge
RSA Secret-Key Challenge
BSAFE
RSA SecurID
Software token

References

1. "Distributed Team Cracks Hidden Message in RSA's 56-Bit RC5 Secret-Key Challenge". October 22, 1997. Archived from the original on September 29, 2011. Retrieved February 22, 2009.
2. Kaliski, Burt (October 22, 1997). "Growing Up with Alice and Bob: Three Decades with the RSA Cryptosystem". Archived from the original on September 29, 2011. Retrieved April 29, 2017.
3. "Rohit Ghai Named President at RSA". Archived from the original on September 24, 2020. Retrieved January 9, 2017.
4. "Amit Yoran Named President at RSA". October 29, 2014. Retrieved December 29, 2014.
5. "RSA Security LLC Company Profile". Retrieved May 15, 2013.
6. "RSA History". Retrieved June 8, 2011.
7. "NSA infiltrated RSA security more deeply than thought - study". Reuters. March 31, 2014. Retrieved March 31, 2014.
8. "RSA endowed crypto product with second NSA-influenced code". Ars Technica. March 31, 2014. Retrieved March 31, 2014.
9. "EMC Announces Definitive Agreement to Acquire RSA Security, Further Advancing Information-Centric Security". Rsasecurity.com. June 29, 2006. Archived from the original on October 20, 2006. Retrieved May 12, 2012.
10. "Dell Technologies - Who We Are". Dell Technologies Inc. Retrieved September 9, 2016.
11. "RSA Emerges as Independent Company Following Completion of Acquisition by Symphony Technology Group". RSA.com. Retrieved November 2, 2020.
12. "About RSA: Cybersecurity and Digital Risk Management".
13. Bennett, Ralph (July 1985). "Public-Key Patent". Byte. p. 16. Retrieved May 21, 2023.
14. Levy, Stephen (June 12, 1994). "Battle of the Clipper Chip". The New York Times. Retrieved October 19, 2017.
15. "Business & Innovation". The Jerusalem Post. www.jpost.com.
16. "EMC Newsroom: EMC News and Press Releases". Emc.com. Archived from the original on December 10, 2007. Retrieved May 12, 2012.
17. "EMC Completes RSA Security Acquisition, Announces Acquisition of Network Intelligence". Rsasecurity.com. September 18, 2006. Archived from the original on December 9, 2006. Retrieved May 12, 2012.
18. "RSA Share Project". Retrieved January 4, 2013. [permanent dead link]
19. "Announcing the RSA Share Project Programming Contest". March 24, 2009. Retrieved January 4, 2013.
20. Greenberg, Andy. "The Full Story of the Stunning RSA Hack Can Finally be Told". Wired.
21. "The file that hacked RSA: How we found it". F-Secure Weblog: News from the Lab.
22. "RSA CyberCrime Intelligence Service". rsa.com. Retrieved December 19, 2013.
23. "EMC Acquires Aveksa Inc., Leading Provider of Business-Driven Identity and Access Management Solutions". EMC Corporation. July 8, 2013. Archived from the original on October 27, 2017. Retrieved September 24, 2018.
24. "BSAFE support and billing update". Dell US. www.dell.com. Retrieved September 2, 2020.
25. "News & Press". RSA. April 24, 2023.
26. "Learn About Archer Integrated Risk Management Solutions". Archer. Retrieved July 20, 2023.
27. "Archer History Timeline". Genial.ly. Retrieved July 20, 2023.
28. "Archer History Timeline". July 20, 2023. Archived from the original on July 20, 2023. Retrieved July 20, 2023.
29. "Command and Control in the Fifth Domain" (PDF). Command Five Pty Ltd. February 2012. Archived from the original (PDF) on February 27, 2012. Retrieved February 10, 2012.
30. "RSA hit by advanced persistent threat attacks". Computer Weekly. March 18, 2011. Retrieved May 4, 2011.
31. Joseph Menn (December 20, 2013). "Exclusive: Secret contract tied NSA and security industry pioneer". Reuters.
32. Carr, Jeffrey (2014-01-06). "Digital Dao: NSA's $10M RSA Contract: Origins". Jeffreycarr.blogspot.dk. Retrieved on 2014-05-11.
33. Steven Levy (June 12, 1994). "Battle of the Clipper Chip". New York Times. Retrieved March 8, 2014.
34. Menn, Joseph (December 20, 2013). "Exclusive: Secret contract tied NSA and security industry pioneer". Reuters. San Francisco. Retrieved December 20, 2013.
35. Matthew Green (September 20, 2013). "RSA warns developers not to use RSA products".
36. Bruce Schneier. "The Strange Story of Dual_EC_DRBG".
37. RSA. "RSA Response to Media Claims Regarding NSA Relationship". Retrieved March 8, 2014.
38. Menn, Joseph (March 31, 2014). "Exclusive: NSA infiltrated RSA security more deeply than thought - study". Reuters. Retrieved April 4, 2014.
39. "TrustNet Cybersecurity and Compliance Solutions". TrustNet Cybersecurity Solutions.
40. A. Young, M. Yung, "Kleptography: Using Cryptography Against Cryptography". In Proceedings of Eurocrypt '97, W. Fumy (Ed.), Springer-Verlag, pages 62-74, 1997.
41. Green, Matthew (2013-12-28). "A Few Thoughts on Cryptographic Engineering: A few more notes on NSA random number generators". Blog.cryptographyengineering.com. Retrieved on 2014-05-11.
42. Kelsey, John (December 2013). "800-90 and Dual EC DRBG" (PDF). NIST.
43. "Patent CA2594670A1 - Elliptic curve random number generation - Google Patents". Google.com (2011-01-24). Retrieved on 2014-05-11.
44. "Archived copy" (PDF). Archived from the original (PDF) on May 25, 2011. Retrieved November 16, 2007.
45. Shumow, Dan; Ferguson, Niels. "On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng" (PDF).
46. "Secret Documents Reveal N.S.A. Campaign Against Encryption". New York Times.
47. "We don't enable backdoors in our crypto products, RSA tells customers". Ars Technica. September 20, 2013.
48. "Security firm RSA took millions from NSA: report". CNET.
49. "RSA Response to Media Claims Regarding NSA Relationship". RSA Security. Archived from the original on December 23, 2013. Retrieved January 20, 2014.
50. "RSA comes out swinging at claims it took NSA's $10m to backdoor crypto". The Register.
51. "RSA's 'Denial' Concerning $10 Million From The NSA To Promote Broken Crypto Not Really A Denial At All". techdirt. December 23, 2013.
52. "RSA Conference speakers begin to bail, thanks to NSA". CNET.
53. "News from the Lab Archive: January 2004 to September 2015". archive.f-secure.com.
54. Gallagher, Sean (2014-01-21). "TrustyCon security counter-convention planned for RSA refusniks". Ars Technica. Retrieved on 2014-05-11.
55. "Arthur W. Coviello Jr." RSA Conference. Archived from the original on July 16, 2015. Retrieved July 15, 2015.
56. "RSA Conference 2014 Keynote for Art Coviello" (PDF). February 25, 2014. Archived from the original (PDF) on July 14, 2014.
57. "RSA Changes the Identity Game: Unveils New RSA SecurID Suite". www.rsa.com. Archived from the original on August 2, 2017. Retrieved June 6, 2017.
58. "RSA Identity Governance & Lifecycle". Retrieved September 24, 2018.
59. "RSA Envision". EMC. Retrieved December 19, 2012.
60. "Press Release: EMC Acquires Netwitness". www.emc.com. Retrieved June 6, 2017.
61. "RSA Archer Platform". EMC. Retrieved November 13, 2015.
62. "EMC to Acquire Archer Technologies, Leading Provider Of IT Governance Risk and Compliance Software". EMC. Retrieved August 28, 2018.

Retrieved from "https://en.wikipedia.org/w/index.php?title=RSA_Security&oldid=1187324079"

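The trapdoor and the output-length mitigation described in the "NSA Dual_EC_DRBG backdoor" section above, as an added example that is not part of the original article and is not RSA, NIST or BSAFE code: a toy generator in which a party who knows `D` with P = D·Q predicts the next block from one output, and every dropped output bit doubles the candidates that party has to test. The small curve, the point `Q`, the scalar `D`, the 31-bit width and all function names are assumptions constructed for illustration.

```python
"""Toy model of the Dual_EC_DRBG trapdoor. All parameters are constructed for
illustration; they are not the NIST P-256 constants or any vendor's code."""
P_MOD = 2**31 - 1          # small prime field, P_MOD % 4 == 3 (easy square roots)
A, B = 3, 11               # assumed toy curve: y^2 = x^3 + 3x + 11 (mod P_MOD)
Q = (2, 5)                 # public point; on the curve since 25 == 8 + 6 + 11
BITS = 31                  # width of an x-coordinate on this toy curve

def add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

class ToyDualEC:
    """state <- x(state*P); output <- x(state*Q) with the top drop_bits removed."""
    def __init__(self, seed, p_point, q_point, drop_bits=0):
        self.s, self.P, self.Q = seed, p_point, q_point
        self.mask = (1 << (BITS - drop_bits)) - 1

    def next_block(self):
        self.s = mul(self.s, self.P)[0]
        return mul(self.s, self.Q)[0] & self.mask

def predict_next(block, d, drop_bits=0):
    """Every next block consistent with one observed block, for a party that
    knows d with P = d*Q. Returns at most 2**drop_bits candidates."""
    keep, found = BITS - drop_bits, set()
    for hi in range(1 << drop_bits):          # guess the dropped top bits
        x = (hi << keep) | block
        rhs = (x**3 + A * x + B) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
        if x >= P_MOD or y * y % P_MOD != rhs:
            continue                          # not an x-coordinate on the curve
        s_next = mul(d, (x, y))               # d*(s*Q) = s*P, up to sign
        out = mul(s_next[0], Q) if s_next else None
        if out:
            found.add(out[0] & ((1 << keep) - 1))
    return found

D = 0xC0FFEE               # constructed trapdoor scalar, known to the designer only
P = mul(D, Q)              # related pair: P = D*Q
```

With no bits dropped the prediction is a single value; with `drop_bits=8` the holder of `D` is left with a candidate set that a second observed block is needed to narrow down.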