RSA Security LLC, [ 5 ] once RSA Security, Inc. and doing business as RSA, is an american calculator and network security company with a focus on encoding and encoding standards. RSA was named after the initials of its co-founders, Ron Rivest, Adi Shamir and Leonard Adleman, after whom the RSA public key cryptanalysis algorithm was besides named. [ 6 ] Among its products is the SecurID authentication token. The BSAFE cryptography libraries were besides initially owned by RSA. RSA is known for incorporating backdoors developed by the NSA in its products. [ 7 ] [ 8 ] It besides organizes the annual RSA Conference, an information security league. Founded as an mugwump company in 1982, RSA Security was acquired by EMC Corporation in 2006 for US $ 2.1 billion and operated as a division within EMC. [ 9 ] When EMC was acquired by Dell Technologies in 2016, [ 10 ] RSA became part of the Dell Technologies family of brands. On 10 March 2020, Dell Technologies announced that they will be selling RSA Security to a consortium, led by Symphony Technology Group ( STG ), Ontario Teachers ’ Pension Plan Board ( Ontario Teachers ’ ) and AlpInvest Partners ( AlpInvest ) for US $ 2.1 billion, the same price when it was bought by EMC back in 2006. [ 11 ]
Reading: RSA Security – Wikipedia
RSA is based in Bedford, Massachusetts, with regional headquarters in Bracknell ( UK ) and Singapore, and numerous international offices. [ 12 ]
history [edit ]
RSA headquarters in Bedford, Massachusetts Ron Rivest, Adi Shamir and Leonard Adleman, who developed the RSA encoding algorithm in 1977, founded RSA Data Security in 1982. [ 1 ] [ 2 ]
controversy [edit ]
SecurID security breach [edit ]
On March 17, 2011, RSA disclosed an attack on its two-factor authentication products. The attack was like to the Sykipot attacks, the July 2011 SK Communications hack, and the NightDragon series of attacks. [ 24 ] RSA called it an boost haunting threat. [ 25 ] Today, SecurID is more normally used as a software token rather than older physical tokens .
relationship with NSA [edit ]
RSA Security campaigned against the Clipper Chip back door in the alleged Crypto Wars, including the function of this iconic post horse in the debate. RSA ‘s relationship with the NSA has changed over the years. Reuters ‘ Joseph Menn [ 26 ] and cybersecurity analyst Jeffrey Carr [ 27 ] have noted that the two once had an adversarial kinship. In its early years, RSA and its leaders were outstanding advocates of potent cryptanalysis for public manipulation, while the NSA and the Bush and Clinton administrations sought to prevent its proliferation .
For about 10 years, I ‘ve been going toe to toe with these people at Fort Meade. The success of this caller [ RSA ] is the worst thing that can happen to them. To them, we ‘re the substantial enemy, we ‘re the very target. We have the arrangement that they ‘re most afraid of. If the U.S. adopted RSA as a standard, you would have a truly international, interoperable, unbreakable, easy-to-use encoding engineering. And all those things together are thus synergistically threatening to the N.S.A. ‘s interests that it ‘s driving them into a craze .RSA president James Bidzos, June 1994
In the mid-1990s, RSA and Bidzos led a “ ferocious ” public campaign against the Clipper Chip, an encoding chip with a back door that would allow the U.S. government to decrypt communications. The Clinton administration pressed telecommunications companies to use the chip in their devices, and relaxed export restrictions on products that used it. ( such restrictions had prevented RSA Security from selling its software abroad. ) RSA joined civil libertarians and others in opposing the Clipper Chip by, among other things, distributing posters with a foundering sailing transport and the words “ Sink Clipper ! ” [ 29 ] RSA Security besides created the DES Challenges to show that the wide used DES encoding was breakable by well-funded entities like the NSA. The relationship shifted from adversarial to cooperative after Bidzos stepped down deoxyadenosine monophosphate chief executive officer in 1999, according to Victor Chan, who led RSA ‘s department mastermind until 2005 : “ When I joined there were 10 people in the lab, and we were fighting the NSA. It became a very different company former on. ” [ 29 ] For case, RSA was reported to have accepted $ 10 million from the NSA in 2004 in a deal to use the NSA-designed Dual EC DRBG random act generator in their BSAFE library, despite many indications that Dual_EC_DRBG was both of poor quality and possibly backdoored. [ 30 ] [ 31 ] RSA Security belated released a statement about the Dual_EC_DRBG kleptographic back door :
We made the decision to use Dual EC DRBG as the default option in BSAFE toolkits in 2004, in the context of an industry-wide campaign to develop newer, stronger methods of encoding. At that time, the NSA had a hope function in the community-wide campaign to strengthen, not weaken, encoding. This algorithm is lone one of multiple choices available within BSAFE toolkits, and users have always been release to choose whichever one best suits their needs. We continued using the algorithm as an choice within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS submission. When business surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion. When NIST issued raw guidance recommending no foster consumption of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the switch openly in the media .RSA, The Security Division of EMC
In March 2014, it was reported by Reuters that RSA had besides adapted the stretch random standard championed by NSA. Later cryptanalysis showed that carry random did not add any security, and was rejected by the outstanding standards group Internet Engineering Task Force. Extended random did however make NSA ‘s back door for Dual_EC_DRBG tens of thousands of times faster to use for attackers with the samara to the Dual_EC_DRBG back door ( presumably only NSA ), because the extensive nonces in cover random made part of the home country of Dual_EC_DRBG easier to guess. only RSA Security ‘s Java translation was heavily to crack without extend random, since the hoard of Dual_EC_DRBG end product in e.g. RSA Security ‘s C scheduling speech version already made the internal state fast enough to determine. And indeed, RSA Security only implemented extend random in its Java execution of Dual_EC_DRBG. [ 33 ] [ 34 ]
NSA Dual_EC_DRBG back door [edit ]
From 2004 to 2013, RSA shipped security system software— BSAFE toolkit and Data Protection Manager—that included a default option cryptographically secure pseudorandom number generator, Dual EC DRBG, that was late suspected to contain a secret National Security Agency kleptographic back door. The back door could have made data encrypted with these tools a lot easier to break for the NSA, which would have had the secret individual cardinal to the back door. scientifically speaking, the back door employs kleptography, and is, basically, an exemplify of the Diffie Hellman kleptographic attack published in 1997 by Adam Young and Moti Yung. [ 35 ]
RSA Security employees should have been mindful, at least, that Dual_EC_DRBG might contain a back door. Three employees were members of the ANSI X9F1 Tool Standards and Guidelines Group, to which Dual_EC_DRBG had been submitted for circumstance in the early 2000s. [ 36 ] The possibility that the random count generator could contain a back door was “ first raised in an ANSI X9 meet ”, according to John Kelsey, a co-author of the NIST SP 800-90A standard that contains Dual_EC_DRBG. [ 37 ] In January 2005, two employees of the cryptanalysis party Certicom —who were besides members of the X9F1 group—wrote a patent application that described a back door for Dual_EC_DRBG identical to the NSA one. [ 38 ] The patent application besides described three ways to neutralize the back door. Two of these—ensuring that two arbitrary elliptic crook points P and Q used in Dual_EC_DRBG are independently chosen, and a smaller output length—were added to the standard as an choice, though NSA ‘s backdoored version of P and Q and large output signal duration remained as the standard ‘s default option choice. Kelsey said he knew of no implementers who actually generated their own non-backdoored P and Q, [ 37 ] and there have been no reports of implementations using the smaller wall socket. however, NIST included Dual_EC_DRBG in its 2006 NIST SP 800-90A standard with the default settings enabling the back door, largely at the behest of NSA officials, [ 31 ] who had cited RSA Security ‘s early habit of the random number generator as an argumentation for its inclusion body. [ 29 ] The standard did besides not fix the unrelated ( to the back door ) trouble that the CSPRNG was predictable, which Gjøsteen had pointed out earlier in 2006, and which led Gjøsteen to call Dual_EC_DRBG not cryptographically legal. [ 39 ] ANSI standard group members and Microsoft employees Dan Shumow and Niels Ferguson made a public presentation about the back door in 2007. [ 40 ] Commenting on Shumow and Ferguson ‘s presentation, outstanding security research worker and cryptanalyst Bruce Schneier called the possible NSA back door “ rather obvious ”, and wondered why NSA bothered pushing to have Dual_EC_DRBG included, when the general inadequate quality and possible back door would ensure that cipher would ever use it. [ 31 ] There does not seem to have been a cosmopolitan awareness that RSA Security had made it the default in some of its products in 2004, until the Snowden leak. [ 31 ] In September 2013, the New York Times, drawing on the Snowden leaks, revealed that the NSA worked to “ Insert vulnerabilities into commercial encoding systems, IT systems, networks, and end point communications devices used by targets ” as part of the Bullrun program. One of these vulnerabilities, the Times reported, was the Dual_EC_DRBG back door. [ 41 ] With the renewed focus on Dual_EC_DRBG, it was noted that RSA Security ‘s BSAFE used Dual_EC_DRBG by nonpayment, which had not previously been widely known. After the New York Times published its article, RSA Security recommended that users switch away from Dual_EC_DRBG, but denied that they had intentionally inserted a back door. [ 30 ] [ 42 ] RSA Security officials have largely declined to explain why they did not remove the doubtful random act generator once the flaws became known, [ 30 ] [ 42 ] or why they did not implement the simple extenuation that NIST added to the standard to neutralize the suggested and later verify back door. [ 30 ] On 20 December 2013, Reuters ‘ Joseph Menn reported that NSA secretly paid RSA Security $ 10 million in 2004 to set Dual_EC_DRBG as the default option CSPRNG in BSAFE. The story quoted former RSA Security employees as saying that “ no alarms were raised because the deal was handled by clientele leaders rather than pure technologists ”. [ 29 ] Interviewed by CNET, Schneier called the $ 10 million bargain a bribe. [ 43 ] RSA officials responded that they have not “ entered into any contract or engaged in any stick out with the intention of weakening RSA ’ sulfur products. ” [ 44 ] Menn stand by his report, [ 45 ] and media analysis noted that RSA ‘s answer was a non-denial denial, which denied only that company officials knew about the back door when they agreed to the cope, an assertion Menn ‘s floor did not make. [ 46 ] In the wake of the reports, several industry experts cancelled their aforethought talks at RSA ‘s 2014 RSA Conference. [ 47 ] Among them was Mikko Hyppönen, a finnish research worker with F-Secure, who cited RSA ‘s denial of the alleged $ 10 million payment by the NSA as fishy. [ 48 ] Hyppönen announced his purpose to give his spill, “ Governments as Malware Authors ”, at a conference cursorily set up in reaction to the reports : TrustyCon, to be held on the like day and one engine block away from the RSA Conference. [ 49 ] At the 2014 RSA Conference, early [ 50 ] RSA Security Executive Chairman Art Coviello defended RSA Security ‘s choice to keep using Dual_EC_DRBG by saying “ it became possible that concerns raised in 2007 might have merit ” only after NIST acknowledged the problems in 2013. [ 51 ]
Products [edit ]
RSA is most known for its SecurID product, which provides two-factor authentication to hundreds of technologies utilizing hardware tokens that rotate keys on clock intervals, software tokens, and one clock codes. In 2016, RSA re-branded the SecurID platform as RSA SecurID Access. [ 52 ] This unblock added Single-Sign-On capabilities and cloud authentication for resources using SAML 2.0 and other types of federation. The RSA SecurID Suite besides contains the RSA Identity Governance and Lifecycle software ( formally Aveksa ). The software provides visibility of who has access to what within an administration and manages that access with respective capabilities such as access inspection, request andprovisioning. [ 53 ] RSA visualize is a security information and event management ( SIEM ) platform, with centralize log-management service that claims to “ enable organisations to simplify complaisance procedure vitamin a well as optimize security-incident management as they occur. ” [ 54 ] On April 4, 2011, EMC purchased NetWitness and added it to the RSA group of products. NetWitness was a mailboat capture tool aimed at gaining full moon network visibility to detect security incidents. [ 55 ] This instrument was re-branded RSA Security Analytics and was a combination of RSA envision and NetWitness as a SIEM tool that did log and packet capture.
The RSA Archer GRC platform is software that supports business-level management of administration, risk management, and conformity ( GRC ). [ 56 ] The product was in the first place developed by Archer Technologies, which EMC acquired in 2010. [ 57 ]