
RSA Security: Difference between revisions

From Wikipedia, the free encyclopedia
Relationship with NSA: deleted due to unsubstantiated and libelous claims
NSA Dual_EC_DRBG backdoor: deleted due to unsubstantiated and libelous claims
Tag: section blanking


===NSA Dual_EC_DRBG backdoor===
From 2004 to 2013, RSA shipped security software — [[BSAFE toolkit]] and [[Data Protection Manager (RSA security)|Data Protection Manager]] &mdash; that included a secret [[National Security Agency]] [[Backdoor (computing)|backdoor]] in the random number generator [[Dual elliptic curve deterministic random bit generator|Dual_EC_DRBG]], which made data encrypted with these tools much easier to break for NSA, which had the secret [[Public-key cryptography|private key]] to the back door. RSA Security was the most important distributor of the backdoored algorithm,<ref name="NSApaid" /> through other companies' use of their BSAFE cryptography library.

RSA Security employees had long been aware, at least, that Dual_EC_DRBG might contain a backdoor. Three employees were members of the ANSI X9F1 Tool Standards and Guidelines Group, to which Dual_EC_DRBG had been submitted for consideration in the early 1990s.<ref name="green_other">http://blog.cryptographyengineering.com/2013/12/a-few-more-notes-on-nsa-random-number.html</ref> The possibility that the random number generator could contain a backdoor was "first raised in an ANSI X9 meeting", according to John Kelsey, a co-author of the [[NIST SP 800-90A]] standard that contains Dual_EC_DRBG.<ref name="kelsey" />

In the mid-2000s, various researchers confirmed that Dual_EC_DRBG was a poor random number generator, and that the weaknesses could work as a carefully designed backdoor.<ref>http://eprint.iacr.org/2006/190</ref> In January 2005, two employees of the cryptography company [[Certicom]] &mdash; they were also members of the X9F1 group &mdash; wrote a patent application that described a backdoor for Dual_EC_DRBG identical to the NSA one.<ref name="patent">https://www.google.com/patents/CA2594670A1</ref> The patent application also described two ways to neutralize the backdoor. One of these &mdash; ensuring that two arbitrary elliptic curve points P and Q used in Dual_EC_DRBG are independently chosen &mdash; was added to the standard as an option, though NSA's backdoored version of P and Q remained as the standard's default option. (Kelsey knows of no implementers who actually generated their own non-backdoored P and Q.<ref name="kelsey">http://cryptome.org/2013/12/800-90-dual-ec-drbg.pdf</ref>)
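To make concrete why independently chosen P and Q neutralize the backdoor, here is an added toy model (not from the article and not RSA's code) on a 19-point textbook curve: whoever holds the secret relation Q = d·P can turn a single generator output into the next internal state and predict every later output, while the same trapdoor is useless against a Q whose relation to P is unknown. The curve, the seed, the secret d = 3 and the stand-in "independent" point 5·P are all constructed for the demonstration.

```python
# Toy Dual_EC_DRBG on the textbook curve y^2 = x^3 + 2x + 2 over F_17, base point P = (5, 1) of
# prime order 19 (constructed for illustration; the real DRBG also truncates its 256-bit outputs,
# so real state recovery needs a small brute-force step that this toy omits).
P_MOD, A, B, P, N = 17, 2, 2, (5, 1), 19

def ec_add(p1, p2):  # affine addition on the toy curve; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def dual_ec_outputs(seed, Q, count):
    """s_i = x(s_{i-1}*P) + 1, r_i = x(s_i*Q); the +1 keeps s in [1, 18] so s*P is never infinity."""
    s, outs, states = seed, [], []
    for _ in range(count):
        s = ec_mul(s, P)[0] + 1
        states.append(s)
        outs.append(ec_mul(s, Q)[0])
    return outs, states

def recover_next_state(output, e):
    """Whoever knows e = d^-1 mod N turns r_i = x(s_i*d*P) back into s_{i+1} = x(s_i*P) + 1."""
    rhs = (output ** 3 + A * output + B) % P_MOD      # lift r_i to a curve point (either sign works)
    R = (output, next(y for y in range(P_MOD) if y * y % P_MOD == rhs))
    return ec_mul(e, R)[0] + 1

def predict_outputs(first_output, Q, e, count):
    """Predict the `count` outputs that follow one observed output, never having seen the seed."""
    s = recover_next_state(first_output, e)
    return [ec_mul(s, Q)[0]] + dual_ec_outputs(s, Q, count - 1)[0]

D_SECRET, E_TRAPDOOR = 3, pow(3, -1, N)   # Q = d*P; e = d^-1 mod N = 13 is the trapdoor
Q_BACKDOORED = ec_mul(D_SECRET, P)        # (10, 6): plays the role of the standard's default Q
Q_INDEPENDENT = ec_mul(5, P)              # stands in for a Q whose relation to P nobody knows
```

With Q_BACKDOORED, predict_outputs reproduces the generator's output stream from one observed value; with Q_INDEPENDENT the recovered state is wrong at every step, which is exactly what the patent's mitigation buys.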

Nevertheless, NIST included Dual_EC_DRBG in its 2006 [[NIST SP 800-90A]] standard, largely at the behest of NSA officials,<ref name="schneier" /> who had cited RSA Security's early use of the random number generator as an argument for its inclusion.<ref name="NSApaid" />

The ANSI standard group's suspicion had apparently not been widely publicized, because the potential backdoor was rediscovered in 2007 by Dan Shumow and Niels Ferguson when they implemented Dual_EC_DRBG in Windows.<ref>http://rump2007.cr.yp.to/15-shumow.pdf</ref> Shumow and Ferguson's work drew enough attention to the problem that security researcher [[Bruce Schneier]] declared that henceforth, no one could be tricked into using Dual_EC_DRBG.<ref>https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html</ref> (There does not seem to have been a general awareness that RSA Security had made it the default in some of its products until the Snowden leak.<ref name="schneier">{{cite web|url=https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html|title=The Strange Story of Dual_EC_DRBG|author=Bruce Schneier}}</ref>)

Given the strong and widely circulated technical arguments not to use Dual_EC_DRBG, Johns Hopkins University professor Matthew Green speculated in September 2013 that RSA Security (or an RSA Security employee) was pressured by the U.S. government to use it.<ref name="green" />

{{quote|text=So why would RSA pick Dual_EC as the default? You got me. Not only is Dual_EC hilariously slow — which has real performance implications — it was shown to be a just plain bad random number generator all the way back in 2006. By 2007, when Shumow and Ferguson raised the possibility of a backdoor in the specification, no sensible cryptographer would go near the thing. And the killer is that RSA employs a number of highly distinguished cryptographers! It's unlikely that they'd all miss the news about Dual_EC.|sign=Matthew Green, cryptographer and research professor at Johns Hopkins University|source=<ref name="green" />}}

In September 2013, the New York Times, drawing on the [[2013 mass surveillance disclosures|Snowden leaks]], revealed that the NSA worked to "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets" as part of the [[Bullrun (code name)|Bullrun]] program. One of these vulnerabilities, the Times reported, was the Dual_EC_DRBG backdoor.<ref name="nyt9-13">{{cite web|url=http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html|publisher=New York Times|title=Secret Documents Reveal N.S.A. Campaign Against Encryption}}</ref>

After the Times published its article, RSA Security recommended that users switch away from Dual_EC_DRBG, but denied that they had deliberately inserted a backdoor.<ref name="green">{{cite web|url=http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html|title=RSA warns developers not to use RSA products|author=Matthew Green}}</ref><ref name="ars">{{cite web|url=http://arstechnica.com/security/2013/09/we-dont-enable-backdoors-in-our-crypto-products-rsa-tells-customers/|title=We don’t enable backdoors in our crypto products, RSA tells customers|publisher=Ars Technica}}</ref> RSA Security officials have largely declined to explain why they did not remove the dubious random number generator once the flaws became known (saying, for example, that "Dual_EC_DRBG was an accepted and publicly scrutinized standard")<ref name="ars" /> or why they did not implement the simple mitigation that NIST added to the standard to neutralize the suggested and later verified back door.<ref name="green" />

On {{date|2013-12-20}}, [[Reuters]]' Joseph Menn reported that NSA secretly paid RSA Security $10 million to set Dual_EC_DRBG as default in 2004. The story quoted former RSA Security employees as saying that "no alarms were raised because the deal was handled by business leaders rather than pure technologists".<ref name="NSApaid">{{cite news | url=http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220 | title=Exclusive: Secret contract tied NSA and security industry pioneer | date=December 20, 2013 | agency=Reuters | accessdate=December 20, 2013 | author=Menn, Joseph | location=San Francisco}}</ref> Interviewed by CNET, Schneier called the $10 million deal a bribe.<ref>{{cite web|url=http://news.cnet.com/8301-1009_3-57616205-83/security-firm-rsa-took-millions-from-nsa-report/|title=Security firm RSA took millions from NSA: report|publisher=CNET}}</ref>

RSA officials responded that they have not "entered into any contract or engaged in any project with the intention of weakening RSA’s products."<ref>{{cite web|url=https://blogs.rsa.com/news-media-2/rsa-response/|title=RSA Response to Media Claims Regarding NSA Relationship|publisher=RSA Security}}</ref> Menn stood by his story,<ref>http://www.theregister.co.uk/2013/12/23/rsa_nsa_response/</ref> and media analysis noted that RSA's carefully worded reply denied only that company officials knew about the backdoor when they agreed to the deal, an assertion Menn's story did not make.<ref>{{cite web|url=http://www.techdirt.com/articles/20131222/23532125671/rsas-denial-concerning-10-million-nsa-to-promote-broken-crypto-not-really-denial-all.shtml|title=RSA's 'Denial' Concerning $10 Million From The NSA To Promote Broken Crypto Not Really A Denial At All|publisher=techdirt}}</ref>

Finnish [[F-Secure]] researcher [[Mikko Hyppönen]] cancelled his planned speech at the 2014 [[RSA Conference]] because of this backdoor,<ref>{{cite web|url=http://www.f-secure.com/weblog/archives/00002651.html|title=An Open Letter to the Chiefs of EMC and RSA}}</ref> and so have several others.<ref>{{cite web|url=http://news.cnet.com/8301-1009_3-57616842-83/rsa-conference-speakers-begin-to-bail-thanks-to-nsa/|title=C-net news}}</ref>
==Products==
{{Expand section|date=December 2012}}

Revision as of 18:24, 21 January 2014

RSA Security LLC
RSA
Company type: Division of EMC Corporation
Nasdaq: RSAS
Industry: Encryption and Network Security
Founded: 1982[1][2]
Founder: [1]
Fate: Acquired by EMC Corporation
Headquarters: Bedford, Massachusetts, United States
Key people:
  • Thomas P. Heiser (President)
  • Arthur W. Coviello, Jr. (Executive Chairman)
Products: Encryption and network security software
Revenue: Not separately disclosed by EMC
Number of employees: 1,319 (as of 2007)
Parent: EMC Corporation
Website: www.rsa.com

RSA Security LLC,[3] formerly RSA Security, Inc. and doing business as RSA, is an American computer and network security company. RSA was named after the initials of its co-founders, Ron Rivest, Adi Shamir, and Len Adleman, after whom the RSA public key cryptography algorithm was also named.[4] Its products include the RSA BSAFE cryptography libraries and the SecurID authentication token. It also organizes the annual RSA Conference, an information security conference.

Founded as an independent company in 1982, RSA Security, Inc. was acquired by EMC Corporation in 2006 for US$2.1 billion and operates as a division within EMC.[5]

RSA is based in Bedford, Massachusetts, maintaining offices in Australia, Ireland, Israel, the United Kingdom, Singapore, India, China, Hong Kong and Japan.

History

Ron Rivest, Adi Shamir and Leonard Adleman, who developed the RSA encryption algorithm in 1977, founded RSA Data Security in 1982.[1][2]

  • In 1995, RSA sent a handful of people across the hall to found Digital Certificates International, better known as VeriSign.
  • The company then called Security Dynamics acquired RSA Data Security in July 1996 and DynaSoft AB in 1997.
  • In January 1997, it proposed the first of the DES Challenges which led to the first public breaking of a message based on the Data Encryption Standard.
  • In February 2001, it acquired Xcert International, Inc., a privately held company that developed and delivered digital certificate-based products for securing e-business transactions.
  • In May 2001, it acquired 3-G International, Inc., a privately held company that developed and delivered smart card and biometric authentication products.
  • In August 2001, it acquired Securant Technologies, Inc., a privately held company that produced ClearTrust, an identity management product.
  • In December 2005, it acquired Cyota, a privately held Israeli company specializing in online security and anti-fraud solutions for financial institutions.
  • In April 2006, it acquired PassMark Security.
  • On September 14, 2006, RSA stockholders approved the acquisition of the company by EMC Corporation for $2.1 billion.[5][6][7]
  • In 2007, RSA acquired Valyd Software, a Hyderabad-based Indian company specializing in file and data security.
  • In 2009 RSA launched the RSA Share Project.[8] As part of this project, some of the RSA BSAFE libraries were made available for free. To promote the launch, RSA ran a programming competition with a US$10,000 first prize.[9]
  • In 2011, RSA introduced a new CyberCrime Intelligence Service designed to help organizations identify computers, information assets and identities compromised by trojans and other online attacks.[10]

SecurID security breach

RSA SecurID security tokens.

On March 17, 2011, about a month after announcing its CyberCrime Intelligence Service, RSA disclosed an attack on its two-factor authentication products. The attack was similar to the Sykipot attacks, the July 2011 SK Communications hack, and the NightDragon series of attacks.[11] RSA called it an Advanced Persistent Threat.[12]


Products

RSA enVision is a security information and event management (SIEM) platform, with centralised log-management service that claims to "enable organisations to simplify compliance process as well as optimise security-incident management as they occur."[13]

See also

References

  1. ^ a b c "Distributed Team Cracks Hidden Message in RSA's 56-Bit RC5 Secret-Key Challenge". October 22, 1997. Retrieved February 22, 2009.
  2. ^ a b Kaliski, Burt (October 22, 1997). "Growing Up with Alice and Bob: Three Decades with the RSA Cryptosystem". Retrieved February 22, 2009.
  3. ^ "RSA Security LLC Company Profile". Retrieved May 15, 2013.
  4. ^ "RSA History". Retrieved June 8, 2011.
  5. ^ a b "EMC Announces Definitive Agreement to Acquire RSA Security, Further Advancing Information-Centric Security". Rsasecurity.com. June 29, 2006. Retrieved May 12, 2012.
  6. ^ "EMC Newsroom: EMC News and Press Releases". Emc.com. Retrieved May 12, 2012.
  7. ^ "EMC Completes RSA Security Acquisition, Announces Acquisition of Network Intelligence". Rsasecurity.com. September 18, 2006. Retrieved May 12, 2012.
  8. ^ "RSA Share Project". Retrieved January 4, 2013.
  9. ^ "Announcing the RSA Share Project Programming Contest". March 24, 2009. Retrieved January 4, 2013.
  10. ^ "RSA CyberCrime Intelligence Service". rsa.com. Retrieved December 19, 2013.
  11. ^ "Command and Control in the Fifth Domain" (PDF). Command Five Pty Ltd. February 2012. Retrieved February 10, 2012.
  12. ^ "RSA hit by advanced persistent threat attacks". Computer Weekly. March 18, 2011. Retrieved May 4, 2011.
  13. ^ "RSA Envision". EMC. Retrieved December 19, 2012.