RSA Security
RSA Security LLC
Founded as an independent company in 1982, RSA Security was acquired by
RSA is based in Chelmsford, Massachusetts, with regional headquarters in Bracknell (UK) and Singapore, and numerous international offices.[12]
History
- In 1994, RSA was against the Crypto War.[14]
- In 1995, RSA sent a handful of people across the hall to found Digital Certificates International, better known as VeriSign.[citation needed]
- The company then called Security Dynamics acquired RSA Data Security in July 1996 and DynaSoft AB in 1997.
- In January 1997, it proposed the first of the DES Challenges which led to the first public breaking of a message based on the Data Encryption Standard.
- In February 2001, it acquired Xcert International, Inc., a privately held company that developed and delivered digital certificate-based products for securing e-business transactions.[citation needed]
- In June 2001, it acquired 3-G International, Inc., a privately held company that developed and delivered smart card and biometric authentication products.[15]
- In August 2001, it acquired Securant Technologies, Inc., a privately held company that produced ClearTrust, an identity management product.[citation needed]
- In December 2005, it acquired Cyota, a privately held Israeli company specializing in online security and anti-fraud solutions for financial institutions.[16]
- In April 2006, it acquired PassMark Security.[citation needed]
- On September 14, 2006, RSA stockholders approved the acquisition of the company by
- In 2007, RSA acquired Valyd Software, a Hyderabad-based Indian company specializing in file and data security.[citation needed]
- In 2009, RSA launched the RSA Share Project.[19] As part of this project, some of the RSA BSAFE libraries were made available for free. To promote the launch, RSA ran a programming competition with a US$10,000 first prize.[20]
- In March 2011, RSA suffered a security breach and its most valuable secrets were leaked, compromising the security of all existing RSA SecurID tokens.[21][22]
- In 2011, RSA introduced a new CyberCrime Intelligence Service designed to help organizations identify computers, information assets and identities compromised by trojans and other online attacks.[23]
- In July 2013, RSA acquired Aveksa, the leader in the identity and access governance sector.[24]
- On September 7, 2016, RSA was acquired by and became a subsidiary of
- On February 18, 2020, Dell Technologies announced their intention to sell RSA for $2.075 billion to Symphony Technology Group.[citation needed]
- In anticipation of the sale of RSA to Symphony Technology Group, Dell Technologies made the strategic decision to retain the BSAFE product line. To that end, RSA transferred BSAFE products (including the Data Protection Manager product) and customer agreements, including maintenance and support, to Dell Technologies on July 1, 2020.[25]
- On September 1, 2020, Symphony Technology Group (STG) completed its acquisition of RSA from Dell Technologies.[26] RSA became an independent company, one of the world’s largest cybersecurity and risk management organizations.[27][28][29]
Controversy
SecurID security breach
On March 17, 2011, RSA disclosed an attack on its
Relationship with NSA
RSA's relationship with the
For almost 10 years, I've been going toe to toe with these people at Fort Meade. The success of this company [RSA] is the worst thing that can happen to them. To them, we're the real enemy, we're the real target. We have the system that they're most afraid of. If the U.S. adopted RSA as a standard, you would have a truly international, interoperable, unbreakable, easy-to-use encryption technology. And all those things together are so synergistically threatening to the N.S.A.'s interests that it's driving them into a frenzy.
— RSA president James Bidzos, June 1994[34]
In the mid-1990s, RSA and Bidzos led a "fierce" public campaign against the
The relationship shifted from adversarial to cooperative after Bidzos stepped down as CEO in 1999, according to Victor Chan, who led RSA's department of engineering until 2005: "When I joined there were 10 people in the labs, and we were fighting the NSA. It became a very different company later on."
We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption. This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs. We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion. When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media.
— RSA, The Security Division of EMC[38]
In March 2014, it was reported by
NSA Dual_EC_DRBG backdoor
From 2004 to 2013, RSA shipped security software—
RSA Security employees should have been aware, at least, that Dual_EC_DRBG might contain a backdoor. Three employees were members of the ANSI X9F1 Tool Standards and Guidelines Group, to which Dual_EC_DRBG had been submitted for consideration in the early 2000s.
Nevertheless, NIST included Dual_EC_DRBG in its 2006 NIST SP 800-90A standard with the default settings enabling the backdoor, largely at the behest of NSA officials,[37] who had cited RSA Security's early use of the random number generator as an argument for its inclusion.[35] The standard also did not fix a separate problem, unrelated to the backdoor: the CSPRNG's output was predictable, which Gjøsteen had pointed out earlier in 2006 and which led him to call Dual_EC_DRBG not cryptographically sound.[45]
ANSI standard group members and Microsoft employees Dan Shumow and Niels Ferguson made a public presentation about the backdoor in 2007.[46] Commenting on Shumow and Ferguson's presentation, prominent security researcher and cryptographer Bruce Schneier called the possible NSA backdoor "rather obvious", and wondered why NSA bothered pushing to have Dual_EC_DRBG included, when the general poor quality and possible backdoor would ensure that nobody would ever use it.[37] There does not seem to have been a general awareness that RSA Security had made it the default in some of its products in 2004, until the Snowden leak.[37]
In September 2013, the New York Times, drawing on the
After the New York Times published its article, RSA Security recommended that users switch away from Dual_EC_DRBG, but denied that they had deliberately inserted a backdoor.[36][48] RSA Security officials have largely declined to explain why they did not remove the dubious random number generator once the flaws became known,[36][48] or why they did not implement the simple mitigation that NIST added to the standard to neutralize the suggested and later verified backdoor.[36]
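To make concrete what the "simple mitigation" in the paragraph above neutralizes, the following is an added Python example (not code from this article, from RSA or from NIST) of the Dual_EC_DRBG output step on NIST P-256, the curve the generator was most often run on: the state advances as s ← x(sG) and each output is derived from x(sQ), where G and Q are two fixed points. Two simplifications are labelled in the code: the full x-coordinate is emitted instead of the standard's low 240 bits, so no guessing of dropped bits is needed, and the trapdoor d with Q = dG is a constructed value chosen for the demonstration, since nobody outside the designers knows whether such a d exists for the published Q. The example then shows the mitigation the standard's appendix on alternative points permits: deriving Q from a public hash so that no one holds log_G Q, after which the same recovery step yields nothing. The seed, the trapdoor d and the hash label are all constructed values.

```python
import hashlib

# NIST P-256 domain parameters, the curve Dual_EC_DRBG was most often run on.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)
    lam %= P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def lift_x(x):
    """Point with the given x-coordinate, or None if none exists.
    P-256 has p = 3 (mod 4), so a square root is pow(v, (p+1)//4, p)."""
    y2 = (pow(x, 3, P) + A * x + B) % P
    y = pow(y2, (P + 1) // 4, P)
    return (x, y) if (y * y) % P == y2 else None


def dual_ec_outputs(seed, q, count):
    """Simplified Dual_EC_DRBG core: s_i = x(s_{i-1} G), r_i = x(s_i Q).
    SP 800-90A emits only the low 240 bits of r_i; the full x-coordinate is
    emitted here so the demonstration needs no 2^16 guess over dropped bits."""
    s, outputs = seed, []
    for _ in range(count):
        s = ec_mul(s, G)[0]
        outputs.append(ec_mul(s, q)[0])
    return outputs


def predict_next(r, e, q):
    """Holder of the trapdoor: from one output r = x(sQ) and e = d^-1 mod N,
    where Q = dG, recover the next state x(e * sQ) = x(sG) and the next output.
    Either square root of r works, since -R has the same x after scaling."""
    R = lift_x(r)
    s_next = ec_mul(e, R)[0]
    return ec_mul(s_next, q)[0]


def hash_to_point(label):
    """The mitigation: derive Q from a public label by try-and-increment,
    so that nobody knows log_G Q and the recovery step above has no e."""
    counter = 0
    while True:
        digest = hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        pt = lift_x(int.from_bytes(digest, "big") % P)
        if pt is not None:
            return pt
        counter += 1


def demo(seed=0x0BAD5EED, d=0xC0FFEE):
    """Returns (backdoor_predicts, mitigation_blocks). seed and d are
    constructed values for this demonstration, not any real parameter."""
    assert on_curve(G), "curve constants mistyped"
    e = pow(d, -1, N)
    q_trapdoored = ec_mul(d, G)
    r = dual_ec_outputs(seed, q_trapdoored, 2)
    backdoor_predicts = predict_next(r[0], e, q_trapdoored) == r[1]
    q_safe = hash_to_point(b"nothing up my sleeve")  # constructed label
    r = dual_ec_outputs(seed, q_safe, 2)
    mitigation_blocks = predict_next(r[0], e, q_safe) != r[1]
    return backdoor_predicts, mitigation_blocks


if __name__ == "__main__":
    print(demo())  # (True, True)
```

Run stand-alone it prints (True, True): the first flag says that whoever knows d needs a single output to predict the next one; the second says that the same knowledge is useless once Q is verifiably random. The point the passage makes is that the fix cost nothing cryptographically, since it was only a choice of constants.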
On 20 December 2013, Reuters' Joseph Menn reported that NSA secretly paid RSA Security $10 million in 2004 to set Dual_EC_DRBG as the default CSPRNG in BSAFE. The story quoted former RSA Security employees as saying that "no alarms were raised because the deal was handled by business leaders rather than pure technologists".[35] Interviewed by CNET, Schneier called the $10 million deal a bribe.[49] RSA officials responded that they have not "entered into any contract or engaged in any project with the intention of weakening RSA’s products."[50] Menn stood by his story,[51] and media analysis noted that RSA's reply was a non-denial denial, which denied only that company officials knew about the backdoor when they agreed to the deal, an assertion Menn's story did not make.[52]
In the wake of the reports, several industry experts cancelled their planned talks at RSA's 2014 RSA Conference.[53] Among them was Mikko Hyppönen, a Finnish researcher with F-Secure, who cited RSA's denial of the alleged $10 million payment by the NSA as suspicious.[54] Hyppönen announced his intention to give his talk, "Governments as Malware Authors", at a conference quickly set up in reaction to the reports: TrustyCon, to be held on the same day and one block away from the RSA Conference.[55]
At the 2014
Products
RSA is best known for its SecurID product, which provides two-factor authentication to hundreds of technologies using hardware tokens that rotate keys on timed intervals, software tokens, and one-time codes. In 2016, RSA re-branded the SecurID platform as RSA SecurID Access.[58] This release added single sign-on capabilities and cloud authentication for resources using SAML 2.0 and other types of federation.
The RSA SecurID Suite also contains the RSA Identity Governance and Lifecycle software (formerly Aveksa). The software provides visibility of who has access to what within an organization and manages that access with capabilities such as access review, request and provisioning.[59]
RSA enVision is a security information and event management (
The RSA Archer GRC platform is software that supports business-level management of governance, risk management, and compliance (GRC).[62] The product was originally developed by Archer Technologies, which EMC acquired in 2010.[63]
References
- ^ a b c "Distributed Team Cracks Hidden Message in RSA's 56-Bit RC5 Secret-Key Challenge". October 22, 1997. Archived from the original on September 29, 2011. Retrieved February 22, 2009.
- ^ a b Kaliski, Burt (October 22, 1997). "Growing Up with Alice and Bob: Three Decades with the RSA Cryptosystem". Archived from the original on September 29, 2011. Retrieved April 29, 2017.
- ^ "Rohit Ghai Named President at RSA". Archived from the original on September 24, 2020. Retrieved January 9, 2017.
- ^ "Amit Yoran Named President at RSA". October 29, 2014. Retrieved December 29, 2014.
- ^ "RSA Security LLC Company Profile". Retrieved May 15, 2013.
- ^ "RSA History". Retrieved June 8, 2011.
- ^ "NSA infiltrated RSA security more deeply than thought - study". Reuters. March 31, 2014. Retrieved March 31, 2014.
- ^ "RSA endowed crypto product with second NSA-influenced code". Ars Technica. March 31, 2014. Retrieved March 31, 2014.
- ^ a b "EMC Announces Definitive Agreement to Acquire RSA Security, Further Advancing Information-Centric Security". Rsasecurity.com. June 29, 2006. Archived from the original on October 20, 2006. Retrieved May 12, 2012.
- ^ "Dell Technologies - Who We Are". Dell Technologies Inc. Retrieved September 9, 2016.
- ^ "RSA® Emerges as Independent Company Following Completion of Acquisition by Symphony Technology Group". RSA.com. Retrieved November 2, 2020.
- ^ "About RSA | Cybersecurity and Digital Risk Management".
- ^ Bennett, Ralph (July 1985). "Public-Key Patent". Byte. p. 16. Retrieved May 21, 2023.
- ^ Levy, Steven (June 12, 1994). "Battle of the Clipper Chip". The New York Times. Retrieved October 19, 2017.
- ^ Newspapers.com.
- ^ "Business & Innovation | The Jerusalem Post". www.jpost.com.
- ^ "EMC Newsroom: EMC News and Press Releases". Emc.com. Archived from the original on December 10, 2007. Retrieved May 12, 2012.
- ^ "EMC Completes RSA Security Acquisition, Announces Acquisition of Network Intelligence". Rsasecurity.com. September 18, 2006. Archived from the original on December 9, 2006. Retrieved May 12, 2012.
- ^ "RSA Share Project". Retrieved January 4, 2013.[permanent dead link]
- ^ "Announcing the RSA Share Project Programming Contest". March 24, 2009. Retrieved January 4, 2013.
- ^ Greenberg, Andy. "The Full Story of the Stunning RSA Hack Can Finally be Told". Wired.
- ^ "The file that hacked RSA: How we found it - F-Secure Weblog : News from the Lab".
- ^ "RSA CyberCrime Intelligence Service". rsa.com. Retrieved December 19, 2013.
- ^ "EMC Acquires Aveksa Inc., Leading Provider of Business-Driven Identity and Access Management Solutions". EMC Corporation. July 8, 2013. Archived from the original on October 27, 2017. Retrieved September 24, 2018.
- ^ "BSAFE support and billing update | Dell US". www.dell.com. Retrieved September 2, 2020.
- ^ "News & Press". RSA. April 24, 2023.
- ^ "Learn About Archer Integrated Risk Management Solutions". Archer. Retrieved July 20, 2023.
- ^ "Archer History Timeline". Genial.ly. Retrieved July 20, 2023.
- ^ "Archer History Timeline". July 20, 2023. Archived from the original on July 20, 2023. Retrieved July 20, 2023.
- ^ "Command and Control in the Fifth Domain" (PDF). Command Five Pty Ltd. February 2012. Archived from the original (PDF) on February 27, 2012. Retrieved February 10, 2012.
- ^ "RSA hit by advanced persistent threat attacks". Computer Weekly. March 18, 2011. Retrieved May 4, 2011.
- ^ Menn, Joseph (December 20, 2013). "Exclusive: Secret contract tied NSA and security industry pioneer". Reuters.
- ^ Carr, Jeffrey (January 6, 2014). "Digital Dao: NSA's $10M RSA Contract: Origins". Jeffreycarr.blogspot.dk. Retrieved May 11, 2014.
- ^ Levy, Steven (June 12, 1994). "Battle of the Clipper Chip". The New York Times. Retrieved March 8, 2014.
- ^ a b c d Menn, Joseph (December 20, 2013). "Exclusive: Secret contract tied NSA and security industry pioneer". Reuters. San Francisco. Retrieved December 20, 2013.
- ^ a b c d Green, Matthew (September 20, 2013). "RSA warns developers not to use RSA products".
- ^ a b c d Schneier, Bruce. "The Strange Story of Dual_EC_DRBG".
- ^ RSA. "RSA Response to Media Claims Regarding NSA Relationship". Archived from the original on March 8, 2014. Retrieved March 8, 2014.
- ^ Menn, Joseph (March 31, 2014). "Exclusive: NSA infiltrated RSA security more deeply than thought - study". Reuters. Retrieved April 4, 2014.
- ^ "TrustNet Cybersecurity and Compliance Solutions". TrustNet Cybersecurity Solutions.
- ^ A. Young, M. Yung, "Kleptography: Using Cryptography Against Cryptography" In Proceedings of Eurocrypt '97, W. Fumy (Ed.), Springer-Verlag, pages 62–74, 1997.
- ^ Green, Matthew (December 28, 2013). "A few more notes on NSA random number generators". A Few Thoughts on Cryptographic Engineering. Blog.cryptographyengineering.com. Retrieved May 11, 2014.
- ^ a b Kelsey, John (December 2013). "800-90 and Dual EC DRBG" (PDF). NIST.
- ^ "Patent CA2594670A1 - Elliptic curve random number generation". Google Patents. January 24, 2011. Retrieved May 11, 2014.
- ^ "Archived copy" (PDF). Archived from the original (PDF) on May 25, 2011. Retrieved November 16, 2007.
- ^ Shumow, Dan; Ferguson, Niels. "On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng" (PDF).
- ^ "Secret Documents Reveal N.S.A. Campaign Against Encryption". New York Times.
- ^ a b "We don't enable backdoors in our crypto products, RSA tells customers". Ars Technica. September 20, 2013.
- ^ "Security firm RSA took millions from NSA: report". CNET.
- ^ "RSA Response to Media Claims Regarding NSA Relationship". RSA Security. Archived from the original on December 23, 2013. Retrieved January 20, 2014.
- ^ "RSA comes out swinging at claims it took NSA's $10m to backdoor crypto". The Register.
- ^ "RSA's 'Denial' Concerning $10 Million From The NSA To Promote Broken Crypto Not Really A Denial At All". techdirt. December 23, 2013.
- ^ "RSA Conference speakers begin to bail, thanks to NSA". CNET.
- ^ "News from the Lab Archive : January 2004 to September 2015". archive.f-secure.com.
- ^ Gallagher, Sean (January 21, 2014). "'TrustyCon' security counter-convention planned for RSA refusniks". Ars Technica. Retrieved May 11, 2014.
- ^ "Arthur W. Coviello Jr. | RSA Conference". Archived from the original on July 16, 2015. Retrieved July 15, 2015.
- ^ "RSA Conference 2014 Keynote for Art Coviello" (PDF). February 25, 2014. Archived from the original (PDF) on July 14, 2014.
- ^ "RSA Changes the Identity Game: Unveils New RSA SecurID® Suite". www.rsa.com. Archived from the original on August 2, 2017. Retrieved June 6, 2017.
- ^ "RSA Identity Governance & Lifecycle". Retrieved September 24, 2018.
- ^ "RSA Envision". EMC. Retrieved December 19, 2012.
- ^ "Press Release: EMC Acquires Netwitness". www.emc.com. Retrieved June 6, 2017.
- ^ "RSA Archer Platform". EMC. Retrieved November 13, 2015.
- ^ "EMC to Acquire Archer Technologies, Leading Provider Of IT Governance Risk and Compliance Software". EMC. Retrieved August 28, 2018.