RSA Security

On 10 March 2020, Dell Technologies announced that they will be selling RSA Security to a consortium, led by Symphony Technology Group (STG), Ontario Teachers’ Pension Plan Board (Ontario Teachers’) and AlpInvest Partners (AlpInvest) for US$2.1 billion, the same price when it was bought by EMC back in 2006.

[11] RSA is based in Chelmsford, Massachusetts, with regional headquarters in Bracknell (UK) and Singapore, and numerous international offices.

In its early years, RSA and its leaders were prominent advocates of strong cryptography for public use, while the NSA and the Bush and Clinton administrations sought to prevent its proliferation.

The relationship shifted from adversarial to cooperative after Bidzos stepped down as CEO in 1999, according to Victor Chan, who led RSA's department of engineering until 2005: "When I joined there were 10 people in the labs, and we were fighting the NSA.

"[35] For example, RSA was reported to have accepted $10 million from the NSA in 2004 in a deal to use the NSA-designed Dual EC DRBG random number generator in their BSAFE library, despite many indications that Dual_EC_DRBG was both of poor quality and possibly backdoored.

[36][37] RSA Security later released a statement about the Dual_EC_DRBG kleptographic backdoor: We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption.

Later cryptanalysis showed that extended random did not add any security, and it was rejected by the prominent standards group Internet Engineering Task Force.

Scientifically speaking, the backdoor employs kleptography, and is, essentially, an instance of the Diffie Hellman kleptographic attack published in 1997 by Adam Young and Moti Yung.

[42] The possibility that the random number generator could contain a backdoor was "first raised in an ANSI X9 meeting", according to John Kelsey, a co-author of the NIST SP 800-90A standard that contains Dual_EC_DRBG.

[45] ANSI standard group members and Microsoft employees Dan Shumow and Niels Ferguson made a public presentation about the backdoor in 2007.

After the New York Times published its article, RSA Security recommended that users switch away from Dual_EC_DRBG, but denied that they had deliberately inserted a backdoor.

[36][48] RSA Security officials have largely declined to explain why they did not remove the dubious random number generator once the flaws became known,[36][48] or why they did not implement the simple mitigation that NIST added to the standard to neutralize the suggested and later verified backdoor.

[36] On 20 December 2013, Reuters' Joseph Menn reported that NSA secretly paid RSA Security $10 million in 2004 to set Dual_EC_DRBG as the default CSPRNG in BSAFE.

The story quoted former RSA Security employees as saying that "no alarms were raised because the deal was handled by business leaders rather than pure technologists".

[53] Among them was Mikko Hyppönen, a Finnish researcher with F-Secure, who cited RSA's denial of the alleged $10 million payment by the NSA as suspicious.

NetWitness was a packet capture tool aimed at gaining full network visibility to detect security incidents.

A suburban office building
RSA headquarters in Chelmsford, Massachusetts
RSA SecurID security tokens .
RSA Security campaigned against the Clipper Chip backdoor in the so-called Crypto Wars , including the use of this iconic poster in the debate.