RSA Security
==Controversy==

===SecurID security breach===
[[File:RSA-SecurID-Tokens.jpg|thumb|RSA SecurID [[security token]]s.]]
{{main|SecurID#March 2011 system compromise}}

On March 17, 2011, RSA disclosed an attack on its [[two-factor authentication]] products. The attack was similar to the Sykipot attacks, the July 2011 SK Communications hack, and the NightDragon series of attacks.<ref>{{cite web |publisher = Command Five Pty Ltd |url = http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf |title = Command and Control in the Fifth Domain |date = February 2012 |access-date = February 10, 2012 |archive-date = February 27, 2012 |archive-url = https://web.archive.org/web/20120227035957/http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf |url-status = dead }}</ref> RSA called it an [[advanced persistent threat]].<ref name="RSAHACKED">{{cite web|url=http://www.computerweekly.com/Articles/2011/03/18/245974/RSA-hit-by-advanced-persistent-threat-attacks.htm |title=RSA hit by advanced persistent threat attacks |date=March 18, 2011 |work=Computer Weekly |access-date=May 4, 2011}}</ref> Today, SecurID is more commonly used as a software token rather than older physical tokens.{{Citation needed|date=June 2023}}

===Relationship with NSA===
[[File:Sink_Clipper_campaign.gif|thumb|right|RSA Security campaigned against the Clipper Chip backdoor in the so-called [[Crypto Wars]], including the use of this iconic poster in the debate.]]

RSA's relationship with the [[National Security Agency|NSA]] has changed over the years. Reuters' Joseph Menn<ref name="reuters">{{cite news|url=https://www.reuters.com/article/us-usa-security-rsa-idUSBRE9BJ1C220131220|title=Exclusive: Secret contract tied NSA and security industry pioneer|author=Joseph Menn|newspaper=Reuters|date=December 20, 2013}}</ref> and cybersecurity analyst [[Jeffrey Carr]]<ref name="carr">Carr, Jeffrey. (2014-01-06) [http://jeffreycarr.blogspot.dk/2014/01/nsas-10m-rsa-contract-origins.html Digital Dao: NSA's $10M RSA Contract: Origins]. Jeffreycarr.blogspot.dk. Retrieved on 2014-05-11.</ref> have noted that the two once had an adversarial relationship. In its early years, RSA and its leaders were prominent advocates of [[strong cryptography]] for public use, while the NSA and the [[George H. W. Bush administration|Bush]] and [[Clinton Administration|Clinton administrations]] sought to prevent its proliferation.

{{blockquote|For almost 10 years, I've been going toe to toe with these people at [[Fort Meade]]. The success of this company <nowiki>[</nowiki>RSA<nowiki>]</nowiki> is the worst thing that can happen to them. To them, we're the real enemy, we're the real target. We have the system that they're most afraid of. If the U.S. adopted RSA as a standard, you would have a truly international, interoperable, unbreakable, easy-to-use encryption technology. And all those things together are so synergistically threatening to the N.S.A.'s interests that it's driving them into a frenzy.|RSA president James Bidzos, June 1994<ref>{{cite web|url=http://www2.nytimes.com/1994/06/12/magazine/battle-of-the-clipper-chip.html?pagewanted=all|title=Battle of the Clipper Chip|work=New York Times|date=12 Jun 1994|access-date=8 Mar 2014|author=Steven Levy}}</ref>}}

In the mid-1990s, RSA and Bidzos led a "fierce" public campaign against the [[Clipper Chip]], an encryption chip with a backdoor that would allow the U.S. government to decrypt communications. The Clinton administration pressed telecommunications companies to use the chip in their devices, and relaxed [[Export of cryptography in the United States|export restrictions]] on products that used it. (Such restrictions had prevented RSA Security from selling its software abroad.)
RSA joined [[Civil libertarianism|civil libertarians]] and others in opposing the Clipper Chip by, among other things, distributing posters with a foundering sailing ship and the words "Sink Clipper!"<ref name="NSApaid" /> RSA Security also created the [[DES Challenges]] to show that the widely used DES encryption was breakable by well-funded entities like the NSA.

The relationship shifted from adversarial to cooperative after Bidzos stepped down as CEO in 1999, according to Victor Chan, who led RSA's department of engineering until 2005: "When I joined there were 10 people in the labs, and we were fighting the NSA. It became a very different company later on."<ref name="NSApaid" /> For example, RSA was reported to have accepted $10 million from the NSA in 2004 in a deal to use the NSA-designed [[Dual EC DRBG]] random number generator in their BSAFE library, despite many indications that Dual_EC_DRBG was both of poor quality and possibly backdoored.<ref name="green" /><ref name="schneier" /> RSA Security later released a statement about the Dual_EC_DRBG [[kleptographic]] backdoor:

{{blockquote|We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption. This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs. We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion. When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media.|RSA, The Security Division of EMC<ref>{{cite web|url=https://blogs.rsa.com/news-media/rsa-response/|title=RSA Response to Media Claims Regarding NSA Relationship|access-date=8 Mar 2014|author=RSA|archive-date=March 8, 2014|archive-url=https://web.archive.org/web/20140308180157/https://blogs.rsa.com/news-media/rsa-response/|url-status=dead}}</ref>}}

In March 2014, it was reported by [[Reuters]] that RSA had also adopted the [[extended random]] standard championed by NSA. Later cryptanalysis showed that extended random did not add any security, and it was rejected by the prominent standards group [[Internet Engineering Task Force]]. Extended random did, however, make NSA's backdoor for Dual_EC_DRBG tens of thousands of times faster to use for attackers with the key to the Dual_EC_DRBG backdoor (presumably only NSA) because the extended [[Cryptographic nonce|nonces]] in extended random made part of the internal state of Dual_EC_DRBG easier to guess. Only RSA Security's [[Java (programming language)|Java]] version was hard to crack without extended random since the caching of Dual_EC_DRBG output in e.g. RSA Security's [[C programming language]] version already made the internal state fast enough to determine.
And indeed, RSA Security only implemented extended random in its Java implementation of Dual_EC_DRBG.<ref>{{cite news|first1=Joseph |last1=Menn |url=https://www.reuters.com/article/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331 |title=Exclusive: NSA infiltrated RSA security more deeply than thought - study |newspaper=Reuters |date=31 March 2014 |access-date=4 April 2014}}</ref><ref>{{Cite web|url=https://www.trustnetinc.com/|title=TrustNet Cybersecurity and Compliance Solutions|website=TrustNet Cybersecurity Solutions}}</ref>

===NSA Dual_EC_DRBG backdoor===
From 2004 to 2013, RSA shipped security software—[[BSAFE toolkit]] and Data Protection Manager—that included a default [[cryptographically secure pseudorandom number generator]], [[Dual EC DRBG]], that was later suspected to contain a secret [[National Security Agency]] [[kleptographic]] [[Backdoor (computing)|backdoor]]. The backdoor could have made data encrypted with these tools much easier to break for the NSA, which would have had the secret [[Public-key cryptography|private key]] to the backdoor. Scientifically speaking, the backdoor employs [[kleptography]], and is, essentially, an instance of the Diffie-Hellman kleptographic attack published in 1997 by Adam Young and [[Moti Yung]].<ref name="yy97">A. Young, [[Moti Yung|M. Yung]], "Kleptography: Using Cryptography Against Cryptography" In Proceedings of Eurocrypt '97, W. Fumy (Ed.), Springer-Verlag, pages 62–74, 1997.</ref>

RSA Security employees should have been aware, at least, that Dual_EC_DRBG might contain a backdoor. Three employees were members of the ANSI X9F1 Tool Standards and Guidelines Group, to which Dual_EC_DRBG had been submitted for consideration in the early 2000s.<ref name="green_other">Green, Matthew. (2013-12-28) [http://blog.cryptographyengineering.com/2013/12/a-few-more-notes-on-nsa-random-number.html A Few Thoughts on Cryptographic Engineering: A few more notes on NSA random number generators]. Blog.cryptographyengineering.com. Retrieved on 2014-05-11.</ref> The possibility that the random number generator could contain a backdoor was "first raised in an ANSI X9 meeting", according to John Kelsey, a co-author of the [[NIST SP 800-90A]] standard that contains Dual_EC_DRBG.<ref name="kelsey" /> In January 2005, two employees of the cryptography company [[Certicom]]—who were also members of the X9F1 group—wrote a patent application that described a backdoor for Dual_EC_DRBG identical to the NSA one.<ref name="patent">[https://patents.google.com/patent/CA2594670A1 Patent CA2594670A1 - Elliptic curve random number generation - Google Patents]. Google.com (2011-01-24). Retrieved on 2014-05-11.</ref> The patent application also described three ways to neutralize the backdoor. Two of these—ensuring that two arbitrary elliptic curve points P and Q used in Dual_EC_DRBG are independently chosen, and a smaller output length—were added to the standard as an option, though NSA's backdoored version of P and Q and large output length remained as the standard's default option. Kelsey said he knew of no implementers who actually generated their own non-backdoored P and Q,<ref name="kelsey">{{Cite web |last=Kelsey |first=John |date=December 2013 |title=800-90 and Dual EC DRBG |url=http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2013-12/nist_cryptography_800-90.pdf |publisher=NIST}}</ref> and there have been no reports of implementations using the smaller output.
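The effect of the two neutralizing measures described above can be seen on a toy curve. This is an added example, not code from the article, the patent, NIST or RSA Security: it shows that whoever knows a scalar d with P = d·Q can recover the generator's next state from its output, that a wrong d recovers nothing (the situation when P and Q are chosen independently), and that every truncated output bit doubles the number of guesses. The 31-bit curve, the point Q, the scalar <code>D_SECRET</code> and all function names are constructed for illustration.

```python
# Toy Dual_EC_DRBG on a constructed 31-bit curve (not NIST P-256; sizes are illustrative).
M = 2**31 - 1                    # field prime; M % 4 == 3, so a square root is one pow()
A = 2
Q = (5, 7)                       # arbitrary base point
B = (Q[1]**2 - Q[0]**3 - A * Q[0]) % M    # choose b so Q lies on y^2 = x^3 + A*x + B
BITS = 31

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % M == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % M, -1, M) % M
    else:
        lam = (y2 - y1) * pow((x2 - x1) % M, -1, M) % M
    x3 = (lam * lam - x1 - x2) % M
    return (x3, (lam * (x1 - x3) - y1) % M)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def lift_x(x):
    """Return a curve point with x-coordinate x, or None if x is not on the curve."""
    rhs = (x**3 + A * x + B) % M
    y = pow(rhs, (M + 1) // 4, M)
    return (x, y) if y * y % M == rhs else None

D_SECRET = 0x1337C0DE            # constructed trapdoor: known only to whoever chose P
P = mul(D_SECRET, Q)             # P = d*Q, indistinguishable from a random point

def drbg(state, n, drop_bits):
    """n outputs of the toy generator: s <- x(s*P), output x(s*Q) minus its top bits."""
    out = []
    for _ in range(n):
        state = mul(state, P)[0]
        out.append(mul(state, Q)[0] & ((1 << (BITS - drop_bits)) - 1))
    return out

def recover_state(out1, out2, drop_bits, d):
    """Given two outputs and a candidate d, return (state behind out2, guesses tried)."""
    keep = BITS - drop_bits
    for hi in range(1 << drop_bits):         # guess the truncated top bits of x(s*Q)
        R = lift_x((hi << keep) | out1)
        S = mul(d, R) if R else None         # d*(s*Q) = s*P, whose x is the next state
        T = mul(S[0], Q) if S else None
        if T and T[0] & ((1 << keep) - 1) == out2:
            return S[0], hi + 1
    return None, 1 << drop_bits
```
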

Nevertheless, NIST included Dual_EC_DRBG in its 2006 [[NIST SP 800-90A]] standard with the default settings enabling the backdoor, largely at the behest of NSA officials,<ref name="schneier" /> who had cited RSA Security's early use of the random number generator as an argument for its inclusion.<ref name="NSApaid" /> The standard also did not fix the unrelated (to the backdoor) problem that the CSPRNG was predictable, which Gjøsteen had pointed out earlier in 2006, and which led Gjøsteen to call Dual_EC_DRBG not cryptographically sound.<ref>{{cite web |url=http://www.math.ntnu.no/~kristiag/drafts/dual-ec-drbg-comments.pdf |title=Archived copy |access-date=2007-11-16 |url-status=dead |archive-url=https://web.archive.org/web/20110525081912/http://www.math.ntnu.no/~kristiag/drafts/dual-ec-drbg-comments.pdf |archive-date=May 25, 2011 |df=mdy-all }}</ref>

ANSI standard group members and Microsoft employees Dan Shumow and Niels Ferguson made a public presentation about the backdoor in 2007.<ref>{{Cite web |last1=Shumow |first1=Dan |last2=Ferguson |first2=Niels |date= |title=On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng |url=http://rump2007.cr.yp.to/15-shumow.pdf |publisher=}}</ref> Commenting on Shumow and Ferguson's presentation, prominent security researcher and cryptographer [[Bruce Schneier]] called the possible NSA backdoor "rather obvious", and wondered why NSA bothered pushing to have Dual_EC_DRBG included, when the general poor quality and possible backdoor would ensure that nobody would ever use it.<ref name="schneier" /> There does not seem to have been a general awareness that RSA Security had made it the default in some of its products in 2004, until the Snowden leak.<ref name="schneier">{{cite web|url=https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html|title=The Strange Story of Dual_EC_DRBG|author=Bruce Schneier|date=November 15, 2007 }}</ref>

In September 2013, the ''New York Times'', drawing on the [[2013 mass surveillance disclosures|Snowden leaks]], revealed that the NSA worked to "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets" as part of the [[Bullrun (code name)|Bullrun]] program. One of these vulnerabilities, the ''Times'' reported, was the Dual_EC_DRBG backdoor.<ref name="nyt9-13">{{cite news|url=https://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html|work=New York Times|title=Secret Documents Reveal N.S.A. Campaign Against Encryption}}</ref> With the renewed focus on Dual_EC_DRBG, it was noted that RSA Security's BSAFE used Dual_EC_DRBG by default, which had not previously been widely known.

After the ''New York Times'' published its article, RSA Security recommended that users switch away from Dual_EC_DRBG, but denied that they had deliberately inserted a backdoor.<ref name="green">{{cite web|url=http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html|title=RSA warns developers not to use RSA products|author=Matthew Green|date=September 20, 2013}}</ref><ref name="ars">{{cite web|url=https://arstechnica.com/security/2013/09/we-dont-enable-backdoors-in-our-crypto-products-rsa-tells-customers/|title=We don't enable backdoors in our crypto products, RSA tells customers|date=September 20, 2013|publisher=Ars Technica}}</ref> RSA Security officials have largely declined to explain why they did not remove the dubious random number generator once the flaws became known,<ref name="green" /><ref name="ars" /> or why they did not implement the simple mitigation that NIST added to the standard to neutralize the suggested and later verified backdoor.<ref name="green" />

On 20 December 2013, [[Reuters]]' Joseph Menn reported that NSA secretly paid RSA Security $10 million in 2004 to set Dual_EC_DRBG as the default CSPRNG in BSAFE.
The story quoted former RSA Security employees as saying that "no alarms were raised because the deal was handled by business leaders rather than pure technologists".<ref name="NSApaid">{{cite news | url=https://www.reuters.com/article/us-usa-security-rsa-idUSBRE9BJ1C220131220 | title=Exclusive: Secret contract tied NSA and security industry pioneer | date=December 20, 2013 | work=Reuters | access-date=December 20, 2013 | author=Menn, Joseph | location=San Francisco}}</ref> Interviewed by CNET, Schneier called the $10 million deal a bribe.<ref>{{cite web|url=http://news.cnet.com/8301-1009_3-57616205-83/security-firm-rsa-took-millions-from-nsa-report/|title=Security firm RSA took millions from NSA: report|publisher=CNET}}</ref> RSA officials responded that they have not "entered into any contract or engaged in any project with the intention of weakening RSA’s products."<ref>{{cite web|url=https://blogs.rsa.com/news-media-2/rsa-response/|title=RSA Response to Media Claims Regarding NSA Relationship|publisher=RSA Security|access-date=January 20, 2014|archive-date=December 23, 2013|archive-url=https://web.archive.org/web/20131223121638/http://blogs.rsa.com/news-media-2/rsa-response/|url-status=dead}}</ref> Menn stood by his story,<ref>{{Cite web|url=https://www.theregister.co.uk/2013/12/23/rsa_nsa_response/|title = RSA comes out swinging at claims it took NSA's $10m to backdoor crypto|website = [[The Register]]}}</ref> and media analysis noted that RSA's reply was a [[non-denial denial]], which denied only that company officials knew about the backdoor when they agreed to the deal, an assertion Menn's story did not make.<ref>{{cite web|url=http://www.techdirt.com/articles/20131222/23532125671/rsas-denial-concerning-10-million-nsa-to-promote-broken-crypto-not-really-denial-all.shtml|title=RSA's 'Denial' Concerning $10 Million From The NSA To Promote Broken Crypto Not Really A Denial At All|date=December 23, 2013|publisher=techdirt}}</ref>

In the wake of the reports, several industry experts cancelled their planned talks at RSA's 2014 [[RSA Conference]].<ref>{{Cite web|url=https://www.cnet.com/news/privacy/rsa-conference-speakers-begin-to-bail-thanks-to-nsa/|title=RSA Conference speakers begin to bail, thanks to NSA|website=CNET}}</ref> Among them was [[Mikko Hyppönen]], a Finnish researcher with [[F-Secure]], who cited RSA's denial of the alleged $10 million payment by the NSA as suspicious.<ref>{{Cite web|url=https://archive.f-secure.com/weblog/archives/00002651.html|title=News from the Lab Archive : January 2004 to September 2015|website=archive.f-secure.com}}</ref> Hyppönen announced his intention to give his talk, "Governments as Malware Authors", at a conference quickly set up in reaction to the reports: TrustyCon, to be held on the same day and one block away from the RSA Conference.<ref name="arstrusty">Gallagher, Sean. (2014-01-21) [https://arstechnica.com/information-technology/2014/01/trustycon-security-counter-convention-planned-for-rsa-refusniks/ “TrustyCon” security counter-convention planned for RSA refusniks]. Ars Technica. Retrieved on 2014-05-11.</ref>

At the 2014 [[RSA Conference]], former<ref>{{Cite web |url=http://www.rsaconference.com/speakers/arthur-coviello |title=Arthur W. Coviello Jr. | RSA Conference |access-date=July 15, 2015 |archive-date=July 16, 2015 |archive-url=https://web.archive.org/web/20150716023029/http://www.rsaconference.com/speakers/arthur-coviello |url-status=dead }}</ref> RSA Security Executive Chairman Art Coviello defended RSA Security's choice to keep using Dual_EC_DRBG by saying "it became possible that concerns raised in 2007 might have merit" only after [[NIST]] acknowledged the problems in 2013.<ref>{{cite web |url=http://uk.emc.com/collateral/corporation/rsa-conference-keynote-art-coviello-feburary-24-2014.pdf |title=RSA Conference 2014 Keynote for Art Coviello |date=February 25, 2014 |url-status=dead |archive-url=https://web.archive.org/web/20140714192650/http://uk.emc.com/collateral/corporation/rsa-conference-keynote-art-coviello-feburary-24-2014.pdf |archive-date=2014-07-14}}</ref>