Misplaced Pages

#68931

44-595: RSA Security LLC , formerly RSA Security, Inc. and trade name RSA , is an American computer and network security company with a focus on encryption and decryption standards. RSA was named after the initials of its co-founders, Ron Rivest , Adi Shamir and Leonard Adleman , after whom the RSA public key cryptography algorithm was also named. Among its products is the SecurID authentication token. The BSAFE cryptography libraries were also initially owned by RSA. RSA

88-420: A DBA must be registered with a local or state government, or both, depending on the jurisdiction. For example, California, Texas and Virginia require a DBA to be registered with each county (or independent city in the case of Virginia) where the owner does business. Maryland and Colorado have DBAs registered with a state agency. Virginia also requires corporations and LLCs to file a copy of their registration with

132-467: A DBA statement, though names including the first and last name of the owner may be accepted. This also reduces the possibility of two local businesses operating under the same name, although some jurisdictions do not provide exclusivity for a name, or may allow more than one party to register the same name. Note, though, that this is not a substitute for filing a trademark application. A DBA filing carries no legal weight in establishing trademark rights. In

176-521: A NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion. When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media. In March 2014, it

220-575: A backdoor was "first raised in an ANSI X9 meeting", according to John Kelsey, a co-author of the NIST SP 800-90A standard that contains Dual_EC_DRBG. In January 2005, two employees of the cryptography company Certicom —who were also members of the X9F1 group—wrote a patent application that described a backdoor for Dual_EC_DRBG identical to the NSA one. The patent application also described three ways to neutralize

264-516: A businessperson writes a trade name on a contract, invoice, or cheque, they must also add the legal name of the business. Numbered companies will very often operate as something other than their legal name, which is unrecognizable to the public. In Chile , a trade name is known as a nombre de fantasía ('fantasy' or 'fiction' name), and the legal name of business is called a razón social (social name). In Ireland , businesses are legally required to register business names where these differ from

308-479: A conference quickly set up in reaction to the reports: TrustyCon, to be held on the same day and one block away from the RSA Conference. At the 2014 RSA Conference , former RSA Security Executive Chairman Art Coviello defended RSA Security's choice to keep using Dual_EC_DRBG by saying "it became possible that concerns raised in 2007 might have merit" only after NIST acknowledged the problems in 2013. RSA

352-551: A consortium, led by Symphony Technology Group (STG) , Ontario Teachers’ Pension Plan Board (Ontario Teachers’) and AlpInvest Partners (AlpInvest) for US$ 2.1 billion, the same price when it was bought by EMC back in 2006. RSA is based in Chelmsford, Massachusetts , with regional headquarters in Bracknell (UK) and Singapore , and numerous international offices. Ron Rivest , Adi Shamir and Leonard Adleman , who developed

396-439: A default cryptographically secure pseudorandom number generator , Dual EC DRBG , that was later suspected to contain a secret National Security Agency kleptographic backdoor . The backdoor could have made data encrypted with these tools much easier to break for the NSA, which would have had the secret private key to the backdoor. Scientifically speaking, the backdoor employs kleptography , and is, essentially, an instance of

440-650: A general awareness that RSA Security had made it the default in some of its products in 2004, until the Snowden leak. In September 2013, the New York Times , drawing on the Snowden leaks , revealed that the NSA worked to "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets" as part of the Bullrun program. One of these vulnerabilities,

484-414: A public presentation about the backdoor in 2007. Commenting on Shumow and Ferguson's presentation, prominent security researcher and cryptographer Bruce Schneier called the possible NSA backdoor "rather obvious", and wondered why NSA bothered pushing to have Dual_EC_DRBG included, when the general poor quality and possible backdoor would ensure that nobody would ever use it. There does not seem to have been

SECTION 10

#1732779834069

528-458: A registered legal name and a fictitious business name, or trade name, is important because fictitious business names do not always identify the entity that is legally responsible . Legal agreements (such as contracts ) are normally made using the registered legal name of the business. If a corporation fails to consistently adhere to such important legal formalities like using its registered legal name in contracts, it may be subject to piercing of

572-537: A truly international, interoperable, unbreakable, easy-to-use encryption technology. And all those things together are so synergistically threatening to the N.S.A.'s interests that it's driving them into a frenzy. In the mid-1990s, RSA and Bidzos led a "fierce" public campaign against the Clipper Chip , an encryption chip with a backdoor that would allow the U.S. government to decrypt communications. The Clinton administration pressed telecommunications companies to use

616-454: Is also sometimes used. A company typically uses a trade name to conduct business using a simpler name rather than using their formal and often lengthier name. Trade names are also used when a preferred name cannot be registered, often because it may already be registered or is too similar to a name that is already registered. Using one or more fictitious business names does not create additional separate legal entities. The distinction between

660-683: Is known for incorporating backdoors developed by the NSA in its products. It also organizes the annual RSA Conference , an information security conference. Founded as an independent company in 1982, RSA Security was acquired by EMC Corporation in 2006 for US$ 2.1 billion and operated as a division within EMC. When EMC was acquired by Dell Technologies in 2016, RSA became part of the Dell Technologies family of brands. On 10 March 2020, Dell Technologies announced that they will be selling RSA Security to

704-500: Is most known for its SecurID product, which provides two-factor authentication to hundreds of technologies utilizing hardware tokens that rotate keys on timed intervals, software tokens, and one-time codes. In 2016, RSA re-branded the SecurID platform as RSA SecurID Access. This release added Single-Sign-On capabilities and cloud authentication for resources using SAML 2.0 and other types of federation. The RSA SecurID Suite also contains

748-649: The RSA encryption algorithm in 1977, founded RSA Data Security in 1982. The company acquired a "worldwide exclusive license" from the Massachusetts Institute of Technology to a patent on the RSA cryptosystem technology granted in 1983. On March 17, 2011, RSA disclosed an attack on its two-factor authentication products. The attack was similar to the Sykipot attacks, the July 2011 SK Communications hack, and

792-575: The Times reported, was the Dual_EC_DRBG backdoor. With the renewed focus on Dual_EC_DRBG, it was noted that RSA Security's BSAFE used Dual_EC_DRBG by default, which had not previously been widely known. After the New York Times published its article, RSA Security recommended that users switch away from Dual_EC_DRBG, but denied that they had deliberately inserted a backdoor. RSA Security officials have largely declined to explain why they did not remove

836-466: The United Kingdom , there is no filing requirement for a "business name", defined as "any name under which someone carries on business" that, for a company or limited liability partnership, "is not its registered name", but there are requirements for disclosure of the owner's true name and some restrictions on the use of certain names. A minority of U.S. states, including Washington , still use

880-557: The Diffie Hellman kleptographic attack published in 1997 by Adam Young and Moti Yung . RSA Security employees should have been aware, at least, that Dual_EC_DRBG might contain a backdoor. Three employees were members of the ANSI X9F1 Tool Standards and Guidelines Group, to which Dual_EC_DRBG had been submitted for consideration in the early 2000s. The possibility that the random number generator could contain

924-604: The Dual_EC_DRBG backdoor (presumably only NSA) because the extended nonces in extended random made part of the internal state of Dual_EC_DRBG easier to guess. Only RSA Security's Java version was hard to crack without extended random since the caching of Dual_EC_DRBG output in e.g. RSA Security's C programming language version already made the internal state fast enough to determine. And indeed, RSA Security only implemented extended random in its Java implementation of Dual_EC_DRBG. From 2004 to 2013, RSA shipped security software— BSAFE toolkit and Data Protection Manager—that included

SECTION 20

#1732779834069

968-458: The NSA and the Bush and Clinton administrations sought to prevent its proliferation. For almost 10 years, I've been going toe to toe with these people at Fort Meade . The success of this company [RSA] is the worst thing that can happen to them. To them, we're the real enemy, we're the real target. We have the system that they're most afraid of. If the U.S. adopted RSA as a standard, you would have

1012-533: The NightDragon series of attacks. RSA called it an advanced persistent threat . Today, SecurID is more commonly used as a software token rather than older physical tokens. RSA's relationship with the NSA has changed over the years. Reuters' Joseph Menn and cybersecurity analyst Jeffrey Carr have noted that the two once had an adversarial relationship. In its early years, RSA and its leaders were prominent advocates of strong cryptography for public use, while

1056-641: The RSA Identity Governance and Lifecycle software (formally Aveksa). The software provides visibility of who has access to what within an organization and manages that access with various capabilities such as access review, request and provisioning. RSA enVision is a security information and event management ( SIEM ) platform, with centralised log-management service that claims to "enable organisations to simplify compliance process as well as optimise security-incident management as they occur." On April 4, 2011, EMC purchased NetWitness and added it to

1100-432: The RSA group of products. NetWitness was a packet capture tool aimed at gaining full network visibility to detect security incidents. This tool was re-branded RSA Security Analytics and was a combination of RSA enVIsion and NetWitness as a SIEM tool that did log and packet capture. The RSA Archer GRC platform is software that supports business-level management of governance, risk management, and compliance (GRC). The product

1144-418: The U.S., trademark rights are acquired by use in commerce, but there can be substantial benefits to filing a trademark application. Sole proprietors are the most common users of DBAs. Sole proprietors are individual business owners who run their businesses themselves. Since most people in these circumstances use a business name other than their own name, it is often necessary for them to get DBAs. Generally,

1188-442: The backdoor when they agreed to the deal, an assertion Menn's story did not make. In the wake of the reports, several industry experts cancelled their planned talks at RSA's 2014 RSA Conference . Among them was Mikko Hyppönen , a Finnish researcher with F-Secure , who cited RSA's denial of the alleged $ 10 million payment by the NSA as suspicious. Hyppönen announced his intention to give his talk, "Governments as Malware Authors", at

1232-462: The backdoor. Two of these—ensuring that two arbitrary elliptic curve points P and Q used in Dual_EC_DRBG are independently chosen, and a smaller output length—were added to the standard as an option, though NSA's backdoored version of P and Q and large output length remained as the standard's default option. Kelsey said he knew of no implementers who actually generated their own non-backdoored P and Q, and there have been no reports of implementations using

1276-529: The chip in their devices, and relaxed export restrictions on products that used it. (Such restrictions had prevented RSA Security from selling its software abroad.) RSA joined civil libertarians and others in opposing the Clipper Chip by, among other things, distributing posters with a foundering sailing ship and the words "Sink Clipper!" RSA Security also created the DES Challenges to show that

1320-504: The context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption. This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs. We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as

1364-484: The corporate veil . In English , trade names are generally treated as proper nouns . In Argentina , a trade name is known as a nombre de fantasía ('fantasy' or 'fiction' name), and the legal name of business is called a razón social (social name). In Brazil , a trade name is known as a nome fantasia ('fantasy' or 'fiction' name), and the legal name of business is called razão social (social name). In some Canadian jurisdictions , such as Ontario , when

RSA Security - Misplaced Pages Continue

1408-534: The county or city to be registered with the State Corporation Commission. DBA statements are often used in conjunction with a franchise . The franchisee will have a legal name under which it may sue and be sued, but will conduct business under the franchiser's brand name (which the public would recognize). A typical real-world example can be found in a well-known pricing mistake case, Donovan v. RRL Corp. , 26 Cal. 4th 261 (2001), where

1452-431: The deal was handled by business leaders rather than pure technologists". Interviewed by CNET, Schneier called the $ 10 million deal a bribe. RSA officials responded that they have not "entered into any contract or engaged in any project with the intention of weakening RSA’s products." Menn stood by his story, and media analysis noted that RSA's reply was a non-denial denial , which denied only that company officials knew about

1496-461: The dubious random number generator once the flaws became known, or why they did not implement the simple mitigation that NIST added to the standard to neutralize the suggested and later verified backdoor. On 20 December 2013, Reuters ' Joseph Menn reported that NSA secretly paid RSA Security $ 10 million in 2004 to set Dual_EC_DRBG as the default CSPRNG in BSAFE. The story quoted former RSA Security employees as saying that "no alarms were raised because

1540-402: The law is to protect the public from fraud, by compelling the business owner to first file or register his fictitious business name with the county clerk, and then making a further public record of it by publishing it in a newspaper. Several other states, such as Illinois , require print notices as well. In Uruguay , a trade name is known as a nombre fantasía , and the legal name of business

1584-461: The named defendant, RRL Corporation, was a Lexus car dealership doing business as " Lexus of Westminster ", but remaining a separate legal entity from Lexus, a division of Toyota Motor Sales, USA, Inc. . In California , filing a DBA statement also requires that a notice of the fictitious name be published in local newspapers for some set period of time to inform the public of the owner's intent to operate under an assumed name . The intention of

1628-660: The smaller outlet. Nevertheless, NIST included Dual_EC_DRBG in its 2006 NIST SP 800-90A standard with the default settings enabling the backdoor, largely at the behest of NSA officials, who had cited RSA Security's early use of the random number generator as an argument for its inclusion. The standard did also not fix the unrelated (to the backdoor) problem that the CSPRNG was predictable, which Gjøsteen had pointed out earlier in 2006, and which led Gjøsteen to call Dual_EC_DRBG not cryptographically sound. ANSI standard group members and Microsoft employees Dan Shumow and Niels Ferguson made

1672-459: The surname(s) of the sole trader or partners, or the legal name of a company. The Companies Registration Office publishes a searchable register of such business names. In Japan , the word yagō ( 屋号 ) is used. In Colonial Nigeria , certain tribes had members that used a variety of trading names to conduct business with the Europeans. Two examples were King Perekule VII of Bonny , who

1716-469: The term trade name to refer to "doing business as" (DBA) names. In most U.S. states now, however, DBAs are officially referred to using other terms. Almost half of the states, including New York and Oregon , use the terms assumed business name or assumed name ; nearly as many, including Pennsylvania , use the term fictitious name . For consumer protection purposes, many U.S. jurisdictions require businesses operating with fictitious names to file

1760-403: The widely used DES encryption was breakable by well-funded entities like the NSA. The relationship shifted from adversarial to cooperative after Bidzos stepped down as CEO in 1999, according to Victor Chan, who led RSA's department of engineering until 2005: "When I joined there were 10 people in the labs, and we were fighting the NSA. It became a very different company later on." For example, RSA

1804-553: Was known as Captain Pepple in trade matters, and King Jubo Jubogha of Opobo , who bore the pseudonym Captain Jaja . Both Pepple and Jaja would bequeath their trade names to their royal descendants as official surnames upon their deaths. In Singapore , there is no filing requirement for a "trading as" name, but there are requirements for disclosure of the underlying business or company's registered name and unique entity number. In

RSA Security - Misplaced Pages Continue

1848-583: Was originally developed by Archer Technologies, which EMC acquired in 2010. Trade name In a number of countries, the phrase " trading as " (abbreviated to t/a ) is used to designate a trade name. In the United States , the phrase " doing business as " (abbreviated to DBA , dba , d.b.a. , or d/b/a ) is used, among others, such as assumed business name or fictitious business name . In Canada , " operating as " (abbreviated to o/a ) and " trading as " are used, although " doing business as "

1892-399: Was reported by Reuters that RSA had also adapted the extended random standard championed by NSA. Later cryptanalysis showed that extended random did not add any security, and it was rejected by the prominent standards group Internet Engineering Task Force . Extended random did however make NSA's backdoor for Dual_EC_DRBG tens of thousands of times faster to use for attackers with the key to

1936-508: Was reported to have accepted $ 10 million from the NSA in 2004 in a deal to use the NSA-designed Dual EC DRBG random number generator in their BSAFE library, despite many indications that Dual_EC_DRBG was both of poor quality and possibly backdoored. RSA Security later released a statement about the Dual_EC_DRBG kleptographic backdoor: We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in

#68931