Security Experts: RSA Lacks Technical Openness
By Ericka Chickowski | Posted 2011-03-19
RSA channel partners are concerned about the lack of details from RSA following a security breach of its SecurID authentication product, which is used by a range of organizations including banks and highly sensitive government entities.
Some security experts believe that, aside from the breach, part of the issue has to do with the lack of technical openness that RSA has fostered with this set of authentication products. They used the breach as an opportunity to take a jab at RSA for not offering the security community more details about the workings of SecurID in the first place.
"RSA broke a cardinal rule in the non-disclosure of their one-time authentication system; the fundamental crux of any security method or algorithm is wide publication and dissemination of the underpinning method used for purposes of peer review," says Gregory Perry, CEO of training firm GoVirtual, a former security firm executive and an open-source advocate. "RSA is not new to this concept, their RSA encryption algorithm and related method of implementation is the de facto standard for public key encryption in use on the Internet today, but for some reason they chose to adopt a mindset of 'security through obscurity' with their RSA SecurID method - which many industry veterans viewed with suspicion over the years and which raised the specter of a backdoor within the SecurID OTP authentication framework."