RSA Security: From Public Key Cryptography Breakthroughs to the Future of Identity Security

Since its inception, RSA Security has been a cybersecurity pioneer, providing leaders in government, financial services, energy, healthcare, and other highly-regulated industries with identity and access management (IAM), identity governance and administration (IGA), access, and multi-factor authentication (MFA) capabilities.

RSA Security was founded in 1982 by Ron Rivest, Adi Shamir, and Leonard Adelman, who developed the RSA encryption algorithm in 1977. While the public-key cryptography standard was released into the public domain in 200 and is no longer owned, sold, or managed by RSA Security, it does represent one important chapter in the RSA story.

Since its founding, RSA Security has helped organizations defend themselves from phishing, malware, social engineering, and other recurring threat vectors. RSA is continuing to innovate against emerging threats like deepfakes, AI-powered attacks, and IT Help Desk bypasses. And as the world approaches a new quantum computing era, RSA is continuing to innovate to help organizations stay ahead of bad actors.

Explore RSA’s history and its future at the forefront of identity security by reading the chapters below:translated

In 1977, the concept of public-key cryptography emerged as a solution to the limitations of symmetric encryption methods, which required secure key exchanges. The RSA algorithm addressed this challenge by utilizing a pair of keys: a public key for encryption and a private key for decryption. These paired RSA keys form the backbone of the RSA cryptosystem, enabling secure data transmission even over untrusted networks. This innovation enabled secure communications over untrusted channels without the need for prior key exchange. The security of RSA is based on the computational difficulty of factoring large prime numbers, making it a formidable tool against unauthorized data access.​

The Massachusetts Institute of Technology (MIT) received a patent for the RSA algorithm in 1983, with the terms of the patent set for 17 years.translated

The widespread adoption of the RSA cryptosystem led to the development of the RSA Public Key Infrastructure (PKI), a framework that manages digital certificates and public-key encryption. RSA PKI became instrumental in establishing secure communications across the internet, underpinning protocols such as SSL/TLS that are essential for e-commerce, secure email, and digital signatures.

RSA Security released the encryption algorithm into the public domain on September 6, 2000. The release would “allow anyone to create products that incorporate their own implementation of the algorithm. This means that RSA Security has waived its right to enforce the patent for any development activities that include the RSA algorithm occurring after September 6, 2000.” Today the algorithm is a public standard (FIPS 186-5).translated

More than two decades after RSA Security released the encryption algorithm into the public domain, RSA Security continues to develop new solutions to cybersecurity challenges.

Today, RSA Security is solely focused on identity security, providing a range of access, authentication, governance, and lifecycle solutions that help organizations prevent risks, detect threats, enable compliance, and accelerate productivity, including:

• RSA® ID Plus provides a complete range of IAM capabilities—including passwordless MFA, SSO, contextual access, integrations with Microsoft and other third-parties, and cloud directory services—across cloud, hybrid, and on-premises environments.
• RSA® Governance & Lifecycle helps organizations improve compliance, reduce risk, and optimize operations with by deploying IGA features across applications, systems, and data to manage and secure access at scale.
• RSA SecurID® protects on-premises resources with secure access, authentication, and identity lifecycle management capabilities.

To learn more about current RSA solutions, please contact us or start your free ID Plus trial today.translated

Advancements in quantum computing may one day pose threats to classical encryption algorithms, including Diffie-Hellman (DH) key exchange, Elliptic Curve Cryptography (ECC), and the RSA encryption algorithm. Quantum computers have the potential to solve complex mathematical problems, such as integer factorization, exponentially faster than classical computers.

Given that the RSA algorithm is based on the computational difficulty of factoring large prime numbers, quantum algorithms like Shor’s could be used to eventually crack RSA keys. The same is true for Diffie Hellman (DH), and also Elliptic Curve (ECC) keys. ECC is based on a different mathematical problem but fundamentally could also be broken with Shor’s algorithm—in fact the number of required qbits to achieve this would be smaller than for an RSA/DH key of comparable strength.

To prepare for this risk, NIST published initial draft guidance (“Transition to Post-Quantum Cryptography Standards,” NIST IR 8547) in 2024 that recommends at least 112 bits of security strength (2048-bit RSA keys) and a goal to utilize at least 4096-bit RSA keys (for 128 bits of security strength) after the year 2030. In that draft guidance, NIST recommended that no RSA encryption of any size keys be used after 2035.  Organizations should continue following best practices for key length and key rotation until then to keep their encryption secure. Modern web browsers can support 4096-bit keys, aligning with NIST’s RSA key guidance for 2030.

RSA Security believes these recommendations are an appropriate, risk-based measure. Given that quantum computing is still in its infancy and requires vast amounts of resources to operate, quantum computing does not pose an immediate threat to encryption. The most powerful quantum computers recently surpassed 1,000 quantum bits (qubits) in size, and can only maintain stable operation for 1-2 milliseconds. By comparison, researches believe that a theoretical 20 million qubit computer would require eight hours to crack a single 2048-bit RSA encryption key. By implementing NIST IR 8547, organizations should stay well ahead of the risks that quantum computing may one day pose.

RSA Security has implemented these guidelines in its own solutions and will continue to follow NIST Best practices.

In addition to implementing NIST post-quantum guidelines, organizations should strive to understand their current IT infrastructure. Cataloging current applications, updating software with the latest version, and basic cyber hygiene are essential cybersecurity best practices that will help organizations defend against current threats and prepare for emerging risks like quantum computing.translated

Organizations should be aware of and implement NIST quantum computing guidance to stay ahead of theoretical risks. But leaders should take a risk-based approach to cybersecurity and prepare for the most likely, highest-impact attacks. Prioritizing theoretical quantum computing risks overlooks the very clear, immediate, and active threats that cybercriminals are succeeding with today:

• Change Healthcare was compromised by stolen credentials and didn’t have MFA enabled on some of its accounts
• Scattered Spider convinced IT help desk staff to disable or reset MFA credentials in order to launch a ransomware attack that caused hundreds of millions of dollars in losses
• Colonial Pipeline was breached in part due to an orphaned VPN account
• Rose87168 claimed to have stolen 6 million data records from Oracle Cloud by exploiting an unpatched vulnerability

Quantum computing requires massive funding and resources. These data breaches did not. The vast amount of attacks today rely on and succeed with phishing, social engineering, password-based authentication, unpatched systems, and patchwork access provisioning. Those are the risks that demand organizations’ immediate attention, action, and investment.

Classical RSA encryption vs. post-quantum cryptography

translated
[Logical team please include the table here]

It’s important to note that, while post-quantum cryptography algorithms are thought to be resistant against quantum computing attacks, there is a risk that even those frameworks can be attacked by ‘traditional’ cryptanalysis and computing methods. If organizations use a post-quantum encryption algorithm, they should be secure from post-quantum attacks but may still be hacked by attacks powered by a pre-quantum method. Traditional algorithms like RSA/ECC/DH have been researched for decades: that research has not revealed fundamental weaknesses to traditional attacks.