1. On Citrix ADC, add the following cipher suite value in the SSL Ciphers option: ECDHE-RSA-AES256-GCM-SHA384.
Note: If the ciphers are already bound, go to step 2.
2. Bind and enable Elliptic Curve Cryptography (ECC).
For details, see ECDSA cipher suites support in the Citrix ADC 12.1 documentation https://docs.citrix.com/en-us/citrix-adc/12-1/ssl/ciphers-available-on-the-citrix-ADC-appliances/ecdhe-ciphers.html.
For FIPS-enabled environments, verify that the RSA key size of the identity certificate (i.e. the server certificate), the intermediate certificates, and your root certificate is 2048 or 3072 bits. We do not currently support an RSA key size of 4096 bits in a FIPS-enabled environment. The new crypto library checks the key size and rejects the connection if the key is not one of the supported sizes.
For configuration information see the following Citrix support article: https://support.citrix.com/article/CTX205289
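The key-size rule above is easy to verify offline before touching the appliance. The following is an added example, not Citrix code: it parses a PKCS#1 RSAPublicKey DER structure (SEQUENCE { INTEGER n, INTEGER e }) with a minimal DER reader and applies the policy stated above, 2048 or 3072 bits pass and anything else, including 4096, is rejected. The three keys in the chain are constructed placeholders whose moduli are set to 2^(bits-1)+1 so they have the wanted length; they are not real keys. A real certificate carries the key inside a SubjectPublicKeyInfo, so you would first extract the RSAPublicKey bytes (for example with the openssl CLI) and then feed them to `rsa_modulus_bits`.

```python
"""FIPS RSA key-size check over a chain's public keys (added example, not Citrix code)."""

ALLOWED_FIPS_RSA_BITS = {2048, 3072}   # sizes the text says are supported


def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form: length fits in one byte
        return first, pos
    n = first & 0x7F                       # long form: next n bytes hold the length
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def _der_encode(tag, body):
    """Encode one DER TLV (used only to build the constructed sample keys)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                     # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der_encode(0x02, body)


def rsa_modulus_bits(der):
    """Return the modulus bit length from a DER-encoded PKCS#1 RSAPublicKey."""
    if der[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    _, pos = _der_len(der, 1)
    if der[pos] != 0x02:
        raise ValueError("modulus INTEGER missing")
    n_len, pos = _der_len(der, pos + 1)
    n = int.from_bytes(der[pos:pos + n_len], "big")
    return n.bit_length()


def fips_key_size_ok(bits):
    """Policy from the text: only 2048- and 3072-bit RSA keys are accepted."""
    return bits in ALLOWED_FIPS_RSA_BITS


def check_chain(chain):
    """chain: list of (label, der). Returns [(label, bits, ok), ...]."""
    result = []
    for label, der in chain:
        bits = rsa_modulus_bits(der)
        result.append((label, bits, fips_key_size_ok(bits)))
    return result


def placeholder_rsa_public_key(bits):
    """CONSTRUCTED placeholder key of the requested size; not a real RSA key."""
    n = (1 << (bits - 1)) | 1
    return _der_encode(0x30, _der_int(n) + _der_int(65537))


# Constructed sample chain: server and intermediate pass, a 4096-bit root fails.
CHAIN = [
    ("server", placeholder_rsa_public_key(2048)),
    ("intermediate", placeholder_rsa_public_key(3072)),
    ("root", placeholder_rsa_public_key(4096)),
]

if __name__ == "__main__":
    for label, bits, ok in check_chain(CHAIN):
        verdict = "ok" if ok else "REJECT (not a FIPS-supported size)"
        print(f"{label:12s} RSA-{bits}: {verdict}")
```

Run it as-is to see the 4096-bit root flagged; any key that fails here would be refused by the appliance's crypto library in FIPS mode, so fixing the chain before deployment avoids a hard-to-diagnose handshake failure.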
Today, we’re pleased to announce availability of RSA Exchange Release R7, which introduces 10 new and two updated offerings, as well as new and updated content. We’re thrilled that our RSA Exchange Technology Partners continue to develop and deliver innovation for RSA Archer customers via the RSA Exchange, and look forward to much more in future releases.
For additional documentation and downloads, check out the RSA Exchange for RSA Archer on RSA Link. Stay tuned for more new RSA Exchange offerings next quarter!
This article describes how to generate and install RSA keys and a public SSL certificate on a NetScaler appliance.
Ramesh wants to communicate with Suresh securely using the RSA encryption algorithm.
RSA is one of the most widely used public-key cryptosystems for encrypted data exchange. RSA stands for Rivest, Shamir and Adleman, the designers who came up with the algorithm in 1977. RSA uses the concept of a "trapdoor one-way function": a function that is easy to compute in one direction but difficult to reverse. Its strength relies on the hardness of prime factorization. The time required to factor a number increases exponentially with the size of the number, as more steps are involved. As the number grows, a computer needs minutes, then hours, and eventually hundreds or thousands of years to factor huge numbers. This factorization problem is what the trapdoor is built on.
Advantages of using RSA are as follows:
There is no need to transmit private keys, which improves both security and convenience.
Anyone who wants to compute the private key needs the factorization of "n", the number used to generate the private key. If "n" is large, computing that factorization, and with it the private key, would take hundreds of years even on the most powerful computer.
Disadvantages of using RSA are as follows:
With RSA, computing the private and public keys takes time, and secret-key (symmetric) encryption methods are significantly faster than RSA. The disadvantage of RSA is therefore computation speed: it takes more time than other methods.
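To make the trapdoor concrete, here is textbook RSA at toy size, as an added example that is not part of the article. With the primes p and q in hand, the private exponent d is one modular inverse away; with only the public (n, e), recovering d first requires factoring n. The primes 1009 and 1013 are constructed and deliberately tiny so the factoring step finishes instantly, which is exactly what a 2048-bit modulus prevents. The plain integer exchange below is "raw" RSA without padding, shown only to illustrate the arithmetic; real systems use a padded scheme such as RSA-OAEP.

```python
"""Toy textbook RSA illustrating the trapdoor (added example, not from the article)."""
from math import gcd


def rsa_keygen(p, q, e=65537):
    """Return ((n, e), (n, d)) for primes p, q. The factorization is the trapdoor."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    """Forward direction: cheap for anyone holding the public key."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    """Reverse direction: cheap only with d, i.e. with the trapdoor."""
    n, d = priv
    return pow(c, d, n)


def factor_trial_division(n):
    """Brute-force factoring; feasible here only because n is tiny."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("n is prime")


def recover_private_key(pub):
    """Reversing without the trapdoor means factoring n; this is what key size defends against."""
    n, e = pub
    p, q = factor_trial_division(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


# Constructed toy primes; never use sizes like this outside a demonstration.
P, Q = 1009, 1013
PUBLIC, PRIVATE = rsa_keygen(P, Q)

if __name__ == "__main__":
    m = 42                                   # Ramesh's message to Suresh, as an integer below n
    c = rsa_encrypt(PUBLIC, m)
    print("ciphertext:", c, "decrypted:", rsa_decrypt(PRIVATE, c))
    print("private key recovered by factoring toy n:", recover_private_key(PUBLIC) == PRIVATE)
```

The last line shows why the text insists on large "n": for the toy modulus, trial division recovers the private key immediately, whereas for a real 2048-bit modulus the same loop would not finish in any useful time.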
What would you do if you heard an advertisement on the radio misrepresenting a product your company offered? I’d like to share a true story and how RSA Archer helped this organization’s first line of defense own risk.
Sally was listening to the radio on her drive to work when she heard an advertisement about her company but the information was incorrect and misleading. When she got to work, she didn’t know who to report the information to but knew that if she didn’t report it, it could cause huge impacts to their organization. After approaching several people, she decided to call the IT help desk. While the IT help desk typically “helps” many, they are typically a little further downstream from the risk evaluation process. After some digging, the IT help desk sent the request to the Risk Management team, who then connected Sally with the third party risk team to address the issue with the third party.
When our customer approached RSA, we decided to provide a method via RSA Archer that not only addresses the problem but enables your organization to own risk. But we took it a bit further than just a risk reporting tool. There are often brilliant ideas that could positively impact your organization. There may also be specific issues or incidents that conflict with your organization’s corporate policies and procedures and someone within your organization has the knowledge needed to help avert or mitigate those issues early on.
The RSA Archer Speak Up app-pack provides a mechanism within RSA Archer for the first line of defense to communicate information to your management or risk management team while leveraging workflow to review and approve the information and get it to the right team to take action.
RSA Archer Speak Up allows you to:
With the RSA Archer Speak Up app-pack, your employees are empowered to speak up and own risk. And, your management team is empowered with accountability and a consistent governance process for addressing risks.
Interested in learning more about the RSA Archer Speak Up app-pack? Join us for a Free Friday Tech Huddle on Friday, February 8 for a live demo. Free Friday Tech Huddles are only available to RSA Archer customers. If you are not yet a customer but you are interested in learning more, please contact your local representative or authorized reseller—or visit us at www.rsa.com.
In a recent blog post, the Hyperledger project has announced their latest project, Hyperledger Ursa, has been accepted by the Technical Steering Committee (TSC). Ursa’s primary objective is to simplify and consolidate cryptographic libraries in a trusted, consumable manner for use in distributed ledger technology projects in an interoperable way.
Within Project Ursa, a comprehensive library of modular signatures and symmetric-key primitives will be available so developers can swap in and out different cryptographic schemes through configuration and without having to modify their code. In addition to this base library, Ursa will also include newer cryptography, including pairing-based, threshold, and aggregate signatures. In addition to these signatures, zero-knowledge primitives including SNARKs will also be included.
Blockchain security is highly dependent upon cryptographic operations, but for developers, choosing the correct implementation is a challenge. Hart Montgomery, a cryptographic researcher at Fujitsu and a member of the Hyperledger TSC, explains:
As Hyperledger has matured, the individual projects within Hyperledger have started to find a need for sophisticated cryptographic implementations. Rather than have each project implement its own cryptographic protocols, it is much better to collaborate on a shared library.
The Hyperledger Ursa project has identified the following benefits:
- Avoiding duplication of solving similar security requirements across different blockchain implementations.
- Security audits of cryptographic operations are simpler to analyze when code is consolidated into a single location. This reduces maintenance efforts of these libraries and improves the security footprint for developers who may be less experienced in distributed ledger projects.
- Expert Reviews take place on all cryptographic code to reduce the likelihood of dangerous security bugs.
- Cross-platform interoperability improves when multiple platforms that require cryptographic verification use the same security protocols.
- Modularity of common components lays the framework for future modular distributed ledger technology platforms built from common components. A successful reference implementation of a common component, like security, creates future opportunities.
- New projects are able to accelerate their time to market if an existing security paradigm can be plugged-in without a project needing to build it themselves.
As Hyperledger Ursa is in its infancy, the project has broad future plans, including further investments in modularizing Minicrypt, Montgomery explains:
Our first library is our “base crypto” library. Right now we are focused on our shared modular signature library, but we plan to extend this to allow easy modularization of all commonly used cryptographic primitives in Minicrypt. This—work in progress—has the implementation of several different signature schemes with a common API, allowing for blockchain builders to change signature schemes almost on-the-fly—or to use and support multiple signature schemes easily. Exact implementations and APIs have not been finalized, but they are in progress.
Project Ursa does not include raw crypto implementations within their library, but chooses to use wrappers for code from existing libraries instead. Montgomery characterizes the benefit as:
The novelty here is the modularization and API, which enables blockchain platforms to easily use a wide variety of changeable cryptographic algorithms without having to understand or interact with the underlying mathematics.
Ursa is mostly written in Rust but will have interfaces in all of the different languages that are commonly used throughout Hyperledger including Go, Python and Java. The repository for Ursa is available on GitHub.
Hyperledger, the open source collaborative effort created to advance cross-industry blockchain technologies has announced that Hyperledger Ursa is the latest project to be accepted by the Hyperledger Technical Steering Committee (TSC). Ursa is a modular, flexible cryptography library that is intended for (but not limited to) use by other projects in Hyperledger.
Ursa aims to include things like a comprehensive library of modular signatures and symmetric-key primitives built on top of existing implementations, so blockchain developers can choose and modify their cryptographic schemes with a simple configuration file change. Ursa will also have implementations of newer, fancier cryptography, including things like pairing-based signatures, threshold signatures, and aggregate signatures, and also zero-knowledge primitives like SNARKs.
Available on GitHub, Ursa will be written mostly in Rust, but will have interfaces in all of the different languages commonly used throughout Hyperledger.
As Hyperledger has matured, the individual projects within Hyperledger have started to find a need for sophisticated cryptographic implementations. Rather than have each project implement its own cryptographic protocols, it is much better to collaborate on a shared library. There are many reasons to do this, including the following:
- Avoiding duplication: Crypto implementations are notoriously difficult to get correct (particularly when side channels are taken into account) and often require a lot of work in order to achieve a high level of security. The library allows projects to share crypto implementations, avoiding unnecessary duplication and extra work.
- Security: Having most (or all) of the crypto code in a single location substantially simplifies the security analysis of the crypto portion of Hyperledger. In addition, the lack of duplication means maintenance is easier (and thus, hopefully, security bugs are less numerous). The presence of easy to use, secure crypto implementations might also make it less likely for less experienced people to create less secure implementations.
- Expert Review: In addition, the ability to enforce expert review of all cryptographic code should increase security as well. Having all cryptographic code in a single location makes it easier to concentrate all of the cryptographic expertise in the project and ensures that code will be well reviewed, thus decreasing the likelihood of dangerous security bugs.
- Cross-platform interoperability: If two projects use the same crypto libraries, it simplifies (substantially in some cases) cross-platform interoperability, since cryptographic verification involves the same protocols on both sides.
- Modularity: This could be the first common component/module and a step towards modular DLT platforms, which share common components. A successful crypto library encourages and pushes forward more modular activities.
- New Projects: It is easier for new projects to get off the ground if they have easy access to well-implemented, modular cryptographic abstractions.
Features and Plans
Currently, Ursa has two distinct modules: a library for modular, flexible, and standardized basic cryptographic algorithms, and a library called zmix for more exotic cryptography, including so-called "smart" signatures and zero-knowledge primitives.
The first library is the “base crypto” library. Right now Hyperledger is focused on its shared modular signature library, but plans to extend this to allow easy modularization of all commonly used cryptographic primitives in Minicrypt. This (work in progress) has the implementation of several different signature schemes with a common API, allowing for blockchain builders to change signature schemes almost on-the-fly—or to use and support multiple signature schemes easily. Exact implementations and APIs have not been finalized, but Hyperledger notes that they are in progress.
There aren't raw crypto implementations in this library; what is here is stable and generally standardized, says Hyperledger, consisting of wrappers for code from existing libraries and code generated by commonly used cryptography libraries such as the Apache Milagro Crypto Library (AMCL). The novelty here is the modularization and API, which enables blockchain platforms to easily use a wide variety of changeable cryptographic algorithms without having to understand or interact with the underlying mathematics.
In the future, Hyperledger expects other wrappings and modular code to go in this library. For instance, Hyperledger Indy makes use of aggregate signatures, a feature which the other platforms would also like available to them. There are also a variety of hash algorithms which provide different performance characteristics or support different signature schemes. Selecting vetted implementations and providing a common interface helps the Hyperledger community manage a growing crypto feature set in a responsible manner.
The second initial subproject is zmix, which offers a generic way to create zero-knowledge proofs that prove statements about multiple cryptographic building blocks, including signatures, commitments, and verifiable encryption. The goal of zmix is to provide a single flexible and secure implementation for constructing such zero-knowledge proofs. zmix consists of C-callable code, but there are also convenience wrappers for various programming languages.
Who Is Involved in Ursa?
On the more practical side, Ursa currently includes developers who work on the security aspects of Hyperledger Indy, Sawtooth, and Fabric. In addition, the Ursa project includes several cryptographers with an academic background in theoretical cryptography to ensure that all cryptographic algorithms meet the desired levels of security.
The goal of creating Ursa is to combine the efforts of all the security and cryptography experts in the Hyperledger community and move all of the projects forward.
With today’s launch of RSA Exchange Release R6, we’re very excited to deliver two new integrations in support of our mobility strategy. As we previewed at RSA Archer Summit 2018 in August:
RSA Exchange Release R6 also includes updated content for the Australian Government Information Security Manual (ISM) to include Controls. Content library packages are available on the RSA Exchange Documentation & Downloads subspace.
All RSA Exchange offerings are available on RSA Link, along with implementation guides, demo videos, and installation guides where available. For existing RSA Archer customers, you can learn more about these new and updated offerings in upcoming Free Friday Tech Huddles.
One of the best takeaways I got from attending the RSA® Archer Summit 2018 was the opportunity to listen to customers tell their deployment stories. I have put together a series of tips based on advice from several speakers who have been using the product for many years.
One speaker, a director of risk operations for a large retailer and a long-time user of RSA Archer, talked about the challenges of their initial deployment. Things didn't start out well: their first deployment was less than successful. They were originally running three different instances of RSA Archer. The deployment broke easily and was implemented so poorly that it was hard to make changes, they told conference attendees. Data quality was poor, and none of the instances used a common data repository. As a result, RSA Archer had a bad reputation with the Information Security department. They had to reset and re-evaluate their environment. Now, their RSA Archer deployment is a different story, as you will see below.
Here are my top ten tips to ensure that your RSA Archer deployment won’t die on the vine.
1) First, know your stakeholders. When this large retailer began its project, they spent a lot of time analyzing who was eventually going to use RSA Archer. They researched and found their key influencers, the people who had been passionate (both positively and negatively) about the platform, and what their initial impressions of the product were. Then, they created a scale that ran from defiant to neutral to advocate for the platform. Next, they looked at what it would take to move each influencer in a more positive direction. Part of this stakeholder analysis included the various business unit owners that would eventually benefit from using RSA Archer.
2) Make sure you look for influencers in non-obvious departments, too. The retailer wanted to woo their Chief Legal Officer, even though they knew it would be a hard sell. This was because they face many routine legal situations, such as slip-and-fall accidents, or having to find someone who has been fired so they can receive their last paycheck. Sometimes it would take weeks to track down such an ex-employee. The IT manager for the retailer, though, showed how RSA Archer could speed things up and got the legal department on board.
Matt Hancock went into more detail in another session at the conference. He is the principal advisor for risk at Rio Tinto, an Australian mining company with more than 47,000 global employees. They matched their existing risk register with their organizational structure to ensure that they were going after the right targets.
Matt Hancock of Rio Tinto, presenting at RSA Archer Summit 2018
3) Do a demo. Demos can help bring people together to understand how the product can be used, according to a security engineering manager at a consultant for a large DC-area government agency. Given their size, it is no surprise that data was kept in numerous silos and had no standard schemas whatsoever. RSA Archer can help to get everyone on the same page.
4) Understand your requirements and try to avoid creeping expansion. “Everyone had different requirements when we started with our RSA Archer project,” said the risk manager at the retailer. “As soon as people realized how quickly they could configure RSA Archer, that is when our requirements exploded,” said the government consultant. The trick was managing these expectations.
5) Centralize your RSA Archer governance team. Several IT managers mentioned this suggestion at different conference sessions, but I liked what the manager from Rio Tinto said in his session. Their governance committee is drawn from various organizations and complemented with additional teams to handle the delivery of RSA Archer applications. This team includes an architect, DevOps, reporting and data lead staffers. You might want to map out this structure too before deployment.
6) Build trust, listen to your users’ point of view and keep them frequently informed. This shouldn’t come as a surprise, but is still worth mentioning.
7) Use RSA Archer as a unifying force. “Before we started using RSA Archer, there wasn’t a lot of interaction between our risk assessment and audit teams. It has really brought us together,” said the government consultant. “Consistency is key. Just because your dashboard shows something is red is meaningless if you also show other shades of red. All alarms and exceptions should be treated the same,” said Hancock of Rio Tinto.
8) Understand your processes up front and get this right before you deploy. Part of this effort should be creating a taxonomy and strategy plan that will work corporate-wide. The retailer spent six months refining their processes before they ever touched any RSA Archer code. While that sounds like a lot of time, it eventually saved them a lot of grief down the road and avoided reworking their assumptions and wasted effort. Indeed, one person did nothing but process mapping with various stakeholders, according to their risk manager. Other presenters mentioned similar pre-planning periods. "Integrated risk is all about people, processes and systems, and they all have to work together. We have to get our culture right before we can build good systems," said Hancock.
9) Explain how RSA Archer is going to help your various stakeholders in their daily work life. The retailer presented how RSA Archer would produce certifications and compliance reports with a lot less work than they were doing previously. The other presenters had similar stories about how they sold the benefits of the platform to their users.
10) Finally, simple is usually better. Streamline everything. Consolidate your risk technologies. Aim for more holistic reporting and better transparency.
In another session, Mat Bonderud who is the IT Risk Manager for FedEx, said, “Quantifying risk is a journey, not a destination. There are certain steps along the way. The important thing to remember is that you need actionable data-driven reporting that can stand up to criticism. If you produce a report that says it is raining on your house, you need to know how many raindrops are actually getting through your roof — that is the actionable number.”
Good luck on your journey towards more risk-based decision making.
Eighteen months have already passed since the redesigned RSA Archer Navigator tool was launched on RSA Link. This tool introduced the ability to browse for RSA Archer content throughout RSA Link (e.g. documentation, downloads, advisories, knowledge base articles, training materials, videos and more) using a series of filters to locate exactly what you need.
With the RSA Archer Navigator tool, users can apply filters for Role, Expertise, Focus, Cost, Product, Version and Content Type, which will then display a list of content from across the entire website which can then be filtered even further as necessary to make it very easy to find relevant materials.
After the tool was so well-received by RSA Archer customers, the RSA NetWitness Platform, RSA Identity Governance & Lifecycle and RSA SecurID Access products followed suit and released Navigator tools for their content as well. Users of these four products can easily access the associated Navigator tool by clicking on the link below the search bar on the primary product community pages.
In order to make it even easier for users to locate the content they need, the RSA Link team is proud to announce that the RSA Navigator tools are now fully functional on your mobile devices. This means that even on mobile phones that view the website in portrait (i.e. vertical) mode, the tool will work the same way. (Previously the RSA Navigator tools only worked in landscape mode on mobile phones.)
You can locate the RSA Archer Navigator tool on your mobile device by going to the RSA Archer Suite page, expanding the Product Resources section and then clicking on the RSA Archer Navigator link. Alternatively, you can simply click on the magnifying glass icon and search for “Archer Navigator” and it will appear in the results.
As with the desktop version of the tool, you can then select the filter(s) you wish to apply and click the View Results button to view the content that matches the criteria.
We hope that this new improvement will assist RSA customers and partners with having an even better experience on RSA Link and that they will be able to quickly and easily find what they need regardless of how and from where they’re connecting.
More information about the RSA Archer Navigator tool can be found in the video and blog posts below.