RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x and later
Token seed records are always encrypted whenever they are on media that is in the possession of RSA. However, there are times when token seeds are decrypted in memory so as to be encrypted for delivery to a specific customer.
RSA does not retain copies of customer token seed records indefinitely, even encrypted records. Therefore it is incumbent on the customer to follow the decryption requirements and instructions carefully. The risk is that tokens, especially hardware (SID700) tokens, become useless if the decrypted seed records are never imported into an Authentication Manager server.
To encrypt token seed records for a customer, RSA creates a key pair. RSA encrypts with one of the keys, and RSA delivers the other key to the customer. This is the only key that will decrypt the now encrypted token seed records.
There are two main procedures for decrypting the token seed media records so as to import them into Authentication Manager:
- Download Decrypt; and
- Protected Delivery Program for Government (PDP-G)
The two procedures are essentially two ways to deliver the decrypt key to the customer.
- Download Decrypt. The Download Decrypt method, as its name suggests, is where an authorized customer contact securely logs onto https://my.rsa.com and downloads the decrypt key. There are time limits on how long this decrypt key is downloadable, as well as restrictions on who can download it. To use this method successfully, the authorized customer contact must have a Windows PC that can reach https://my.rsa.com through the customer firewall, and this PC must also have a firewall exception that allows .xml content to be downloaded to it. It is fairly common that the first time a new customer attempts to download this decrypt key, RSA accepts the request because the login succeeded and starts the download to the customer PC. From that point on, RSA considers the key downloaded and prevents any further downloads. This is a one-time download.
The problem arises when a customer firewall intercepts the decrypt key and encrypted seeds because they are .xml content. As far as RSA is concerned, the key material was successfully delivered to the customer. If the customer firewall provides no way to deliver this decrypt key and encrypted seed file to the end user, then there is no way to decrypt the token seeds. If this happens within a 150-day window from creation of the encrypted token seed file, RSA can provide another decrypt download. But if the customer does not correct their firewall rules for this PC, the same error will occur. If the 150-day limit is reached before a successful decrypt download, the token seed records are no longer available for download.
- Protected Delivery Program for Government (PDP-G). The PDP-G decrypt delivery does not involve secure downloads. Instead, the decrypt keys are delivered on what looks like a token or key fob with a USB port but no tokencode display. This is a SID830 token; it contains a smart card that holds the decrypt key. An authorized customer receives at least two of these SID830 keys, which contain the same decrypt key. These SID830 keys should be protected at all times once received by the authorized customer.
With the PDP-G decrypt using a SID830 key, the authorized customer must have administrator rights on the Windows PC in order to install the RSA SecurID Token Record Decryption Utility.msi decryption utility. Once installed, the decryption utility needs access to the SID830 connected to a USB port as a CCID device, and it reads the decrypt key from the SID830. The decryption utility does not need to access the USB device as a file system; there is no file system on the SID830 keys.
- Download Decrypt - aka PDP-C2
- Allow an authorized user contact PC access through firewall to https://my.rsa.com.
- Allow an exception to AV scan blocking .xml content download to the PC.
- Download the encrypted token seed records.
- Download and run the RSASecurIDTokenRecordDecryptionUtility.exe against the encrypted token seed records.
- Protect the unencrypted (password protected) token seeds.
- Import the tokens into the Authentication Manager Security Console.
- Verify the token serial numbers from new batch of imported token seed records are available in the Authentication Manager Security Console.
- Protect and/or destroy any token seed media or files according to your company security guidelines.
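The failure mode described above is that a firewall or AV scanner intercepts the .xml download while RSA already counts the key as delivered, and the decrypt itself can only run once. The following pre-flight check, added here as an example and not part of RSA's utility or this article, validates that both downloaded artifacts are well-formed XML rather than an interception page and reports where you stand in the 150-day window before you launch the decryption utility. The element names in the sample inputs and the 14-day warning threshold are assumptions, not RSA's file schema.

```python
import xml.etree.ElementTree as ET
from datetime import date

# From the article: RSA can re-issue a decrypt download only within 150 days of
# creating the encrypted seed file, and the decrypt process itself runs once.
DOWNLOAD_WINDOW_DAYS = 150
WARN_DAYS = 14  # assumption: warn when this close to the end of the window


def classify_download(data: bytes) -> str:
    """Classify a downloaded artifact: 'xml' (well-formed XML), 'html' (looks
    like a firewall/AV interception page), or 'other' (anything else)."""
    head = data[:2048].decode("utf-8", errors="replace").lower()
    if "<!doctype html" in head or "<html" in head:
        return "html"
    try:
        ET.fromstring(data)
    except ET.ParseError:
        return "other"
    return "xml"


def days_left(seed_file_created: str, today: str) -> int:
    """Days remaining in the 150-day window (negative once it has expired).
    Both dates are ISO strings, e.g. '2025-01-01'."""
    elapsed = (date.fromisoformat(today) - date.fromisoformat(seed_file_created)).days
    return DOWNLOAD_WINDOW_DAYS - elapsed


def preflight(decrypt_key: bytes, seed_file: bytes,
              seed_file_created: str, today: str) -> list:
    """Return a list of problems to resolve before running the decrypt utility.
    An empty list means both artifacts parsed as XML and the window is open."""
    problems = []
    for name, blob in (("decrypt key", decrypt_key), ("seed file", seed_file)):
        kind = classify_download(blob)
        if kind == "html":
            problems.append(f"{name}: HTML page, not XML; likely intercepted by firewall/AV")
        elif kind == "other":
            problems.append(f"{name}: not well-formed XML; download altered or truncated")
    remaining = days_left(seed_file_created, today)
    if remaining < 0:
        problems.append(f"seed file is {-remaining} days past the 150-day window")
    elif remaining < WARN_DAYS:
        problems.append(f"only {remaining} days left in the 150-day window")
    return problems


# Constructed sample inputs; element names are illustrative, not RSA's schema.
GOOD_KEY = b'<?xml version="1.0"?><DecryptKey id="EXAMPLE-KEY-ID"/>'
GOOD_SEEDS = b'<?xml version="1.0"?><TokenBatch><Token serial="000000000001"/></TokenBatch>'
BLOCK_PAGE = b'<!DOCTYPE html><html><body>Download blocked by policy</body></html>'

if __name__ == "__main__":
    print(preflight(GOOD_KEY, GOOD_SEEDS, "2025-01-01", "2025-03-01") or "OK to decrypt")
    print(preflight(GOOD_KEY, BLOCK_PAGE, "2025-01-01", "2025-03-01"))
```

If either artifact is reported as HTML, fix the firewall/AV exception for the PC and ask RSA for another download rather than attempting the decrypt.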
- Protected Delivery Program for Government (PDP-G)
- An authorized customer receives a package with two SID830 keys and a CD containing a decrypt installation utility (RSA SecurID Token Record Decryption Utility.msi).
- Activate your SID830 Decryption Keys via an email sent from the authorized customer contact to SecurID830Activation@rsa.com. The response will be both an email and phone call from RSA. Activation means RSA has verified that you are in possession of the only copies of the decrypt key, and RSA can now encrypt your seed with their copy of the encrypt key.
- On a PC where the user has full admin rights, install the RSA SecurID Token Record Decryption Utility.msi and the SID830 driver, if necessary.
- Insert the SID830 into a USB port on the PC then run the decrypt utility.
- Protect the unencrypted (password protected) token seeds.
- Import the tokens into the Authentication Manager Security Console.
- Verify the token serial numbers from new batch of imported token seed records are available in the Authentication Manager Security Console.
- Protect and/or destroy any token seed media or files according to your company security guidelines.
IMPORTANT NOTE: The process to complete the token decrypt steps can only be done once. If you get an error during the decryption process, please contact RSA Customer Support so our Customer Asset Management team can create a new set of token media for decryption. Be aware that this process can take up to 48 hours.
The default PIN for SID-830 is PIN_CODE - this is literal, "PIN_CODE" typed into the
See
What is the default PIN for the RSA SecurID 830 hardware token?
https://community.rsa.com/s/article/What-is-the-default-PIN-for-the-RSA-SecurID-830-hardware-token
If you forget your PIN, you cannot reset it. You have eight attempts to guess the PIN before the SID-830 locks (it becomes a brick or paperweight, useless). If this happens you should revoke the SID-830 key.
See
How do you unlock the SID830 PIN?
https://community.rsa.com/s/article/a57720-How-do-you-unlock-the-SID830-PIN
Also see RSA SecurID® Protected Delivery Program Best Practices Guide, section 'Revoke an RSA SecurID 830 Decryption Key', p.11
Related KB: Information on the RSA SecurID protected delivery program and how it will impact the token record media decryption process for customers
https://community.rsa.com/s/article/Information-on-the-RSA-SecurID-protected-delivery-program-and-how-it-will-impact-the-token-record-media-decryption-process-for-customers
This article has a dead URL link to the video that demonstrated the PDP-G process.
There was a third decrypt method, a variation on the download decrypt method, which involved delivery of a scratch-off decryption key, similar to a scratch-off lottery ticket. Instead of downloading through https://my.rsa.com, the decrypt key was mailed with a tamper-evident scratch-off cover over the decrypt key. This might have been necessary if the customer was unable to get the firewall AV scan exception for their Windows PC. The program name is the PDP-C1 fulfillment type. The PDP-C1 process reached end of life in late 2024 due to security concerns.
RSASecurIDTokenRecordDecryptionUtility.exe is the name of the download decrypt utility; note that there are no spaces in the file name and the extension is .exe.
RSA SecurID Token Record Decryption Utility.msi is the name of the SID830 key decrypt from the PDP-G for Government, as called out in the RSA SecurID Token Record Decryption Guide (SecurID_Token_Record_Decryption_Utility_Guide.pdf) that comes with a token order. Look under the section labeled "Install the RSA SecurID Token Record Decryption Utility." This file is on the CD that came with the SID830 keys.
Note that there are spaces in that name and the extension is .msi, not .exe.
If you try to use RSASecurIDTokenRecordDecryptionUtility.exe to decrypt PDP-G delivered token seeds with the SID830 keys, you will get an error that says this is the wrong version of the utility. Launch the RSA SecurID Token Record Decryption Utility.msi to proceed.