Random Acts of Cryptography

For encryption developers, a secure system is only as good as its pseudorandom number generator (PRNG). PRNGs produce unique keys that can lock and unlock encrypted data. But Bruce Schneier, president of Counterpane Systems, says that PRNGs lack security and portability.

PRNGs generate numbers based on a variety of factors, such as a user's mouse movements, and store this data in an entropy pool, which is later tapped by security software to create an encryption key. PRNGs fail, insists Schneier, because hackers can intercept the entropy source and thus predict the output. His response is Yarrow, a new PRNG with an expanded source that creates a larger, less predictable pool. "We've added new randomness," says Schneier of Yarrow's unique entropy pool, "like radio noise, arrival times of network packets, and disk-drive latency. Even if the source is turned off," he says, "it still works."

Yarrow was released as Web freeware in June, a gesture, Schneier says, to help hasten the evolution of better PRNGs. But most attractive to encryption vendors is Yarrow's portability to Windows, Macintosh, or Unix. You can find Yarrow on the Web at www.counterpane.com/.
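The entropy pool described above can be sketched as follows. This is an added example, not code from the article, Counterpane, or Yarrow itself. The class, the 128-bit reseed threshold, the SHA-256/HMAC construction, and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

class EntropyPool:
    """Toy multi-source entropy accumulator (illustrative; not Yarrow's real design)."""
    RESEED_BITS = 128  # assumed threshold before any output is released

    def __init__(self):
        self._pool = hashlib.sha256()
        self._bits = {}      # per-source entropy estimate since last reseed
        self._key = None     # generator key; None until the first reseed
        self._counter = 0

    def add(self, source, sample, est_bits):
        # Length-prefix both fields so distinct (source, sample) pairs never collide.
        name = source.encode()
        self._pool.update(len(name).to_bytes(2, "big") + name)
        self._pool.update(len(sample).to_bytes(4, "big") + sample)
        self._bits[source] = self._bits.get(source, 0) + est_bits
        if sum(self._bits.values()) >= self.RESEED_BITS:
            self._reseed()

    def _reseed(self):
        digest = self._pool.digest()
        # The new key depends on the old key and on everything pooled so far.
        self._key = hashlib.sha256((self._key or b"") + digest).digest()
        self._pool = hashlib.sha256(digest)
        self._bits.clear()

    def random_bytes(self, n):
        if self._key is None:
            raise RuntimeError("pool not seeded: too little entropy collected")
        out = b""
        while len(out) < n:
            self._counter += 1
            out += hmac.new(self._key, self._counter.to_bytes(16, "big"),
                            hashlib.sha256).digest()
        return out[:n]

def fill(samples):
    # Feed constructed (source, sample, est_bits) tuples into a fresh pool.
    pool = EntropyPool()
    for source, sample, bits in samples:
        pool.add(source, sample, bits)
    return pool

# Constructed sample data (not real measurements); each list is worth 64 estimated bits.
MOUSE = [("mouse", bytes([x, x ^ 0x5A]), 8) for x in range(8)]
TIMING = [("packet", (1000 + 37 * i).to_bytes(4, "big"), 8) for i in range(8)]
DISK = [("disk", (4200 + 13 * i).to_bytes(4, "big"), 8) for i in range(8)]
```

A pool fed only `MOUSE` refuses to produce output, while `TIMING + DISK` seeds it with the mouse source absent. Identical inputs always give identical output, which is why an observer who sees every source can predict the keys and why adding independent sources matters.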
