June 17, 1998
COUNTERPANE INTRODUCES STRONGER PRNG SOLUTION
New Yarrow Cryptographic Algorithm Eliminates Weak Link in Many Security Implementations
MINNEAPOLIS, MN, June 17, 1998. Counterpane Systems today introduced a new cryptographic algorithm which replaces a little-known but critical component that has weakened existing information security systems. This new pseudo-random number generator (PRNG), named Yarrow, is the result of several years' extensive research by the Counterpane team into the design and use of PRNGs. Yarrow renders information security systems far less vulnerable to attacks.
The pseudo-random number generator (PRNG) is a critical part of an overall information security solution. PRNGs are cryptographic algorithms used by information security systems to generate numbers that must appear random in cryptographic systems. For example, PRNGs are used to generate cryptographic keys, initialization vectors, unique digital signature parameters, and other values.
Although PRNGs are used everywhere in security system design, almost no one questions their security. In 1995, a group of Berkeley graduate students broke the security offered in the Netscape Navigator browser. The results of this attack were widely publicized, but few people realized that it was an attack on the PRNG that enabled Netscape's system to be compromised.
"The PRNG is now an identified single point of failure for many of today's cryptographic systems," stated Bruce Schneier, Counterpane's President. "An attack on a PRNG can make irrelevant the careful selection of good algorithms and protocols in many of the security systems on which we depend," warned Schneier.
Over the past several years, Schneier and his team at Counterpane have done extensive research on the use of PRNGs and have cryptanalyzed dozens of PRNGs. From this intensive research, the team found that many security systems being used today use poorly designed PRNGs, or use PRNGs in ways that make certain types of attacks easier. They also discovered that there is very little documentation available to help system designers choose and use PRNGs wisely.
The Counterpane team applied the results of their years of research as well as their expertise in cryptography to the design of Yarrow, a new PRNG superior to the past ad hoc PRNGs which have been easily compromised. Yarrow is based on solid cryptographic principles and it is a complete solution--there is no need to do any further work.
Yarrow was extensively beta-tested with clients of Counterpane Systems. According to Ron Martinez, CEO of Transactor Networks, Inc. in San Francisco, California, "Bruce and his team helped us through a complex array of cryptographic issues." Continued Martinez, "We were able to create important solutions that gave us a major lead over the competition."
The first implementation of Yarrow is in a software driver for Windows 3.1, Windows 95, and NT. It will be followed with a version for the Macintosh and eventually a UNIX version as well. Yarrow is poised for easy adoption into next generation encryption schemes. Counterpane is releasing Yarrow copyright-free, at no charge, in the public domain for general business use. In addition, Yarrow, like all PRNGs, is not subject to U.S. export law restrictions.
Counterpane Systems is a Minneapolis, MN-based consulting firm providing expert consulting in cryptography and computer security issues. The firm has consulted for clients on five continents. Counterpane's president, Bruce Schneier, invented the Blowfish encryption algorithm, which remains unbroken after almost four years of public testing. Blowfish has been incorporated into dozens of products, including Symantec's Your Eyes Only and McAfee's PCCrypto. Schneier is also the author of five books on cryptography and computer security, including Applied Cryptography, the definitive work in this field. He has written dozens of magazine articles, presented papers at major international conferences, and lectured widely on cryptography, computer security, and privacy.
- 30 -
All trademarks are the property of their respective owners