Results 1 - 5 of 5
Cryptanalytic Attacks on Pseudorandom Number Generators
- FAST SOFTWARE ENCRYPTION, FIFTH INTERNATIONAL PROCEEDINGS, 1998
"... In this paper we discuss PRNGs: the mechanisms used by real-world secure systems to generate cryptographic keys, initialization vectors, "random" nonces, and other values assumed to be random. We argue that PRNGs are their own unique type of cryptographic primitive, and should be analyzed as suc ..."
Cited by 34 (2 self)
In this paper we discuss PRNGs: the mechanisms used by real-world secure systems to generate cryptographic keys, initialization vectors, "random" nonces, and other values assumed to be random. We argue that PRNGs are their own unique type of cryptographic primitive, and should be analyzed as such. We propose a model for PRNGs, discuss possible attacks against this model, and demonstrate the applicability of the model (and our attacks) to four real-world PRNGs. We close with a discussion of lessons learned about PRNG design and use, and a few open questions.
High-Speed Algorithms & Architectures For Number-Theoretic Cryptosystems
- 1997
"... Abstract approved: ..."
Preliminary Analysis of the BSAFE 3.x Pseudorandom Number Generators
- 1998
"... An enormous number of commercial applications (over 350 million copies) rely on the BSAFE and JSAFE toolkits from RSA Data Security to generate cryptographically strong pseudorandom numbers for keys, initialization vectors, challenges, etc. This paper describes the algorithms used by these tool ..."
An enormous number of commercial applications (over 350 million copies) rely on the BSAFE and JSAFE toolkits from RSA Data Security to generate cryptographically strong pseudorandom numbers for keys, initialization vectors, challenges, etc. This paper describes the algorithms used by these toolkits, discusses their design, analyzes their resistance to various attacks, and presents results from statistical tests. The algorithms appear to be well suited for cryptographic applications.
Introduction & Background
The amazing feature of cryptography is that it reduces the problem of protecting a large amount of data to the problem of protecting a small amount of keying material. However, generating even a small amount of keying material is hard. The trouble is that gathering good randomness (bits that cannot be predicted or influenced by an attacker) can take several thousand milliseconds, which is unacceptable for most applications. The usual solution is to rely on a goo...
Preliminary Analysis of the BSAFE 3.x Pseudorandom Number Generators
Yarrow-160: Notes On The . . .
- IN SIXTH ANNUAL WORKSHOP ON SELECTED AREAS IN CRYPTOGRAPHY, 1999
"... We describe the design of Yarrow, a family of cryptographic pseudo-random number generators (PRNG). We describe the concept of a PRNG as a separate cryptographic primitive, and the design principles used to develop Yarrow. We then discuss the ways that PRNGs can fail in practice, which motivates ..."
We describe the design of Yarrow, a family of cryptographic pseudo-random number generators (PRNG). We describe the concept of a PRNG as a separate cryptographic primitive, and the design principles used to develop Yarrow. We then discuss the ways that PRNGs can fail in practice, which motivates our discussion of the components of Yarrow and how they make Yarrow secure. Next, we define a specific instance of a PRNG in the Yarrow family that makes use of available technology today. We conclude with a brief listing of open questions and intended improvements in future releases.

