Yarrow algorithm - Revision history

A bit iffy: + short description

2024-10-13T07:18:45Z

+ short description

← Previous revision		Revision as of 07:18, 13 October 2024
Line 1:		Line 1:
			{{short description\|Random number generator}}
	{{More citations needed\|date=November 2015}}		{{More citations needed\|date=November 2015}}
	The '''Yarrow algorithm''' is a family of [[cryptographic pseudorandom number generator]]s (CSPRNG) devised by [[John Kelsey (cryptanalyst)\|John Kelsey]], [[Bruce Schneier]], and [[Niels Ferguson]] and published in 1999. The Yarrow algorithm is explicitly unpatented, royalty-free, and open source; no license is required to use it. An improved design from Ferguson and Schneier, [[Fortuna (PRNG)\|Fortuna]], is described in their book, ''Practical Cryptography''		The '''Yarrow algorithm''' is a family of [[cryptographic pseudorandom number generator]]s (CSPRNG) devised by [[John Kelsey (cryptanalyst)\|John Kelsey]], [[Bruce Schneier]], and [[Niels Ferguson]] and published in 1999. The Yarrow algorithm is explicitly unpatented, royalty-free, and open source; no license is required to use it. An improved design from Ferguson and Schneier, [[Fortuna (PRNG)\|Fortuna]], is described in their book, ''Practical Cryptography''

Artoria2e5: cite 1999 report directly

2024-03-20T08:00:54Z

cite 1999 report directly

← Previous revision		Revision as of 08:00, 20 March 2024
Line 20:		Line 20:

	==Principles==		==Principles==
	Yarrow's main design principles are: resistance to attacks, easy use by programmers with no cryptography background, and reusability of existing building blocks. The former widely used designs such as [[ANSI X9.17]] and [[RSAREF 2.0 PRNG]] have loopholes that provide attack opportunities under some circumstances. Some of them are not designed with real-world attacks in mind. Yarrow also aims to provide easy integration, to enable system designers with little knowledge of PRNG functionality.		Yarrow's main design principles are: resistance to attacks, easy use by programmers with no cryptography background, and reusability of existing building blocks. The former widely used designs such as [[ANSI X9.17]] and [[RSAREF 2.0 PRNG]] have loopholes that provide attack opportunities under some circumstances. Some of them are not designed with real-world attacks in mind. Yarrow also aims to provide easy integration, to enable system designers with little knowledge of PRNG functionality.<ref name="report1999">{{cite journal \|last1=Kelsey \|first1=John \|last2=Schneier \|first2=Bruce \|last3=Ferguson \|first3=Niels \|title=Yarrow-160: Notes on the Design and Analysis of the Yarrow Cryptographic Pseudorandom Number Generator \|journal=Sixth Annual Workshop on Selected Areas in Cryptography \|date=August 1999 \|volume=1758 \|pages=13–33 \|doi=10.1007/3-540-46513-8_2 \|url=https://www.schneier.com/wp-content/uploads/2016/02/paper-yarrow.pdf}}</ref>

	==Design==		==Design==
Line 81:		Line 81:
	*Yarrow tries to avoid data-dependent execution paths. This is done to prevent [[side-channel attacks]] such as [[timing attacks]] and [[power analysis]]. This is an improvement compared to earlier PRNGs, for example RSAREF 2.0 PRNG, that will completely fall apart once additional information about the internal operations are no longer secured.		*Yarrow tries to avoid data-dependent execution paths. This is done to prevent [[side-channel attacks]] such as [[timing attacks]] and [[power analysis]]. This is an improvement compared to earlier PRNGs, for example RSAREF 2.0 PRNG, that will completely fall apart once additional information about the internal operations are no longer secured.
	*Yarrow uses cryptographic hash functions to process input samples, and then uses a secure update function to combine the samples with the existing key. This makes sure that the attacker cannot easily manipulate the input samples. PRNGs such as RSAREF 2.0 PRNG do not have the ability to resist this kind of chosen-input attack.		*Yarrow uses cryptographic hash functions to process input samples, and then uses a secure update function to combine the samples with the existing key. This makes sure that the attacker cannot easily manipulate the input samples. PRNGs such as RSAREF 2.0 PRNG do not have the ability to resist this kind of chosen-input attack.
	*Unlike ANSI X9.17 PRNG, Yarrow has the ability to recover from a key compromise. This means that even when the key is compromised, the attacker will not be able to predict future outputs forever. This is due to the reseeding mechanism of Yarrow.		*Unlike ANSI X9.17 PRNG, Yarrow has the ability to recover from a key compromise. This means that even when the key is compromised, the attacker will not be able to predict future outputs forever. This is due to the reseeding mechanism of Yarrow.<ref name="report1999"/>{{rp\|5}}
	*Yarrow has the entropy samples pool separated from the key, and only reseeds the key when the entropy pool content is completely unpredictable. {{anchor\|Iterative guessing attack}}This design prevents iterative guessing attacks, where an attacker with the key guesses the next sample and checks the result by observing the next output.		*Yarrow has the entropy samples pool separated from the key, and only reseeds the key when the entropy pool content is completely unpredictable. {{anchor\|Iterative guessing attack}}This design prevents iterative guessing attacks, where an attacker with the key guesses the next sample and checks the result by observing the next output.

	===Cons===		===Cons===
	*Yarrow depends on SHA-1, a hash that has been broken since Yarrow's publication and is no longer secure.<ref>{{Cite web \|last1=Stevens \|first1=Marc \|last2=Bursztein \|first2=Elie \|last3=Karpman \|first3=Pierre \|last4=Albertini \|first4=Ange \|last5=Markov \|first5=Yarik \|date=2017-02-23 \|title=SHAttered \|url=https://shattered.io/ \|access-date=2017-04-27 \|website=SHAttered}}</ref>		*Yarrow depends on SHA-1, a hash that has been broken (in terms of collision resistance) since Yarrow's publication and is no longer considered secure.<ref>{{Cite web \|last1=Stevens \|first1=Marc \|last2=Bursztein \|first2=Elie \|last3=Karpman \|first3=Pierre \|last4=Albertini \|first4=Ange \|last5=Markov \|first5=Yarik \|date=2017-02-23 \|title=SHAttered \|url=https://shattered.io/ \|access-date=2017-04-27 \|website=SHAttered}}</ref> However, there is no published attack that uses SHA-1 collisions to undermine Yarrow's randomness.
	*Since the outputs of Yarrow are cryptographically derived, the systems that use those outputs can only be as secure as the generation mechanism itself. That means the attacker who can break the generation mechanism will easily break a system that depends on Yarrow's outputs. This problem cannot be solved by increasing entropy accumulation.		*Since the outputs of Yarrow are cryptographically derived, the systems that use those outputs can only be as secure as the generation mechanism itself. That means the attacker who can break the generation mechanism will easily break a system that depends on Yarrow's outputs. This problem cannot be solved by increasing entropy accumulation.
	*Yarrow requires entropy estimation, which is a very big challenge for implementations.<ref>{{cite web\|url=https://www.silabs.com/Support%20Documents/TechnicalDocs/AN0806.pdf \|title=Fortuna Cryptographically Secure PRNG : AN0806 - Application Note \|website=Silabs.com \|access-date=2016-10-21}}</ref> It is hard to be sure how much entropy to collect before using it to reseed the PRNG.<ref>{{cite web\|url=http://www.codeproject.com/Articles/6321/Fortuna-A-Cryptographically-Secure-Pseudo-Random-N\|title=Fortuna – A Cryptographically Secure Pseudo Random Number Generator – CodeProject\|last=citadel\|date=4 March 2004 \|access-date=18 October 2016}}</ref> This problem is solved by [[Fortuna (PRNG)\|Fortuna]], an improvement of Yarrow. Fortuna has 32 pools to collect entropy and removed the entropy estimator completely.		*Yarrow requires entropy estimation, which is a very big challenge for implementations.<ref>{{cite web\|url=https://www.silabs.com/Support%20Documents/TechnicalDocs/AN0806.pdf \|title=Fortuna Cryptographically Secure PRNG : AN0806 - Application Note \|website=Silabs.com \|access-date=2016-10-21}}</ref> It is hard to be sure how much entropy to collect before using it to reseed the PRNG.<ref>{{cite web\|url=http://www.codeproject.com/Articles/6321/Fortuna-A-Cryptographically-Secure-Pseudo-Random-N\|title=Fortuna – A Cryptographically Secure Pseudo Random Number Generator – CodeProject\|last=citadel\|date=4 March 2004 \|access-date=18 October 2016}}</ref> This problem is solved by [[Fortuna (PRNG)\|Fortuna]], an improvement of Yarrow. Fortuna has 32 pools to collect entropy and removed the entropy estimator completely.
Line 95:		Line 95:
	==External links==		==External links==
	* [http://www.schneier.com/yarrow.html Yarrow algorithm page]		* [http://www.schneier.com/yarrow.html Yarrow algorithm page]
	* [http://www.schneier.com/paper-yarrow.html ''Yarrow-160: Notes on the Design and Analysis of the Yarrow Cryptographic Pseudorandom Number Generator'', J. Kelsey, B. Schneier, and N. Ferguson]
	* [https://freenet.googlecode.com/svn/trunk/freenet/src/freenet/crypt/Yarrow.java "Yarrow implementation in Java"]		* [https://freenet.googlecode.com/svn/trunk/freenet/src/freenet/crypt/Yarrow.java "Yarrow implementation in Java"]
	* [https://www.freebsd.org/cgi/man.cgi?query=random&sektion=4 "Yarrow implementation in FreeBSD"]		* [https://www.freebsd.org/cgi/man.cgi?query=random&sektion=4 "Yarrow implementation in FreeBSD"]

115.72.187.240: FIxed typo

2023-12-30T06:17:59Z

FIxed typo

← Previous revision		Revision as of 06:17, 30 December 2023
Line 1:		Line 1:
	{{More citations needed\|date=November 2015}}		{{More citations needed\|date=November 2015}}
	The '''Yarrow algorithm''' is a family of [[cryptographic pseudorandom number generator]]s (~~CPRNG~~) devised by [[John Kelsey (cryptanalyst)\|John Kelsey]], [[Bruce Schneier]], and [[Niels Ferguson]] and published in 1999. The Yarrow algorithm is explicitly unpatented, royalty-free, and open source; no license is required to use it. An improved design from Ferguson and Schneier, [[Fortuna (PRNG)\|Fortuna]], is described in their book, ''Practical Cryptography''		The '''Yarrow algorithm''' is a family of [[cryptographic pseudorandom number generator]]s (CSPRNG) devised by [[John Kelsey (cryptanalyst)\|John Kelsey]], [[Bruce Schneier]], and [[Niels Ferguson]] and published in 1999. The Yarrow algorithm is explicitly unpatented, royalty-free, and open source; no license is required to use it. An improved design from Ferguson and Schneier, [[Fortuna (PRNG)\|Fortuna]], is described in their book, ''Practical Cryptography''

	Yarrow was used in [[FreeBSD]], but is now superseded by Fortuna.<ref name=bsd>{{cite web\|url=https://svnweb.freebsd.org/base?view=revision&revision=284959\|title=[base] Revision 284959\|website=Svnweb.freebsd.org\|access-date=18 October 2016}}</ref> Yarrow was also incorporated in iOS<ref>{{cite web\|url=https://www.apple.com/br/ipad/business/docs/iOS_Security_Oct12.pdf \|title=iOS Security \|date=October 2012 \|website=Apple.com \|access-date=2016-10-21}}</ref> and [[macOS]] for their [[/dev/random]] devices, but Apple has switched to Fortuna since 2020 Q1.<ref>{{Cite web\|title=Random number generation\|url=https://support.apple.com/en-hk/guide/security/seca0c73a75b/web\|access-date=2020-10-26\|website=Apple Support\|language=en}}</ref>		Yarrow was used in [[FreeBSD]], but is now superseded by Fortuna.<ref name=bsd>{{cite web\|url=https://svnweb.freebsd.org/base?view=revision&revision=284959\|title=[base] Revision 284959\|website=Svnweb.freebsd.org\|access-date=18 October 2016}}</ref> Yarrow was also incorporated in iOS<ref>{{cite web\|url=https://www.apple.com/br/ipad/business/docs/iOS_Security_Oct12.pdf \|title=iOS Security \|date=October 2012 \|website=Apple.com \|access-date=2016-10-21}}</ref> and [[macOS]] for their [[/dev/random]] devices, but Apple has switched to Fortuna since 2020 Q1.<ref>{{Cite web\|title=Random number generation\|url=https://support.apple.com/en-hk/guide/security/seca0c73a75b/web\|access-date=2020-10-26\|website=Apple Support\|language=en}}</ref>

HeyElliott: MOS:CIRCA

2023-10-29T00:42:21Z

MOS:CIRCA

← Previous revision		Revision as of 00:42, 29 October 2023
Line 5:		Line 5:

	==Name==		==Name==
	The name ''Yarrow'' alludes to the use of the [[Achillea millefolium\|yarrow plant]] in the random generating process of [[I Ching divination]]. Since the [[Xia dynasty]] (c. 2070 to c. 1600 BCE), Chinese have used yarrow stalks for divination. Fortunetellers divide a set of 50 yarrow stalks into piles and use [[modular arithmetic]] recursively to generate two bits of random information<ref>		The name ''Yarrow'' alludes to the use of the [[Achillea millefolium\|yarrow plant]] in the random generating process of [[I Ching divination]]. Since the [[Xia dynasty]] ({{circa\|2070}} to {{circa\|1600 BCE}}), Chinese have used yarrow stalks for divination. Fortunetellers divide a set of 50 yarrow stalks into piles and use [[modular arithmetic]] recursively to generate two bits of random information<ref>
	{{cite web		{{cite web
	\| url = https://www.schneier.com/cryptography/yarrow/qa.html		\| url = https://www.schneier.com/cryptography/yarrow/qa.html

Charmquark: /* Pros and cons of Yarrow */ avoid parentheses in wikilinks; add pipe

2023-05-16T23:22:40Z

Pros and cons of Yarrow: avoid parentheses in wikilinks; add pipe

← Previous revision		Revision as of 23:22, 16 May 2023
Line 87:		Line 87:
	*Yarrow depends on SHA-1, a hash that has been broken since Yarrow's publication and is no longer secure.<ref>{{Cite web \|last1=Stevens \|first1=Marc \|last2=Bursztein \|first2=Elie \|last3=Karpman \|first3=Pierre \|last4=Albertini \|first4=Ange \|last5=Markov \|first5=Yarik \|date=2017-02-23 \|title=SHAttered \|url=https://shattered.io/ \|access-date=2017-04-27 \|website=SHAttered}}</ref>		*Yarrow depends on SHA-1, a hash that has been broken since Yarrow's publication and is no longer secure.<ref>{{Cite web \|last1=Stevens \|first1=Marc \|last2=Bursztein \|first2=Elie \|last3=Karpman \|first3=Pierre \|last4=Albertini \|first4=Ange \|last5=Markov \|first5=Yarik \|date=2017-02-23 \|title=SHAttered \|url=https://shattered.io/ \|access-date=2017-04-27 \|website=SHAttered}}</ref>
	*Since the outputs of Yarrow are cryptographically derived, the systems that use those outputs can only be as secure as the generation mechanism itself. That means the attacker who can break the generation mechanism will easily break a system that depends on Yarrow's outputs. This problem cannot be solved by increasing entropy accumulation.		*Since the outputs of Yarrow are cryptographically derived, the systems that use those outputs can only be as secure as the generation mechanism itself. That means the attacker who can break the generation mechanism will easily break a system that depends on Yarrow's outputs. This problem cannot be solved by increasing entropy accumulation.
	*Yarrow requires entropy estimation, which is a very big challenge for implementations.<ref>{{cite web\|url=https://www.silabs.com/Support%20Documents/TechnicalDocs/AN0806.pdf \|title=Fortuna Cryptographically Secure PRNG : AN0806 - Application Note \|website=Silabs.com \|access-date=2016-10-21}}</ref> It is hard to be sure how much entropy to collect before using it to reseed the PRNG.<ref>{{cite web\|url=http://www.codeproject.com/Articles/6321/Fortuna-A-Cryptographically-Secure-Pseudo-Random-N\|title=Fortuna – A Cryptographically Secure Pseudo Random Number Generator – CodeProject\|last=citadel\|date=4 March 2004 \|access-date=18 October 2016}}</ref> This problem is solved by [[Fortuna (PRNG)]], an improvement of Yarrow. Fortuna has 32 pools to collect entropy and removed the entropy estimator completely.		*Yarrow requires entropy estimation, which is a very big challenge for implementations.<ref>{{cite web\|url=https://www.silabs.com/Support%20Documents/TechnicalDocs/AN0806.pdf \|title=Fortuna Cryptographically Secure PRNG : AN0806 - Application Note \|website=Silabs.com \|access-date=2016-10-21}}</ref> It is hard to be sure how much entropy to collect before using it to reseed the PRNG.<ref>{{cite web\|url=http://www.codeproject.com/Articles/6321/Fortuna-A-Cryptographically-Secure-Pseudo-Random-N\|title=Fortuna – A Cryptographically Secure Pseudo Random Number Generator – CodeProject\|last=citadel\|date=4 March 2004 \|access-date=18 October 2016}}</ref> This problem is solved by [[Fortuna (PRNG)\|Fortuna]], an improvement of Yarrow. Fortuna has 32 pools to collect entropy and removed the entropy estimator completely.
	*Yarrow's strength is limited by the size of the key. For example, Yarrow-160 has an effective key size of 160 bits. If the security requires 256 bits, Yarrow-160 is not capable of doing the job.		*Yarrow's strength is limited by the size of the key. For example, Yarrow-160 has an effective key size of 160 bits. If the security requires 256 bits, Yarrow-160 is not capable of doing the job.

Closed Limelike Curves: /* Cons */ This seems important enough that it should be moved up the list.

2023-01-19T01:41:47Z

Cons: This seems important enough that it should be moved up the list.

← Previous revision		Revision as of 01:41, 19 January 2023
Line 85:		Line 85:

	===Cons===		===Cons===
			*Yarrow depends on SHA-1, a hash that has been broken since Yarrow's publication and is no longer secure.<ref>{{Cite web \|last1=Stevens \|first1=Marc \|last2=Bursztein \|first2=Elie \|last3=Karpman \|first3=Pierre \|last4=Albertini \|first4=Ange \|last5=Markov \|first5=Yarik \|date=2017-02-23 \|title=SHAttered \|url=https://shattered.io/ \|access-date=2017-04-27 \|website=SHAttered}}</ref>
	*Since the outputs of Yarrow are cryptographically derived, the systems that use those outputs can only be as secure as the generation mechanism itself. That means the attacker who can break the generation mechanism will easily break a system that depends on Yarrow's outputs. This problem cannot be solved by increasing entropy accumulation.		*Since the outputs of Yarrow are cryptographically derived, the systems that use those outputs can only be as secure as the generation mechanism itself. That means the attacker who can break the generation mechanism will easily break a system that depends on Yarrow's outputs. This problem cannot be solved by increasing entropy accumulation.
	*Yarrow requires entropy estimation, which is a very big challenge for implementations.<ref>{{cite web\|url=https://www.silabs.com/Support%20Documents/TechnicalDocs/AN0806.pdf \|title=Fortuna Cryptographically Secure PRNG : AN0806 - Application Note \|website=Silabs.com \|access-date=2016-10-21}}</ref> It is hard to be sure how much entropy to collect before using it to reseed the PRNG.<ref>{{cite web\|url=http://www.codeproject.com/Articles/6321/Fortuna-A-Cryptographically-Secure-Pseudo-Random-N\|title=Fortuna – A Cryptographically Secure Pseudo Random Number Generator – CodeProject\|last=citadel\|date=4 March 2004 \|access-date=18 October 2016}}</ref> This problem is solved by [[Fortuna (PRNG)]], an improvement of Yarrow. Fortuna has 32 pools to collect entropy and removed the entropy estimator completely.		*Yarrow requires entropy estimation, which is a very big challenge for implementations.<ref>{{cite web\|url=https://www.silabs.com/Support%20Documents/TechnicalDocs/AN0806.pdf \|title=Fortuna Cryptographically Secure PRNG : AN0806 - Application Note \|website=Silabs.com \|access-date=2016-10-21}}</ref> It is hard to be sure how much entropy to collect before using it to reseed the PRNG.<ref>{{cite web\|url=http://www.codeproject.com/Articles/6321/Fortuna-A-Cryptographically-Secure-Pseudo-Random-N\|title=Fortuna – A Cryptographically Secure Pseudo Random Number Generator – CodeProject\|last=citadel\|date=4 March 2004 \|access-date=18 October 2016}}</ref> This problem is solved by [[Fortuna (PRNG)]], an improvement of Yarrow. Fortuna has 32 pools to collect entropy and removed the entropy estimator completely.
	*Yarrow's strength is limited by the size of the key. For example, Yarrow-160 has an effective key size of 160 bits. If the security requires 256 bits, Yarrow-160 is not capable of doing the job.		*Yarrow's strength is limited by the size of the key. For example, Yarrow-160 has an effective key size of 160 bits. If the security requires 256 bits, Yarrow-160 is not capable of doing the job.
	*Yarrow-160 uses SHA-1, which has widely been considered deprecated due to its first public collision.<ref>{{Cite web\|url=https://shattered.io/\|title=SHAttered\|last2=Bursztein\|first2=Elie\|date=2017-02-23\|website=SHAttered\|access-date=2017-04-27\|last3=Karpman\|first3=Pierre\|last4=Albertini\|first4=Ange\|last5=Markov\|first5=Yarik\|last1=Stevens\|first1=Marc}}</ref>

	==References==		==References==

Citation bot: Add: date. Removed parameters. | Use this bot. Report bugs. | Suggested by Smasongarrison | Linked from User:Smasongarrison/sandbox | #UCB_webform_linked 536/3850

2022-07-28T00:50:29Z

Add: date. Removed parameters. | Use this bot. Report bugs. | Suggested by Smasongarrison | Linked from User:Smasongarrison/sandbox | #UCB_webform_linked 536/3850

← Previous revision		Revision as of 00:50, 28 July 2022
Line 2:		Line 2:
	The '''Yarrow algorithm''' is a family of [[cryptographic pseudorandom number generator]]s (CPRNG) devised by [[John Kelsey (cryptanalyst)\|John Kelsey]], [[Bruce Schneier]], and [[Niels Ferguson]] and published in 1999. The Yarrow algorithm is explicitly unpatented, royalty-free, and open source; no license is required to use it. An improved design from Ferguson and Schneier, [[Fortuna (PRNG)\|Fortuna]], is described in their book, ''Practical Cryptography''		The '''Yarrow algorithm''' is a family of [[cryptographic pseudorandom number generator]]s (CPRNG) devised by [[John Kelsey (cryptanalyst)\|John Kelsey]], [[Bruce Schneier]], and [[Niels Ferguson]] and published in 1999. The Yarrow algorithm is explicitly unpatented, royalty-free, and open source; no license is required to use it. An improved design from Ferguson and Schneier, [[Fortuna (PRNG)\|Fortuna]], is described in their book, ''Practical Cryptography''

	Yarrow was used in [[FreeBSD]], but is now superseded by Fortuna.<ref name=bsd>{{cite web\|url=https://svnweb.freebsd.org/base?view=revision&revision=284959\|title=[base] Revision 284959\|website=Svnweb.freebsd.org\|access-date=18 October 2016}}</ref> Yarrow was also incorporated in iOS<ref>{{cite web\|url=https://www.apple.com/br/ipad/business/docs/iOS_Security_Oct12.pdf ~~\|format=PDF~~ \|title=iOS Security \|date=October 2012 \|website=Apple.com \|access-date=2016-10-21}}</ref> and [[macOS]] for their [[/dev/random]] devices, but Apple has switched to Fortuna since 2020 Q1.<ref>{{Cite web\|title=Random number generation\|url=https://support.apple.com/en-hk/guide/security/seca0c73a75b/web\|access-date=2020-10-26\|website=Apple Support\|language=en}}</ref>		Yarrow was used in [[FreeBSD]], but is now superseded by Fortuna.<ref name=bsd>{{cite web\|url=https://svnweb.freebsd.org/base?view=revision&revision=284959\|title=[base] Revision 284959\|website=Svnweb.freebsd.org\|access-date=18 October 2016}}</ref> Yarrow was also incorporated in iOS<ref>{{cite web\|url=https://www.apple.com/br/ipad/business/docs/iOS_Security_Oct12.pdf \|title=iOS Security \|date=October 2012 \|website=Apple.com \|access-date=2016-10-21}}</ref> and [[macOS]] for their [[/dev/random]] devices, but Apple has switched to Fortuna since 2020 Q1.<ref>{{Cite web\|title=Random number generation\|url=https://support.apple.com/en-hk/guide/security/seca0c73a75b/web\|access-date=2020-10-26\|website=Apple Support\|language=en}}</ref>

	==Name==		==Name==
Line 86:		Line 86:
	===Cons===		===Cons===
	*Since the outputs of Yarrow are cryptographically derived, the systems that use those outputs can only be as secure as the generation mechanism itself. That means the attacker who can break the generation mechanism will easily break a system that depends on Yarrow's outputs. This problem cannot be solved by increasing entropy accumulation.		*Since the outputs of Yarrow are cryptographically derived, the systems that use those outputs can only be as secure as the generation mechanism itself. That means the attacker who can break the generation mechanism will easily break a system that depends on Yarrow's outputs. This problem cannot be solved by increasing entropy accumulation.
	*Yarrow requires entropy estimation, which is a very big challenge for implementations.<ref>{{cite web\|url=https://www.silabs.com/Support%20Documents/TechnicalDocs/AN0806.pdf ~~\|format=PDF~~ \|title=Fortuna Cryptographically Secure PRNG : AN0806 - Application Note \|website=Silabs.com \|access-date=2016-10-21}}</ref> It is hard to be sure how much entropy to collect before using it to reseed the PRNG.<ref>{{cite web\|url=http://www.codeproject.com/Articles/6321/Fortuna-A-Cryptographically-Secure-Pseudo-Random-N\|title=Fortuna – A Cryptographically Secure Pseudo Random Number Generator – CodeProject\|last=citadel\|access-date=18 October 2016}}</ref> This problem is solved by [[Fortuna (PRNG)]], an improvement of Yarrow. Fortuna has 32 pools to collect entropy and removed the entropy estimator completely.		*Yarrow requires entropy estimation, which is a very big challenge for implementations.<ref>{{cite web\|url=https://www.silabs.com/Support%20Documents/TechnicalDocs/AN0806.pdf \|title=Fortuna Cryptographically Secure PRNG : AN0806 - Application Note \|website=Silabs.com \|access-date=2016-10-21}}</ref> It is hard to be sure how much entropy to collect before using it to reseed the PRNG.<ref>{{cite web\|url=http://www.codeproject.com/Articles/6321/Fortuna-A-Cryptographically-Secure-Pseudo-Random-N\|title=Fortuna – A Cryptographically Secure Pseudo Random Number Generator – CodeProject\|last=citadel\|date=4 March 2004 \|access-date=18 October 2016}}</ref> This problem is solved by [[Fortuna (PRNG)]], an improvement of Yarrow. Fortuna has 32 pools to collect entropy and removed the entropy estimator completely.
	*Yarrow's strength is limited by the size of the key. For example, Yarrow-160 has an effective key size of 160 bits. If the security requires 256 bits, Yarrow-160 is not capable of doing the job.		*Yarrow's strength is limited by the size of the key. For example, Yarrow-160 has an effective key size of 160 bits. If the security requires 256 bits, Yarrow-160 is not capable of doing the job.
	*Yarrow-160 uses SHA-1, which has widely been considered deprecated due to its first public collision.<ref>{{Cite web\|url=https://shattered.io/\|title=SHAttered\|last2=Bursztein\|first2=Elie\|date=2017-02-23\|website=SHAttered\|access-date=2017-04-27\|last3=Karpman\|first3=Pierre\|last4=Albertini\|first4=Ange\|last5=Markov\|first5=Yarik\|last1=Stevens\|first1=Marc}}</ref>		*Yarrow-160 uses SHA-1, which has widely been considered deprecated due to its first public collision.<ref>{{Cite web\|url=https://shattered.io/\|title=SHAttered\|last2=Bursztein\|first2=Elie\|date=2017-02-23\|website=SHAttered\|access-date=2017-04-27\|last3=Karpman\|first3=Pierre\|last4=Albertini\|first4=Ange\|last5=Markov\|first5=Yarik\|last1=Stevens\|first1=Marc}}</ref>

Rsjaffe: clean up, typo(s) fixed: ’s → 's (2)

2021-08-15T22:00:53Z

clean up, typo(s) fixed: ’s → 's (2)

← Previous revision		Revision as of 22:00, 15 August 2021
Line 76:		Line 76:
	*Yarrow was created using an attack-oriented design process.		*Yarrow was created using an attack-oriented design process.
	*The [[entropy estimation]] of Yarrow is very conservative, thus preventing [[Brute force attack\|exhaustive search attacks]]. It is very common that PRNGs fail in real-world applications due to entropy overestimation and guessable starting points.		*The [[entropy estimation]] of Yarrow is very conservative, thus preventing [[Brute force attack\|exhaustive search attacks]]. It is very common that PRNGs fail in real-world applications due to entropy overestimation and guessable starting points.
	*The reseeding process of Yarrow is relatively computationally expensive, thus the cost of attempting to guess the ~~PRNG’s~~ key is higher.		*The reseeding process of Yarrow is relatively computationally expensive, thus the cost of attempting to guess the PRNG's key is higher.
	*Yarrow uses functions to simplify the management of seed files, thus the files are constantly updated.		*Yarrow uses functions to simplify the management of seed files, thus the files are constantly updated.
	*To handle [[cryptanalysis\|cryptanalytic]] attacks, Yarrow is designed to be based on a block cipher that is secured. The [[level of security]] of the generation mechanism depends on the block cipher.		*To handle [[cryptanalysis\|cryptanalytic]] attacks, Yarrow is designed to be based on a block cipher that is secured. The [[level of security]] of the generation mechanism depends on the block cipher.
Line 85:		Line 85:

	===Cons===		===Cons===
	*Since the outputs of Yarrow are cryptographically derived, the systems that use those outputs can only be as secure as the generation mechanism itself. That means the attacker who can break the generation mechanism will easily break a system that depends on ~~Yarrow’s~~ outputs. This problem cannot be solved by increasing entropy accumulation.		*Since the outputs of Yarrow are cryptographically derived, the systems that use those outputs can only be as secure as the generation mechanism itself. That means the attacker who can break the generation mechanism will easily break a system that depends on Yarrow's outputs. This problem cannot be solved by increasing entropy accumulation.
	*Yarrow requires entropy estimation, which is a very big challenge for implementations.<ref>{{cite web\|url=https://www.silabs.com/Support%20Documents/TechnicalDocs/AN0806.pdf \|format=PDF \|title=Fortuna Cryptographically Secure PRNG : AN0806 - Application Note \|website=Silabs.com \|access-date=2016-10-21}}</ref> It is hard to be sure how much entropy to collect before using it to reseed the PRNG.<ref>{{cite web\|url=http://www.codeproject.com/Articles/6321/Fortuna-A-Cryptographically-Secure-Pseudo-Random-N\|title=Fortuna – A Cryptographically Secure Pseudo Random Number Generator – CodeProject\|last=citadel\|access-date=18 October 2016}}</ref> This problem is solved by [[Fortuna (PRNG)]], an improvement of Yarrow. Fortuna has 32 pools to collect entropy and removed the entropy estimator completely.		*Yarrow requires entropy estimation, which is a very big challenge for implementations.<ref>{{cite web\|url=https://www.silabs.com/Support%20Documents/TechnicalDocs/AN0806.pdf \|format=PDF \|title=Fortuna Cryptographically Secure PRNG : AN0806 - Application Note \|website=Silabs.com \|access-date=2016-10-21}}</ref> It is hard to be sure how much entropy to collect before using it to reseed the PRNG.<ref>{{cite web\|url=http://www.codeproject.com/Articles/6321/Fortuna-A-Cryptographically-Secure-Pseudo-Random-N\|title=Fortuna – A Cryptographically Secure Pseudo Random Number Generator – CodeProject\|last=citadel\|access-date=18 October 2016}}</ref> This problem is solved by [[Fortuna (PRNG)]], an improvement of Yarrow. Fortuna has 32 pools to collect entropy and removed the entropy estimator completely.
	*Yarrow's strength is limited by the size of the key. For example, Yarrow-160 has an effective key size of 160 bits. If the security requires 256 bits, Yarrow-160 is not capable of doing the job.		*Yarrow's strength is limited by the size of the key. For example, Yarrow-160 has an effective key size of 160 bits. If the security requires 256 bits, Yarrow-160 is not capable of doing the job.

Monkbot: Task 18 (cosmetic): eval 8 templates: del empty params (3×); hyphenate params (5×);

2021-01-21T04:09:30Z

Task 18 (cosmetic): eval 8 templates: del empty params (3×); hyphenate params (5×);

← Previous revision		Revision as of 04:09, 21 January 2021
Line 2:		Line 2:
	The '''Yarrow algorithm''' is a family of [[cryptographic pseudorandom number generator]]s (CPRNG) devised by [[John Kelsey (cryptanalyst)\|John Kelsey]], [[Bruce Schneier]], and [[Niels Ferguson]] and published in 1999. The Yarrow algorithm is explicitly unpatented, royalty-free, and open source; no license is required to use it. An improved design from Ferguson and Schneier, [[Fortuna (PRNG)\|Fortuna]], is described in their book, ''Practical Cryptography''		The '''Yarrow algorithm''' is a family of [[cryptographic pseudorandom number generator]]s (CPRNG) devised by [[John Kelsey (cryptanalyst)\|John Kelsey]], [[Bruce Schneier]], and [[Niels Ferguson]] and published in 1999. The Yarrow algorithm is explicitly unpatented, royalty-free, and open source; no license is required to use it. An improved design from Ferguson and Schneier, [[Fortuna (PRNG)\|Fortuna]], is described in their book, ''Practical Cryptography''

	Yarrow was used in [[FreeBSD]], but is now superseded by Fortuna.<ref name=bsd>{{cite web\|url=https://svnweb.freebsd.org/base?view=revision&revision=284959\|title=[base] Revision 284959\|website=Svnweb.freebsd.org\|~~accessdate~~=18 October 2016}}</ref> Yarrow was also incorporated in iOS<ref>{{cite web\|url=https://www.apple.com/br/ipad/business/docs/iOS_Security_Oct12.pdf \|format=PDF \|title=iOS Security \|date=October 2012 \|website=Apple.com \|~~accessdate~~=2016-10-21}}</ref> and [[macOS]] for their [[/dev/random]] devices, but Apple has switched to Fortuna since 2020 Q1.<ref>{{Cite web\|title=Random number generation\|url=https://support.apple.com/en-hk/guide/security/seca0c73a75b/web\|access-date=2020-10-26\|website=Apple Support\|language=en}}</ref>		Yarrow was used in [[FreeBSD]], but is now superseded by Fortuna.<ref name=bsd>{{cite web\|url=https://svnweb.freebsd.org/base?view=revision&revision=284959\|title=[base] Revision 284959\|website=Svnweb.freebsd.org\|access-date=18 October 2016}}</ref> Yarrow was also incorporated in iOS<ref>{{cite web\|url=https://www.apple.com/br/ipad/business/docs/iOS_Security_Oct12.pdf \|format=PDF \|title=iOS Security \|date=October 2012 \|website=Apple.com \|access-date=2016-10-21}}</ref> and [[macOS]] for their [[/dev/random]] devices, but Apple has switched to Fortuna since 2020 Q1.<ref>{{Cite web\|title=Random number generation\|url=https://support.apple.com/en-hk/guide/security/seca0c73a75b/web\|access-date=2020-10-26\|website=Apple Support\|language=en}}</ref>

	==Name==		==Name==
Line 65:		Line 65:

	====Implementation of Yarrow-160====		====Implementation of Yarrow-160====
	Yarrow-160 has been implemented in [[Java (programming language)\|Java]], and for [[FreeBSD]]. The examples can be found in "An implementation of the Yarrow PRNG for FreeBSD"<ref>{{cite web\|url=https://www.usenix.org/legacy/events/bsdcon02/full_papers/murray/murray_html/\|title=An implementation of the Yarrow PRNG for FreeBSD\|~~publisher=\|accessdate~~=18 October 2016}}</ref> by Mark R. V. Murray.		Yarrow-160 has been implemented in [[Java (programming language)\|Java]], and for [[FreeBSD]]. The examples can be found in "An implementation of the Yarrow PRNG for FreeBSD"<ref>{{cite web\|url=https://www.usenix.org/legacy/events/bsdcon02/full_papers/murray/murray_html/\|title=An implementation of the Yarrow PRNG for FreeBSD\|access-date=18 October 2016}}</ref> by Mark R. V. Murray.

	==Pros and cons of Yarrow==		==Pros and cons of Yarrow==
Line 86:		Line 86:
	===Cons===		===Cons===
	*Since the outputs of Yarrow are cryptographically derived, the systems that use those outputs can only be as secure as the generation mechanism itself. That means the attacker who can break the generation mechanism will easily break a system that depends on Yarrow’s outputs. This problem cannot be solved by increasing entropy accumulation.		*Since the outputs of Yarrow are cryptographically derived, the systems that use those outputs can only be as secure as the generation mechanism itself. That means the attacker who can break the generation mechanism will easily break a system that depends on Yarrow’s outputs. This problem cannot be solved by increasing entropy accumulation.
	*Yarrow requires entropy estimation, which is a very big challenge for implementations.<ref>{{cite web\|url=https://www.silabs.com/Support%20Documents/TechnicalDocs/AN0806.pdf \|format=PDF \|title=Fortuna Cryptographically Secure PRNG : AN0806 - Application Note \|website=Silabs.com \|~~accessdate~~=2016-10-21}}</ref> It is hard to be sure how much entropy to collect before using it to reseed the PRNG.<ref>{{cite web\|url=http://www.codeproject.com/Articles/6321/Fortuna-A-Cryptographically-Secure-Pseudo-Random-N\|title=Fortuna – A Cryptographically Secure Pseudo Random Number Generator – CodeProject~~\|first=~~\|last=citadel\|~~publisher=\|accessdate~~=18 October 2016}}</ref> This problem is solved by [[Fortuna (PRNG)]], an improvement of Yarrow. Fortuna has 32 pools to collect entropy and removed the entropy estimator completely.		*Yarrow requires entropy estimation, which is a very big challenge for implementations.<ref>{{cite web\|url=https://www.silabs.com/Support%20Documents/TechnicalDocs/AN0806.pdf \|format=PDF \|title=Fortuna Cryptographically Secure PRNG : AN0806 - Application Note \|website=Silabs.com \|access-date=2016-10-21}}</ref> It is hard to be sure how much entropy to collect before using it to reseed the PRNG.<ref>{{cite web\|url=http://www.codeproject.com/Articles/6321/Fortuna-A-Cryptographically-Secure-Pseudo-Random-N\|title=Fortuna – A Cryptographically Secure Pseudo Random Number Generator – CodeProject\|last=citadel\|access-date=18 October 2016}}</ref> This problem is solved by [[Fortuna (PRNG)]], an improvement of Yarrow. Fortuna has 32 pools to collect entropy and removed the entropy estimator completely.
	*Yarrow's strength is limited by the size of the key. For example, Yarrow-160 has an effective key size of 160 bits. If the security requires 256 bits, Yarrow-160 is not capable of doing the job.		*Yarrow's strength is limited by the size of the key. For example, Yarrow-160 has an effective key size of 160 bits. If the security requires 256 bits, Yarrow-160 is not capable of doing the job.
	*Yarrow-160 uses SHA-1, which has widely been considered deprecated due to its first public collision.<ref>{{Cite web\|url=https://shattered.io/\|title=SHAttered\|last2=Bursztein\|first2=Elie\|date=2017-02-23\|website=SHAttered\|access-date=2017-04-27\|last3=Karpman\|first3=Pierre\|last4=Albertini\|first4=Ange\|last5=Markov\|first5=Yarik\|last1=Stevens\|first1=Marc}}</ref>		*Yarrow-160 uses SHA-1, which has widely been considered deprecated due to its first public collision.<ref>{{Cite web\|url=https://shattered.io/\|title=SHAttered\|last2=Bursztein\|first2=Elie\|date=2017-02-23\|website=SHAttered\|access-date=2017-04-27\|last3=Karpman\|first3=Pierre\|last4=Albertini\|first4=Ange\|last5=Markov\|first5=Yarik\|last1=Stevens\|first1=Marc}}</ref>

Yobot: /* top */References after punctuation per WP:REFPUNCT, WP:CITEFOOT, WP:PAIC + other fixes

2021-01-14T21:25:39Z

top: References after punctuation per WP:REFPUNCT, WP:CITEFOOT, WP:PAIC + other fixes

← Previous revision		Revision as of 21:25, 14 January 2021
Line 1:		Line 1:
	{{~~Refimprove~~\|date=November 2015}}		{{More citations needed\|date=November 2015}}
	The '''Yarrow algorithm''' is a family of [[cryptographic pseudorandom number generator]]s (CPRNG) devised by [[John Kelsey (cryptanalyst)\|John Kelsey]], [[Bruce Schneier]], and [[Niels Ferguson]] and published in 1999. The Yarrow algorithm is explicitly unpatented, royalty-free, and open source; no license is required to use it. An improved design from Ferguson and Schneier, [[Fortuna (PRNG)\|Fortuna]], is described in their book, ''Practical Cryptography''		The '''Yarrow algorithm''' is a family of [[cryptographic pseudorandom number generator]]s (CPRNG) devised by [[John Kelsey (cryptanalyst)\|John Kelsey]], [[Bruce Schneier]], and [[Niels Ferguson]] and published in 1999. The Yarrow algorithm is explicitly unpatented, royalty-free, and open source; no license is required to use it. An improved design from Ferguson and Schneier, [[Fortuna (PRNG)\|Fortuna]], is described in their book, ''Practical Cryptography''

	Yarrow was used in [[FreeBSD]], but is now superseded by Fortuna.<ref name=bsd>{{cite web\|url=https://svnweb.freebsd.org/base?view=revision&revision=284959\|title=[base] Revision 284959\|website=Svnweb.freebsd.org\|accessdate=18 October 2016}}</ref>. Yarrow was also incorporated in iOS<ref>{{cite web\|url=https://www.apple.com/br/ipad/business/docs/iOS_Security_Oct12.pdf \|format=PDF \|title=iOS Security \|date=October 2012 \|website=Apple.com \|accessdate=2016-10-21}}</ref> and [[macOS]] for their [[/dev/random]] devices, but Apple has switched to Fortuna since 2020 Q1.<ref>{{Cite web\|title=Random number generation\|url=https://support.apple.com/en-hk/guide/security/seca0c73a75b/web\|access-date=2020-10-26\|website=Apple Support\|language=en}}</ref>.		Yarrow was used in [[FreeBSD]], but is now superseded by Fortuna.<ref name=bsd>{{cite web\|url=https://svnweb.freebsd.org/base?view=revision&revision=284959\|title=[base] Revision 284959\|website=Svnweb.freebsd.org\|accessdate=18 October 2016}}</ref> Yarrow was also incorporated in iOS<ref>{{cite web\|url=https://www.apple.com/br/ipad/business/docs/iOS_Security_Oct12.pdf \|format=PDF \|title=iOS Security \|date=October 2012 \|website=Apple.com \|accessdate=2016-10-21}}</ref> and [[macOS]] for their [[/dev/random]] devices, but Apple has switched to Fortuna since 2020 Q1.<ref>{{Cite web\|title=Random number generation\|url=https://support.apple.com/en-hk/guide/security/seca0c73a75b/web\|access-date=2020-10-26\|website=Apple Support\|language=en}}</ref>

	==Name==		==Name==

← Previous revision		Revision as of 07:18, 13 October 2024
Line 1:		Line 1:
			{{short description\|Random number generator}}
	{{More citations needed\|date=November 2015}}		{{More citations needed\|date=November 2015}}
	The '''Yarrow algorithm''' is a family of [[cryptographic pseudorandom number generator]]s (CSPRNG) devised by [[John Kelsey (cryptanalyst)\|John Kelsey]], [[Bruce Schneier]], and [[Niels Ferguson]] and published in 1999. The Yarrow algorithm is explicitly unpatented, royalty-free, and open source; no license is required to use it. An improved design from Ferguson and Schneier, [[Fortuna (PRNG)\|Fortuna]], is described in their book, ''Practical Cryptography''		The '''Yarrow algorithm''' is a family of [[cryptographic pseudorandom number generator]]s (CSPRNG) devised by [[John Kelsey (cryptanalyst)\|John Kelsey]], [[Bruce Schneier]], and [[Niels Ferguson]] and published in 1999. The Yarrow algorithm is explicitly unpatented, royalty-free, and open source; no license is required to use it. An improved design from Ferguson and Schneier, [[Fortuna (PRNG)\|Fortuna]], is described in their book, ''Practical Cryptography''

← Previous revision		Revision as of 06:17, 30 December 2023
Line 1:		Line 1:
	{{More citations needed\|date=November 2015}}		{{More citations needed\|date=November 2015}}
	The '''Yarrow algorithm''' is a family of [[cryptographic pseudorandom number generator]]s (~~CPRNG~~) devised by [[John Kelsey (cryptanalyst)\|John Kelsey]], [[Bruce Schneier]], and [[Niels Ferguson]] and published in 1999. The Yarrow algorithm is explicitly unpatented, royalty-free, and open source; no license is required to use it. An improved design from Ferguson and Schneier, [[Fortuna (PRNG)\|Fortuna]], is described in their book, ''Practical Cryptography''		The '''Yarrow algorithm''' is a family of [[cryptographic pseudorandom number generator]]s (CSPRNG) devised by [[John Kelsey (cryptanalyst)\|John Kelsey]], [[Bruce Schneier]], and [[Niels Ferguson]] and published in 1999. The Yarrow algorithm is explicitly unpatented, royalty-free, and open source; no license is required to use it. An improved design from Ferguson and Schneier, [[Fortuna (PRNG)\|Fortuna]], is described in their book, ''Practical Cryptography''

	Yarrow was used in [[FreeBSD]], but is now superseded by Fortuna.<ref name=bsd>{{cite web\|url=https://svnweb.freebsd.org/base?view=revision&revision=284959\|title=[base] Revision 284959\|website=Svnweb.freebsd.org\|access-date=18 October 2016}}</ref> Yarrow was also incorporated in iOS<ref>{{cite web\|url=https://www.apple.com/br/ipad/business/docs/iOS_Security_Oct12.pdf \|title=iOS Security \|date=October 2012 \|website=Apple.com \|access-date=2016-10-21}}</ref> and [[macOS]] for their [[/dev/random]] devices, but Apple has switched to Fortuna since 2020 Q1.<ref>{{Cite web\|title=Random number generation\|url=https://support.apple.com/en-hk/guide/security/seca0c73a75b/web\|access-date=2020-10-26\|website=Apple Support\|language=en}}</ref>		Yarrow was used in [[FreeBSD]], but is now superseded by Fortuna.<ref name=bsd>{{cite web\|url=https://svnweb.freebsd.org/base?view=revision&revision=284959\|title=[base] Revision 284959\|website=Svnweb.freebsd.org\|access-date=18 October 2016}}</ref> Yarrow was also incorporated in iOS<ref>{{cite web\|url=https://www.apple.com/br/ipad/business/docs/iOS_Security_Oct12.pdf \|title=iOS Security \|date=October 2012 \|website=Apple.com \|access-date=2016-10-21}}</ref> and [[macOS]] for their [[/dev/random]] devices, but Apple has switched to Fortuna since 2020 Q1.<ref>{{Cite web\|title=Random number generation\|url=https://support.apple.com/en-hk/guide/security/seca0c73a75b/web\|access-date=2020-10-26\|website=Apple Support\|language=en}}</ref>