23. 712. 3. 608. 45. 89. 11. 332. 841. 255. You want more? Cloudflare and pals are streaming 'em live from new RNG API

League of Entropy is the superhero gang you may or may not need

lava lamp

Like some kind of space-age Bingo hall caller, a cloud-based API that publicly streams random numbers arrives today, and is being touted by Cloudflare.

The web-distribution giant is enlisting the help of four other organizations and a handful of researchers to create what it calls the League of Entropy, a project aimed at creating and maintaining tools that output random numbers.

The project combines Cloudflare's own LavaRand lava-lamp-based random number generator with randomness generators from EPFL's URand, UChile’s Seismic Girl, Kudelski Security’s ChaChaRand, and Protocol Labs’ InterplanetaryRand. The combined systems will funnel their random data into an open-source service called drand – aka a distributed randomness beacon – and every 60 seconds it will output a 512-bit value to the world, so that anyone can fetch the digits and use for their random numbers.

The idea, says Cloudflare, is to combine multiple sources of entropy to produce sequences of really random numbers, which is harder to do than you might think. Computer algorithms generally suck at generating truly random numbers unless they tap into the chaos of the universe, such as by measuring temperatures and vibrations to seed their number generators.

Without these natural effects, code can end up producing repeating and predictable numbers, which are far from random. Cloudflare uses the aforementioned lava lamps to introduce entropy into its cryptographic systems. Now the plan is to make it all public.

"Our founding members are contributing their individual high-entropy sources to provide a more random and unpredictable beacon to generate publicly verifiable random values every sixty seconds," said Cloudflare product manager Dina Kozlov in an announcement today.

man holding dice

Boffin: Dump hardware number generators for encryption and instead look within


"This global network of servers generating randomness ensures that even if a few servers are offline, the beacon continues to produce new numbers by using the remaining online servers."

This is where it should be noted that the public system will not be recommended in any way, shape, or form for use with cryptographic or security-sensitive tools or applications, for obvious reasons. Those who want a stream of private numbers can link up with Drand or the individual beacons directly rather than stream from the public API.

"With randomness beacons publicly generating and announcing random numbers, users should NOT be using the output for their secret keys, as these numbers are accessible by anyone," Kozlov explained.

"If an attacker can guess the random number that calculates a user's cryptographic key, they can crack their system and decrypt confidential information, which means that random numbers generated by that beacon are not safe for cryptographic encryption."

Rather, Cloudflare sees the public strings being used for things like election auditing or scientific research where officials will want true random numbers that can be verified as untouched from the source. You can find more details of this over on the Cloudflare website by the time you read this. ®

Disclosure: The Register is a customer of Cloudflare.

Sponsored: Practical tips for Office 365 tenant-to-tenant migration


Biting the hand that feeds IT © 1998–2020