Today, Cloudflare announced the launch of a new public service called League of Entropy that will generate a stream of random numbers, which companies, government agencies, or lone developers can use as random input inside their applications.
The service might sound silly for a non-technical user, but random numbers are more important than most people think.
Random numbers are at the heart of modern cryptography, and having access to a source of randomness is crucial for the security of all our apps.
A predictable source of random numbers can compromise an application by allowing threat actors to mathematically determine cryptographic keys and passwords that have been generated for users, or at specific times.
For example, in the early 2010s, an Iowa man orchestrated one of the most complex heists of a public lottery in US history by tampering with the algorithm of the randomness beacon that generated the lottery's numbers, allowing him to determine the winning numbers at precise times in the future.
Having access to a secure random number beacon is crucial for the development of any secure application. Most software relies on the underlying device to provide this source of randomness, be it an Android smartphone or something more advanced such as a Linux server.
However, single-sourced beacons of entropy are dangerous, as devices can be compromised and the randomness source manipulated.
The League of Entropy is born
In the past, there have been efforts to launch and run distributed sources of randomness, all with various degrees of success.
Today, Cloudflare and its partners announced the launch of League of Entropy, a five-server network that will generate and make available secure streams of random numbers.
All five servers will generate their own part of a larger stream of random numbers and pool it together on a public service, available to everyone.
"This global network of servers generating randomness ensures that even if a few servers are offline, the beacon continues to produce new numbers by using the remaining online servers," Cloudflare said today.
"Even if one or two of the servers or their entropy sources were to be compromised, the rest will still ensure that the jointly-produced entropy is fully unpredictable and unbiasable."
Five servers located across the globe
Participating in this project are Cloudflare, Protocol Labs researcher Nicolas Gailly, University of Chile, École Polytechnique Fédérale de Lausanne (EPFL), and Kudelski Security.
The five organizations will run five servers, all with very different sources of entropy -- ranging from lava lamps to seismic shakes -- to form the collective League of Entropy network.
At launch-time, the League of Entropy service will be formed by:
- Cloudflare's LavaRand: LavaRand sources its high entropy from Cloudflare's wall of lava lamps at the company's San Francisco headquarters. The unpredictable flow of "lava" inside the lamps is captured by a camera, and the camera feed is used as input to a CSPRNG (Cryptographically Secure PseudoRandom Number Generator) that generates the random value.
- EPFL's URand: URand's power comes from the local randomness generator present on every computer at /dev/urandom. The randomness input is collected from inputs such as keyboard presses, mouse clicks, network traffic, etc. URand bundles these random inputs to produce a continuous stream of randomness.
- UChile's Seismic Girl: Seismic Girl extracts super verifiable randomness from five sources queried every minute. These sources include: seismic measurements of shakes and earthquakes in Chile; a stream from a local radio station; a selection of Twitter posts; data from the Ethereum blockchain; and their own off-the-shelf RNG card.
- Kudelski Security's ChaChaRand: ChaChaRand uses a CRNG (Cryptographic Random Number Generator) based on the ChaCha20 stream cipher.
- Protocol Labs' InterplanetaryRand: InterplanetaryRand uses the power of entropy to ensure protocol safety across space and time by using environmental noise and the Linux PRNG, supplemented by CPU-sourced randomness (RdRand).
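To make the pooling idea concrete, here is an added toy simulation (written for this article, not Cloudflare's code and not the League of Entropy's actual protocol): five servers each commit to a share, then reveal it, and the round's output is a hash over every share whose reveal matches its commitment. The quorum of three, the commit-reveal construction and the server names as dictionary keys are assumptions for the illustration.

```python
import hashlib
import secrets
from typing import Dict, Optional

SERVERS = ["LavaRand", "URand", "SeismicGirl", "ChaChaRand", "InterplanetaryRand"]
THRESHOLD = 3  # assumed quorum: this many valid shares complete a round

def commit(share: bytes) -> bytes:
    """Phase 1: a server publishes H(share) before seeing anyone else's share,
    so it cannot later choose a share that steers the combined result."""
    return hashlib.sha256(b"loe-commit|" + share).digest()

def combine(round_no: int, commitments: Dict[str, bytes],
            reveals: Dict[str, bytes]) -> Optional[bytes]:
    """Phase 2: hash the round number with every share whose reveal matches
    its commitment. Offline servers simply have no reveal; a server whose
    reveal differs from its commitment is dropped. Returns None when fewer
    than THRESHOLD valid shares arrived (the beacon skips that round)."""
    valid = [(n, s) for n, s in sorted(reveals.items())
             if commitments.get(n) == commit(s)]
    if len(valid) < THRESHOLD:
        return None
    h = hashlib.sha256(round_no.to_bytes(8, "big"))
    for name, share in valid:
        h.update(name.encode() + b"|" + share)
    return h.digest()

def run_round(round_no: int, shares: Dict[str, bytes],
              tampered: Optional[Dict[str, bytes]] = None) -> Optional[bytes]:
    """Simulate one round: everyone in `shares` commits, then reveals.
    `tampered` maps a server to a different share it tries to reveal."""
    commitments = {n: commit(s) for n, s in shares.items()}
    reveals = {**shares, **(tampered or {})}
    return combine(round_no, commitments, reveals)

if __name__ == "__main__":
    # constructed sample shares; a real server would draw these from its entropy source
    shares = {n: secrets.token_bytes(32) for n in SERVERS}
    print("all five online:", run_round(1, shares).hex())
    # two servers offline: the remaining three still complete the round
    three = {n: shares[n] for n in SERVERS[:3]}
    print("three online:   ", run_round(2, three).hex())
    # one server's entropy replaced by a constant: output still depends on the others
    weak = dict(shares, URand=bytes(32))
    print("URand all-zero: ", run_round(3, weak).hex())
```

A commit-reveal scheme like this still lets a participant bias the output by withholding its reveal after seeing the others, which is one reason the production beacon relies on threshold cryptography instead of plain hashing.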
Cloudflare hopes the new service will be used for lotteries, signing election audits, and blockchains, as well as by regular users looking for a truly random and unique password.
A technical deep-dive into how the League of Entropy works is available on the Cloudflare blog. The new service isn't exclusive, and Cloudflare said that other organizations could join.
You can view the stream of random numbers on the League of Entropy home page.