How Cloudflare Uses Lava Lamps To Encrypt the Internet

YouTuber Tom Scott was invited to visit Cloudflare's San Francisco headquarters to check out the company's wall of lava lamps. These decorative novelty items -- while neat to look at -- serve a special purpose for the internet security company. Cloudflare takes pictures and video of the lava lamps to turn them into "a stream of random, unpredictable bytes," which is used to help create the keys that encrypt the traffic that flow through Cloudflare's network. ZDNet reports: Cloudflare is a DNS service which also offers distributed denial-of-service (DDoS) attack protection, security, free SSL, encryption, and domain name services. Cloudflare is known for providing good standards of encryption, but it seems the secret is out -- this reputation is built in part on lava lamps. Roughly 10 percent of the Internet's traffic passes through Cloudflare, and as the firm deals with so much encrypted traffic, many random numbers are required. According to Nick Sullivan, Cloudfare's head of cryptography, this is where the lava lamps shine. Instead of relying on code to generate these numbers for cryptographic purposes, the lava lamps and the random lights, swirling blobs and movements are recorded and photographs are taken. The information is then fed into a data center and Linux kernels which then seed random number generators used to create keys to encrypt traffic. "Every time you take a picture with a camera there's going to be some sort of static, some sort of noise," Sullivan said. "So it's not only just where the bubbles are flowing through the lava lamp; it is the state of the air, the ambient light -- every tiny change impacts the stream of data." Cloudflare also reportedly uses a "chaotic pendulum" in its London office to generate randomness, and in Singapore, they use a radioactive source.

Also known as LavaRand

[XXongo]

https://en.wikipedia.org/wiki/... Lavarand was a hardware random number generator designed by Silicon Graphics that worked by taking pictures of the patterns made by the floating material in lava lamps, extracting random data from the pictures, and using the result to seed a pseudorandom number generator.[1] Although the secondary part of the random number generation uses a pseudorandom number generator, the full process essentially qualifies as a "true" random number generator due to the random seed that is used. However, its applicability is limited by its low bandwidth.

Re:Also known as LavaRand

[MikeDataLink]

Lavarand was a hardware random number generator designed by Silicon Graphics that worked by taking pictures of the patterns made by the floating material in lava lamps

That's one of the first statements he made in the video.

Re:Also known as LavaRand

[AvitarX]

I remember reading about it in the 90s in an Economist column in the science section.

Re:Also known as LavaRand

[whh3]

In this article from the NY Times, people from SGI say that they eventually gave up on the lava lamps and just took pictures of the lens cap which meant that they were essentially using electronic noise!

Fascinating!

I also recall that in the early 2000s Google was using this very technique. You could go online and view images of the lavalamps. Unfortunately I can't find any good references to it. Sorry!

Will

Looks like someone paid attention in physics class

[RightwingNutjob]

The universe is full of randomness that's hard to predict. The triumph of digital electronics is that they eliminate the randomness almost completely when abstracted up from electron/hole pairs in semiconductors to the realm of bits and bytes. That means you can't get randomness out of it, no matter how theoretically secure your algorithm--you need to go back to the messiness of physical space for that. Well done.

Re: Why not just a hardware random generator ?

Women are completely unpredictable, just use them.

Lava lamps are VERY deterministic!

[Rick+Schumann]

Have you ever watched a lava lamp for a while? Especially one that's been around for a while? They're incredibly deterministic.
I would think this would be a better source: http://random.irb.hr/

Re:Lava lamps are VERY deterministic!

[93+Escort+Wagon]

Yeah, my first thought was - this is more like a random number generator for which you know the salt.

Re:Lava lamps are VERY deterministic!

[DontBeAMoran]

Did you watch the video? The total sum of all the inputs is extremely random.

Re:Lava lamps are VERY deterministic!

[zm]

Have you ever watched a lava lamp for a while? Especially one that's been around for a while?

Yeah.. Entropy ain't what it used to be... Sigh.

Re:Lava lamps are VERY deterministic!

[perpenso]

It depends on the sampling period. Once a second, yes, once an hour, no so much. :-)

Re:Lava lamps are VERY deterministic!

[viperidaenz]

yeah, get your random numbers fed from a plain-text source. Sure it's random, but if you want to use it for cryptography, it should problem remain secret.

Re:Lava lamps are VERY deterministic!

[barbariccow]

They could create and deploy a safe truly-random generator, but couldn't do the tier-1 5 minute task of installing an SSL cert? They seem to not even CARE...

To enable high security, in future, SSL protocol shall be supported, i.e. all data shall be encrypted

Re:Lava lamps are VERY deterministic!

[barbariccow]

No, but it doesn't matter. That's the beauty of using LIGHTS. They affect the parts of the picture which don't change, i.e. the bottom of lamps or the air between the lamps. Including dust and distortion, a high-res picture can provide a lot of entropy. Could even have multiple layers to it. Consider the bits in the raw picture are used modulus 64 to select one of 64 solid colours. Then, you create a diff map of that solid colour vs the pixel value as the final entropy bits. That simplistic example would add a measure of change to even the parts of the picture which could never be covered by dust, are not affected by the light source at the camera resolution used, etc.

Re:Lava lamps are VERY deterministic!

[barbariccow]

If it was monochromatic, sure. Consider 21 bits for each R-G-B (63 bits total). Now you have (20 million to the power of 64) - 1 possible values. PLENTY of room to seed an algorithm which can extrapolate to a very large keyspace.

Re:Lava lamps are VERY deterministic!

[guruevi]

If you figured out fluid dynamics IN YOUR HEAD, you shouldn't be posting on /. Einstein.

Re:Lava lamps are VERY deterministic!

[Wootery]

Either Cloudflare didn't notice that there's a superficial predictability to a lava-lamp, or you don't understand how their RNG leverages lava-lamps and chaotic fluid dynamics.

Which seems more likely?

Re:Lava lamps are VERY deterministic!

[RPI+Geek]

Even sampling at 1kHz (the actual rate that Cloudflare uses), the predictive errors propagate rather quickly.

For just one lamp, you would need impractically accurate information of the lamp at a known time to feed into an impractically accurate model of the thermal and fluid dynamics of the lamp to predict its state. Then you'd need to frequently update said impractically accurate information to correct for the drift over time due to other factors that affect the state of the lamp (outside heating/cooling, vibrations, power source fluctuations, etc) or else you'd need to be able to factor those variables into your model.

Good luck with that.

bps?

[Cajun+Hell]

I'm not saying it's a bad idea, but Cloudflare must need a lot. How many bps of entropy can you get per lava lamp?

Re:bps?

[Luthair]

They most likely use it for seeds, its unlikely to change by enough from moment to moment. Maybe raises a question what happens if they need to seed many hosts at once.

Re:bps?

[suutar]

seed one PRNG, pull out N values and use those as seeds for other stuff? Reseed often enough to avoid the PRNG's cycle and what you pull out should stay unpredictable.

Re:bps?

[barbariccow]

The rate of output doesn't have to depend on the rate of input if you just store everything. So if you get 1 million bits per minute (just pulling a number out of the air), run it for a year before going into production, you already have 31557600 million (assuming 365.25 days in a year) bits ready to go before you start using. This would cover bursts, power outages, need to disable the system to change light bulbs, etc.

Re:bps?

[barbariccow]

31557600 should be 525960, but the point remains ( I accidently used seconds in a day instead of minutes)

Re:bps?

[AmiMoJo]

But why bother? You can use a simple quantum noise source made from a saturated silicon P-N junction (half a transistor) that puts up a few million bits per second. Balance and whiten them and you can easily get a 2 million truly random bits per second for parts costing a couple of Euros. I built one as a little hobby project.

Just using a microcontroller's built in termperature sensor I've managed to get close to 3Mb/sec. It all passes the standard tests (Diehard, NIST etc.)

Cloudflare's systems are just gimmicks. Interesting ones, but not serious.

Re:bps?

[religionofpeas]

Or: seed one cryptographically secure RNG with 1024 bits of random state, and pull out as many values as you'd like.

Re:bps?

[suutar]

That's certainly one way to avoid the cycle time :)

Re:bps?

[suutar]

oh, sure, you can use other methods to get the random bits to seed the PRNG. I was just trying to respond to the question of how they can seed a bunch of stuff at once given the effective bit rate of a wall of lava lamps.

Next Version

[Zorro]

Pop Rocks based encryption!

Pseudo-Nerdery

Lava lamps are giant blobs of cohesive good. Unpredictable as they are, their entropy is pretty low.

We had an old slashdotter on here a few years ago who made specialised RNG generating cards. They used unpredicatable random static noise and filters to generate extremely high quality random data. Apparently their cards were so good, they discovered flaws in some kind of "Die Hard" suite of statistical tests. I think the cards retailed for ~$30 IIRC.

That's nerdery. That's going the distance. Using lava lamps? That's hipster shit. Pseudo-nerdery. Someone who, for whatever direction their lives have taken them, thinks they're a nerd, but really they're at best a geek who can follow a cookbook. And most of the internet won't be able to tell the difference.

The real nerds don't get stories written about them anymore.

Re:Pseudo-Nerdery

[TechyImmigrant]

Dieharder has a handful of suspect tests. You can safely ignore them.

What's worse is when the certification tests are broken. Here is this old slashdotter's evaluation: https://github.com/dj-on-githu...

Re:Pseudo-Nerdery

[legoleg]

From way back in 2006, this looks like the guy you mention:

https://slashdot.org/comments....

Re:Why not just a hardware random generator ?

[corychristison]

I'd say it's a gimmick, if anything.

Truth is there are other/better/easier sources to generate entropy seeds from.

lava lamps really needed?

[supernova87a]

Is the lava lamp really the source of most of the randomness, or is it kind of a gimmick that people can say and understand? I mean, cmon, the noise in the camera itself is probably already enough, right? They're taking the Nth decimal place of some characteristic of the entire image -- the lava really isn't that important, is it?

Re:lava lamps really needed?

[apoc.famine]

I'm guessing not. I was wondering why they didn't just point a webcam out the window. Capture enough busy highway, sky, and pedestrian areas combined with the noise from the camera, and you're probably accomplishing the same thing.

Re:lava lamps really needed?

[TechyImmigrant]

Is the lava lamp really the source of most of the randomness, or is it kind of a gimmick that people can say and understand? I mean, cmon, the noise in the camera itself is probably already enough, right? They're taking the Nth decimal place of some characteristic of the entire image -- the lava really isn't that important, is it?

You are correct to question this and your intuition is correct. The noise in the camera provides more entropy by a large margin. The better choice would be to put the cap back on the camera lens, so the gain is cranked up and the noise is maximized.

Patented

[Bruce+Perens]

Lavarand is the subject of this patent and I wonder if CloudFlare has a license? Insert comments on the frivolity of the patent and of the patent system below.

I suspect that the noise of the camera sensor contributes as much randomness as the lava lamp. And it's thermal or quantum noise, so probably a good random source.

Re:Patented

[viperidaenz]

Patent expired on Jan 29th 2016

Re:Patented

[AvitarX]

Maybe it's new?

Re:Patented

[Bruce+Perens]

21 years already? Funny that I didn't even think of looking at that.

Re:Patented

[guruevi]

We ARE getting old. The patent was filed about the time I first tried Debian and Red Hat from mailer CD's

Re:Patented

[DerekLyons]

Lavarand is the subject of this patent and I wonder if CloudFlare has a license?

The filing date of the patent (the date it's effective from) is Jan 29, 1996. US patents are good for twenty years. As I write this, it's Nov 8th 2017.

I'll let you do the math.

Re:Why not just a hardware random generator ?

The lava lamp can’t be backdoored like that hardware can.

Re:Looks like someone paid attention in physics cl

[TechyImmigrant]

The universe is full of randomness that's hard to predict. The triumph of digital electronics is that they eliminate the randomness almost completely when abstracted up from electron/hole pairs in semiconductors to the realm of bits and bytes. That means you can't get randomness out of it, no matter how theoretically secure your algorithm--you need to go back to the messiness of physical space for that. Well done.

That's what metastability is for. It's how the entropy source in your CPU works and it's a heck of a lot more efficient and fast than a bunch of lava lamps.

Obligatory Dilbert

[DontBeAMoran]

http://dilbert.com/strip/2001-...

Re:Obligatory Dilbert

[Gavagai80]

Obligatory XKCD: https://xkcd.com/221/

Re:Obligatory Dilbert

[DontBeAMoran]

RFC 1149.5 specifies 4 as the standard IEEE-vetted random number.

Another possible source

[93+Escort+Wagon]

Just have me hit a golf ball off the tee - there's no way you can predict where that sucker's gonna land.

Re:Another possible source

[fisted]

I think you're on to something! If you use a graphene drone to find out where the golf ball ends up, with some AI and blockchain -- damn that's gonna be huge!

Re:Looks like someone paid attention in physics cl

[Waffle+Iron]

it's a heck of a lot more efficient and fast than a bunch of lava lamps.

I made my lava lamp RNG much more efficient by installing LED bulbs in the lamps.

It's also much faster now. No matter how fast I read out bits, I get the same results.

Old news

[Flexagon]

And as the Wikipedia article states later, this technology dates to 1997, and includes a link to the patent from 1998. So this is not news.

Re:Old news

[um...+Lucas]

Well, the patent has either expired or is just about to. So the news is it'll soon be available to anyone.

... but are they Chinese-made Lava Lamps?

[jtara]

See subject.

Re: Why not just a hardware random generator ?

[bickerdyke]

But ON a shelf. Not OFF the shelf.

But hey! It is working, easy to explain to anyone brighter than a box of darkness and most important: it's a really cool thing to show visitors on a tour through the office.

Come on, how many tech companies would show guests actual production hardware and even if, how often would it be some dull boxes in a Datacenter

..and in Singapore, they use a radioactive source.

[tgibson]

Like from Caesium atoms?

Darn

[mapkinase]

It's older than /.

Apple's Lavarand wall would have both color and IR

[perpenso]

The lava lamp can’t be backdoored like that hardware can.

But the camera software can, and the image processing software can, etc.

Are the cameras visible color spectrum or IR? The former could be spoofed with a photo, no need to backdoor the software.

FWIW ... Apple's Lavarand wall would have both color and IR cameras. ;-)

Re:Why not just a hardware random generator ?

Truth is there are other/better/easier sources to generate entropy seeds from.

I thought the same thing at first. Then realized that:
1. You really only need to generate a new seed very sporadically.
2. Insiders that can see the damn thing are unlikely to choose this as an attack path since they have so many far better ones.
3. You can actually SEE that the thing is working correctly, unlike a radioactive source.

All in all, it sounds like an OK solution, though it does have a gimmicky sort of look to it.

Mostly PR gimmick.

[CptLoRes]

They probably would have gotten as good randomness just from putting the cameras in a dark room and using the analog noise in the camera sensors.

Re:Mostly PR gimmick.

[atisss]

That would also be more secure, as it can't be observed and intercepted.
There have been several cases when flaw found in PRNG affects the security of resulting cryptographic key.
If you want secure key, you need secret random seed, not one that can be publicly observed and replayed/repeated

Re:Mostly PR gimmick.

[religionofpeas]

There have been several cases when flaw found in PRNG affects the security of resulting cryptographic key.

You can simply avoid this by using a PRNG based on a reputable and secure encryption algorithm. No need to do fancy stuff. Take a simple counter, counting 1, 2, 3, 4, 5... and feed that stream into an AES-256 block cipher.

Modernize: Replace lamp with GPU

[perpenso]

And as the Wikipedia article states later, this technology dates to 1997, and includes a link to the patent from 1998. So this is not news.

Fine, modernize the system. Replace the incandescent light bulb with a GPU mining cryptocurrency. :-)

Lava Lamp Randomness

[Neuronwelder]

Makes you wonder if it could detect someone breaking into a video line.

Re: Why not just a hardware random generator ?

Because there is no known general analytical solution to the Navier-Stokes equation. It is a hardware rng.

But this book of random numbers gets 4 stars

[billrp]

https://www.amazon.com/Million...

Re:Why not just a hardware random generator ?

[Hognoxious]

3. You can actually SEE that the thing is working correctly, unlike a radioactive source.

You can hear it. It makes a clicking sound. Have you never seen a movie?

Re:Why not just a hardware random generator ?

[hey!]

Well, it isn't hard to build a simple circuit that generates randomness from semiconductor junction noise, but pointing a video camera at a lava lamp is even easier and more within the skill set of an average software geek.

No such thing as random

[bug1]

Random == An unrecognised pattern

Earthquake!

[mnemotronic]

Power failure!
Seed = 00000000000000000000000000000000000000000000000000000

Re:Why not just a hardware random generator ?

[hey!]

Yes, but we're not talking about design. We're talking about re-using existing design.

Only a complete fool would try to gin up his own pseudorandom number generator algorithm; you look a good one up in a book. We're not even talking about that here; we're talking about using somebody else's scheme.

nerd bait

If I were a cryptographer, I think I would literally jerk off at the idea of predicting future states of lava lamps to crack a large % of the world's encryption.

Re: Looks like someone paid attention in physics c

[jecowa]

I trust the lava lamps to be random more than I trust the CPU.

Re: Looks like someone paid attention in physics c

[RightSaidFred99]

Then your trust is misplaced and foolish. You are trusting the CPU to take in all that data and analyze it and extract random data, but you won't trust it to do something they have had in hardware for ages. Serious derp levels going on with this lava lamp nonsense.

Re:Easy Hack

[Chatterton]

Think a little about it. Does your camera is at exactly the same place? Did your camera CMOS chip have exactly the same defects as the one they use? Do you take your still images at exactly the same time? And there is so much parameters that make your easy hack not so easy. The easy hack would be to put some kind of spying apparatus behind their camera that send the information back to you, not putting another camera.

Re:Apple's Lavarand wall would have both color and

[religionofpeas]

The former could be spoofed with a photo

No, because even a static photo will still have plenty of sensor noise. You could put the lens cap on, and it would work just as well.

Re:Why not just a hardware random generator ?

[Wootery]

opinion discarded

From an AC? Now I've seen everything.

US 5732138 A

[Ash-Fox]

Are they licensed for US 5732138 A patent usage?