How Cloudflare Uses Lava Lamps To Encrypt the Internet

YouTuber Tom Scott was invited to visit Cloudflare's San Francisco headquarters to check out the company's wall of lava lamps. These decorative novelty items -- while neat to look at -- serve a special purpose for the internet security company. Cloudflare takes pictures and video of the lava lamps to turn them into "a stream of random, unpredictable bytes," which is used to help create the keys that encrypt the traffic that flow through Cloudflare's network. ZDNet reports: Cloudflare is a DNS service which also offers distributed denial-of-service (DDoS) attack protection, security, free SSL, encryption, and domain name services. Cloudflare is known for providing good standards of encryption, but it seems the secret is out -- this reputation is built in part on lava lamps. Roughly 10 percent of the Internet's traffic passes through Cloudflare, and as the firm deals with so much encrypted traffic, many random numbers are required. According to Nick Sullivan, Cloudfare's head of cryptography, this is where the lava lamps shine. Instead of relying on code to generate these numbers for cryptographic purposes, the lava lamps and the random lights, swirling blobs and movements are recorded and photographs are taken. The information is then fed into a data center and Linux kernels which then seed random number generators used to create keys to encrypt traffic. "Every time you take a picture with a camera there's going to be some sort of static, some sort of noise," Sullivan said. "So it's not only just where the bubbles are flowing through the lava lamp; it is the state of the air, the ambient light -- every tiny change impacts the stream of data." Cloudflare also reportedly uses a "chaotic pendulum" in its London office to generate randomness, and in Singapore, they use a radioactive source.

Also known as LavaRand

[XXongo]

https://en.wikipedia.org/wiki/... [wikipedia.org] Lavarand was a hardware random number generator designed by Silicon Graphics that worked by taking pictures of the patterns made by the floating material in lava lamps, extracting random data from the pictures, and using the result to seed a pseudorandom number generator.[1] Although the secondary part of the random number generation uses a pseudorandom number generator, the full process essentially qualifies as a "true" random number generator due to the random seed that is used. However, its applicability is limited by its low bandwidth.

Re:

[MikeDataLink]

Lavarand was a hardware random number generator designed by Silicon Graphics that worked by taking pictures of the patterns made by the floating material in lava lamps

That's one of the first statements he made in the video.

Old news

[Flexagon]

And as the Wikipedia article states later, this technology dates to 1997, and includes a link to the patent from 1998. So this is not news.

Modernize: Replace lamp with GPU

[perpenso]

And as the Wikipedia article states later, this technology dates to 1997, and includes a link to the patent from 1998. So this is not news.

Fine, modernize the system. Replace the incandescent light bulb with a GPU mining cryptocurrency. :-)

Re:

[um... Lucas]

Well, the patent has either expired or is just about to. So the news is it'll soon be available to anyone.

Darn

[mapkinase]

It's older than /.

Re:

[AvitarX]

I remember reading about it in the 90s in an Economist column in the science section.

Re:

[whh3]

In this article [nytimes.com] from the NY Times, people from SGI say that they eventually gave up on the lava lamps and just took pictures of the lens cap which meant that they were essentially using electronic noise!

Fascinating!

I also recall that in the early 2000s Google was using this very technique. You could go online and view images of the lavalamps. Unfortunately I can't find any good references to it. Sorry!

Will

Re: Why not just a hardware random generator ?

[Anonymous Coward]

Women are completely unpredictable, just use them.

Re:

[DontBeAMoran]

You win the Internet for the rest of the day.

Enjoy.

Re:Why not just a hardware random generator ?

[corychristison]

I'd say it's a gimmick, if anything.

Truth is there are other/better/easier sources to generate entropy seeds from.

Re:

[Anonymous Coward]

Truth is there are other/better/easier sources to generate entropy seeds from.

I thought the same thing at first. Then realized that:
1. You really only need to generate a new seed very sporadically.
2. Insiders that can see the damn thing are unlikely to choose this as an attack path since they have so many far better ones.
3. You can actually SEE that the thing is working correctly, unlike a radioactive source.

All in all, it sounds like an OK solution, though it does have a gimmicky sort of look to it.

Re:Why not just a hardware random generator ?

[Hognoxious]

3. You can actually SEE that the thing is working correctly, unlike a radioactive source.

You can hear it. It makes a clicking sound. Have you never seen a movie?

Re:

[hey!]

Well, it isn't hard to build a simple circuit [makezine.com] that generates randomness from semiconductor junction noise, but pointing a video camera at a lava lamp is even easier and more within the skill set of an average software geek.

Re:

[hey!]

Yes, but we're not talking about design. We're talking about re-using existing design.

Only a complete fool would try to gin up his own pseudorandom number generator algorithm; you look a good one up in a book. We're not even talking about that here; we're talking about using somebody else's scheme.

Re:

[Wootery]

opinion discarded

From an AC? Now I've seen everything.

Re: Why not just a hardware random generator ?

[bickerdyke]

But ON a shelf. Not OFF the shelf.

But hey! It is working, easy to explain to anyone brighter than a box of darkness and most important: it's a really cool thing to show visitors on a tour through the office.

Come on, how many tech companies would show guests actual production hardware and even if, how often would it be some dull boxes in a Datacenter

Re:

[Anonymous Coward]

The lava lamp can’t be backdoored like that hardware can.

Apple's Lavarand wall would have both color and IR

[perpenso]

The lava lamp can’t be backdoored like that hardware can.

But the camera software can, and the image processing software can, etc.

Are the cameras visible color spectrum or IR? The former could be spoofed with a photo, no need to backdoor the software.

FWIW ... Apple's Lavarand wall would have both color and IR cameras. ;-)

Re:

[religionofpeas]

The former could be spoofed with a photo

No, because even a static photo will still have plenty of sensor noise. You could put the lens cap on, and it would work just as well.

Re: Why not just a hardware random generator ?

[Anonymous Coward]

Because there is no known general analytical solution to the Navier-Stokes equation. It is a hardware rng.

Looks like someone paid attention in physics class

[RightwingNutjob]

The universe is full of randomness that's hard to predict. The triumph of digital electronics is that they eliminate the randomness almost completely when abstracted up from electron/hole pairs in semiconductors to the realm of bits and bytes. That means you can't get randomness out of it, no matter how theoretically secure your algorithm--you need to go back to the messiness of physical space for that. Well done.

Re:

[TechyImmigrant]

The universe is full of randomness that's hard to predict. The triumph of digital electronics is that they eliminate the randomness almost completely when abstracted up from electron/hole pairs in semiconductors to the realm of bits and bytes. That means you can't get randomness out of it, no matter how theoretically secure your algorithm--you need to go back to the messiness of physical space for that. Well done.

That's what metastability is for. It's how the entropy source in your CPU works and it's a heck of a lot more efficient and fast than a bunch of lava lamps.

Re:Looks like someone paid attention in physics cl

[Waffle Iron]

it's a heck of a lot more efficient and fast than a bunch of lava lamps.

I made my lava lamp RNG much more efficient by installing LED bulbs in the lamps.

It's also much faster now. No matter how fast I read out bits, I get the same results.

Re: Looks like someone paid attention in physics c

[jecowa]

I trust the lava lamps to be random more than I trust the CPU.

Re:

[RightSaidFred99]

Then your trust is misplaced and foolish. You are trusting the CPU to take in all that data and analyze it and extract random data, but you won't trust it to do something they have had in hardware for ages. Serious derp levels going on with this lava lamp nonsense.

Lava lamps are VERY deterministic!

[Rick Schumann]

Have you ever watched a lava lamp for a while? Especially one that's been around for a while? They're incredibly deterministic.
I would think this would be a better source: http://random.irb.hr/ [random.irb.hr]

Re:

[93 Escort Wagon]

Yeah, my first thought was - this is more like a random number generator for which you know the salt.

Re:

[DontBeAMoran]

Did you watch the video? The total sum of all the inputs is extremely random.

Re:

[barbariccow]

No, but it doesn't matter. That's the beauty of using LIGHTS. They affect the parts of the picture which don't change, i.e. the bottom of lamps or the air between the lamps. Including dust and distortion, a high-res picture can provide a lot of entropy. Could even have multiple layers to it. Consider the bits in the raw picture are used modulus 64 to select one of 64 solid colours. Then, you create a diff map of that solid colour vs the pixel value as the final entropy bits. That simplistic example would ad

Re:

[barbariccow]

If it was monochromatic, sure. Consider 21 bits for each R-G-B (63 bits total). Now you have (20 million to the power of 64) - 1 possible values. PLENTY of room to seed an algorithm which can extrapolate to a very large keyspace.

Re:

[zm]

Have you ever watched a lava lamp for a while? Especially one that's been around for a while?

Yeah.. Entropy ain't what it used to be... Sigh.

Re:

[perpenso]

It depends on the sampling period. Once a second, yes, once an hour, no so much. :-)

Re:

[RPI Geek]

Even sampling at 1kHz (the actual rate that Cloudflare uses), the predictive errors propagate rather quickly.

For just one lamp, you would need impractically accurate information of the lamp at a known time to feed into an impractically accurate model of the thermal and fluid dynamics of the lamp to predict its state. Then you'd need to frequently update said impractically accurate information to correct for the drift over time due to other factors that affect the state of the lamp (outside heating/coolin

Re:

[viperidaenz]

yeah, get your random numbers fed from a plain-text source. Sure it's random, but if you want to use it for cryptography, it should problem remain secret.

Re:

[barbariccow]

They could create and deploy a safe truly-random generator, but couldn't do the tier-1 5 minute task of installing an SSL cert? They seem to not even CARE...

To enable high security, in future, SSL protocol shall be supported, i.e. all data shall be encrypted

Re:

[guruevi]

If you figured out fluid dynamics IN YOUR HEAD, you shouldn't be posting on /. Einstein.

Re:

[Wootery]

Either Cloudflare didn't notice that there's a superficial predictability to a lava-lamp, or you don't understand how their RNG leverages lava-lamps and chaotic fluid dynamics.

Which seems more likely?

bps?

[Cajun Hell]

I'm not saying it's a bad idea, but Cloudflare must need a lot. How many bps of entropy can you get per lava lamp?

Re:

[Luthair]

They most likely use it for seeds, its unlikely to change by enough from moment to moment. Maybe raises a question what happens if they need to seed many hosts at once.

Re:

[suutar]

seed one PRNG, pull out N values and use those as seeds for other stuff? Reseed often enough to avoid the PRNG's cycle and what you pull out should stay unpredictable.

Re:bps?

[AmiMoJo]

But why bother? You can use a simple quantum noise source made from a saturated silicon P-N junction (half a transistor) that puts up a few million bits per second. Balance and whiten them and you can easily get a 2 million truly random bits per second for parts costing a couple of Euros. I built one as a little hobby project.

Just using a microcontroller's built in termperature sensor I've managed to get close to 3Mb/sec. It all passes the standard tests (Diehard, NIST etc.)

Cloudflare's systems are just gimmicks. Interesting ones, but not serious.

Re:

[suutar]

oh, sure, you can use other methods to get the random bits to seed the PRNG. I was just trying to respond to the question of how they can seed a bunch of stuff at once given the effective bit rate of a wall of lava lamps.

Re:

[religionofpeas]

Or: seed one cryptographically secure RNG with 1024 bits of random state, and pull out as many values as you'd like.

Re:

[suutar]

That's certainly one way to avoid the cycle time :)

Re:

[barbariccow]

The rate of output doesn't have to depend on the rate of input if you just store everything. So if you get 1 million bits per minute (just pulling a number out of the air), run it for a year before going into production, you already have 31557600 million (assuming 365.25 days in a year) bits ready to go before you start using. This would cover bursts, power outages, need to disable the system to change light bulbs, etc.

Re:

[barbariccow]

31557600 should be 525960, but the point remains ( I accidently used seconds in a day instead of minutes)

Next Version

[Zorro]

Pop Rocks based encryption!

Pseudo-Nerdery

[Anonymous Coward]

Lava lamps are giant blobs of cohesive good. Unpredictable as they are, their entropy is pretty low.

We had an old slashdotter on here a few years ago who made specialised RNG generating cards. They used unpredicatable random static noise and filters to generate extremely high quality random data. Apparently their cards were so good, they discovered flaws in some kind of "Die Hard" suite of statistical tests. I think the cards retailed for ~$30 IIRC.

That's nerdery. That's going the distance. Using lava lamps? That's hipster shit. Pseudo-nerdery. Someone who, for whatever direction their lives have taken them, thinks they're a nerd, but really they're at best a geek who can follow a cookbook. And most of the internet won't be able to tell the difference.

The real nerds don't get stories written about them anymore.

Re:

[TechyImmigrant]

Dieharder has a handful of suspect tests. You can safely ignore them.

What's worse is when the certification tests are broken. Here is this old slashdotter's evaluation: https://github.com/dj-on-githu... [github.com]

Re:Pseudo-Nerdery

[legoleg]

From way back in 2006, this looks like the guy you mention:

https://slashdot.org/comments.... [slashdot.org]

lava lamps really needed?

[supernova87a]

Is the lava lamp really the source of most of the randomness, or is it kind of a gimmick that people can say and understand? I mean, cmon, the noise in the camera itself is probably already enough, right? They're taking the Nth decimal place of some characteristic of the entire image -- the lava really isn't that important, is it?

Re:

[apoc.famine]

I'm guessing not. I was wondering why they didn't just point a webcam out the window. Capture enough busy highway, sky, and pedestrian areas combined with the noise from the camera, and you're probably accomplishing the same thing.

Re:

[TechyImmigrant]

Is the lava lamp really the source of most of the randomness, or is it kind of a gimmick that people can say and understand? I mean, cmon, the noise in the camera itself is probably already enough, right? They're taking the Nth decimal place of some characteristic of the entire image -- the lava really isn't that important, is it?

You are correct to question this and your intuition is correct. The noise in the camera provides more entropy by a large margin. The better choice would be to put the cap back on the camera lens, so the gain is cranked up and the noise is maximized.

Patented

[Bruce Perens]

Lavarand is the subject of this patent [google.com] and I wonder if CloudFlare has a license? Insert comments on the frivolity of the patent and of the patent system below.

I suspect that the noise of the camera sensor contributes as much randomness as the lava lamp. And it's thermal or quantum noise, so probably a good random source.

Re:

[viperidaenz]

Patent expired on Jan 29th 2016

Re:

[Bruce Perens]

21 years already? Funny that I didn't even think of looking at that.

Re:

[guruevi]

We ARE getting old. The patent was filed about the time I first tried Debian and Red Hat from mailer CD's

Re:

[AvitarX]

Maybe it's new?

Re:

[DerekLyons]

Lavarand is the subject of this patent [google.com] and I wonder if CloudFlare has a license?

The filing date of the patent (the date it's effective from) is Jan 29, 1996. US patents are good for twenty years. As I write this, it's Nov 8th 2017.

I'll let you do the math.

Obligatory Dilbert

[DontBeAMoran]

http://dilbert.com/strip/2001-... [dilbert.com]

Re:

[Gavagai80]

Obligatory XKCD: https://xkcd.com/221/ [xkcd.com]

Re:

[DontBeAMoran]

RFC 1149.5 specifies 4 as the standard IEEE-vetted random number.

Another possible source

[93 Escort Wagon]

Just have me hit a golf ball off the tee - there's no way you can predict where that sucker's gonna land.

Re:

[fisted]

I think you're on to something! If you use a graphene drone to find out where the golf ball ends up, with some AI and blockchain -- damn that's gonna be huge!

... but are they Chinese-made Lava Lamps?

[jtara]

See subject.

..and in Singapore, they use a radioactive source.

[tgibson]

Like from Caesium atoms?

Re:

[Chatterton]

Think a little about it. Does your camera is at exactly the same place? Did your camera CMOS chip have exactly the same defects as the one they use? Do you take your still images at exactly the same time? And there is so much parameters that make your easy hack not so easy. The easy hack would be to put some kind of spying apparatus behind their camera that send the information back to you, not putting another camera.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[atisss]

That would also be more secure, as it can't be observed and intercepted.
There have been several cases when flaw found in PRNG affects the security of resulting cryptographic key.
If you want secure key, you need secret random seed, not one that can be publicly observed and replayed/repeated

Re:

[religionofpeas]

There have been several cases when flaw found in PRNG affects the security of resulting cryptographic key.

You can simply avoid this by using a PRNG based on a reputable and secure encryption algorithm. No need to do fancy stuff. Take a simple counter, counting 1, 2, 3, 4, 5... and feed that stream into an AES-256 block cipher.

Lava Lamp Randomness

[Neuronwelder]

Makes you wonder if it could detect someone breaking into a video line.

But this book of random numbers gets 4 stars

[billrp]

https://www.amazon.com/Million... [amazon.com]

No such thing as random

[bug1]

Random == An unrecognised pattern

Earthquake!

[mnemotronic]

Power failure!
Seed = 00000000000000000000000000000000000000000000000000000

saw it on Star Trek: Discovery

[cstacy]

In one scene, you see an open panel beneath the Communications Officer's station, and sure enough there is a lava lamp there. Freeze frame and you can see the mounting plate where it says "Crypto Source". OK, I made that up. But it's not as stupid as the starship being teleported by interfacing a crewman's DNA with mushroom spores that connect to the infinite mushverse reality plane. And based on what the writers are obviously smoking, both the spore drive and the lava lamp are at least internally consi

nerd bait

[Anonymous Coward]

If I were a cryptographer, I think I would literally jerk off at the idea of predicting future states of lava lamps to crack a large % of the world's encryption.

Re:

[account_deleted]

Comment removed based on user account deletion