The Futility of Lava Lamps: What Random Means
loup-vaillant.fr
35 points by birdculture 2 days ago
The article has a section dedicated to "how to obtain starting seed" with a list of examples and somehow fails to include wall of lava lamps in said list of examples
As far as cryptographic security theater goes, it's hard for me to get angry about lava lamps.
I don't remember their initial post about the lava lamps, but I had assumed that was a marketing gimmick more than anything... a neat visual way to convey what entropy is in a way normal humans can comprehend.
It's certainly not a scalable solution for entropy, and there are so many ways for it to fail as a sole source, as well.
I'm dead sure they aren't using them for anything.
This is SF. If they were really used for anything, a random dude in a black hoodie and white SUV can just smash the glass and take down the internet, and the SF police wouldn't do a thing.
Smashing the glass wouldn't make it less effective. The sensor itself has noise, and the camera output is fed into an HMAC with a key based on the current nanosecond before being combined with a traditional entropy source before it ever went anywhere. Even then, it was only used as a seed for the entropy pool on the actual server.
If you look up videos on YouTube, you'll see that they allow visitors to stand between the lava lamps and the cameras (sometimes even entire groups!). And I've always wondered: doesn't that reduce entropy, since people usually wear monotone clothing? And if the lamps are so important, why would they allow that? Maybe the lamps do contribute something, but their system most likely already generates enough entropy with or without the lamps...
It also depends on how often samples are taken. If it only occurs every hour, Fred in his white shirt is highly unlikely to be standing in the exact same spot still.
Remember, these are only seed values, a pseudorandom number generator will run indefinitely, but from what I understand, CF re-runs these periodically with different seed values, to stop people finding the pattern.
It's been quite a while since I first heard about it, but IIRC they were seeding cryptographic PRNGs with entropy from multiple sources, one of which was allegedly this art installation.
Seeding PRNGs with sufficiently unpredictable data was a real security concern for a while. New cloud instances have a small entropy pool space for attackers to enumerate due to lack of a real source of randomness. (See the Debian/OpenSSL issue for what can happen when your entropy pool is too small/predictable)
One fun fact about XOR is that anything XOR'd with a uniform random distribution results in a uniform random distribution, so there isn't any harm in mixing additional non-attacker-controlled entropy sources in as long as at least one of them is sufficiently unpredictable. The lava lamps provide a potentially hard-to-predict source of entropy for this, but if it's not available then it certainly doesn't "take down the internet". They'll still use packet arrival timing, interrupt timing, etc to seed their CSPRNGs.
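One way to show the mixing argument made in the two comments above (the HMAC-keyed camera frame described earlier and the XOR property here), as added example code that is neither Cloudflare's nor the linked article's. SHA-256, the stand-in source values and the timestamp are assumptions.

```python
import hashlib
import hmac

# Constructed stand-ins for real sources (example code, not Cloudflare's own).
CAMERA_FRAME = bytes((i * 37 + 11) % 256 for i in range(64))   # pretend lava-lamp frame
BIASED_SOURCE = bytes([0x00] * 31 + [0x01])                    # mostly-zero, low-quality source
PUBLIC_SOURCE = b"value an adversary can read"                 # assumed fully known to an attacker
STRONG_SOURCE = bytes(range(32))                               # stands in for os.urandom(32)
NANOSECONDS = 1_700_000_000_123_456_789                        # constructed timestamp

def hash_camera_frame(frame: bytes, nanoseconds: int) -> bytes:
    """Key an HMAC with the nanosecond time and run the frame through it, as the
    thread describes for the camera output (SHA-256 is an assumption here)."""
    return hmac.new(nanoseconds.to_bytes(8, "big"), frame, hashlib.sha256).digest()

def xor_blocks(*blocks: bytes) -> bytes:
    """XOR equal-length blocks. If any one block is uniform and independent of
    the rest, the result is uniform, whatever the other blocks contain."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        if len(b) != len(out):
            raise ValueError("all blocks must have the same length")
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)

def derive_seed(camera: bytes, nanoseconds: int, strong: bytes, *extra: bytes) -> bytes:
    """Reduce every source to a 32-byte block, XOR them, then hash the result so
    structure in a weak source is dispersed. An illustration of the principle,
    not a replacement for the kernel's entropy pool."""
    blocks = [hash_camera_frame(camera, nanoseconds), hashlib.sha256(strong).digest()]
    blocks += [hashlib.sha256(s).digest() for s in extra]
    return hashlib.sha256(xor_blocks(*blocks)).digest()

def xor_distribution(p: list[float], q: list[float]) -> list[float]:
    """Exact distribution of X XOR Y for independent byte-valued X ~ p, Y ~ q."""
    out = [0.0] * 256
    for x, px in enumerate(p):
        for y, py in enumerate(q):
            out[x ^ y] += px * py
    return out

if __name__ == "__main__":
    uniform = [1 / 256] * 256
    skewed = [0.99] + [0.01 / 255] * 255           # a byte that is 0 almost always
    mixed = xor_distribution(skewed, uniform)       # one good source is enough
    print(max(mixed) - min(mixed))                  # ~0: output is uniform
    print(max(xor_distribution(skewed, skewed)))    # ~0.98: two weak sources stay weak
    print(derive_seed(CAMERA_FRAME, NANOSECONDS, STRONG_SOURCE, BIASED_SOURCE, PUBLIC_SOURCE).hex())
```

The attacker-known and biased sources change the seed when they change, but they never make it worse than the strong source alone.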
With a one-time pad being, as I understand it, the only really good encryption, I am surprised there is not a market for pairs of matched hard drives—the pair having the same "one time pad" stored on them (how you generate those numbers is left as an exercise for the company marketing them).
A simple app could be used by parties on both ends of the message—an app that relies on an associated drive to act as the pad.
If you become aware that one of the two matched drives has been compromised (stolen perhaps by an outside party), you destroy its partner.
(Perhaps too you can design the drive in such a way as to make it non-trivial to copy—you more or less need possession of the drive itself. That makes it unlikely for there to be a 3rd drive the two parties are unaware of.)
Conventional symmetric cryptography is already very secure and easy, even in the face of future threats like quantum computers. (Asymmetric cryptography is the type of cryptography that cryptographers spend more time worrying about.) It's relatively easy to whip up a secure symmetric encryption scheme if you have a hash function that meets certain security properties. The only real hard parts of symmetric cryptography are key management (making sure both ends of each conversation have the matching keys ready to use), and one time pads only make that harder by making the keys very large and stateful. I think there are few use-cases where the potentially increased security makes up for the more difficult key management.
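The "large and stateful" key problem in the comment above, as an added example that is not from the linked article: both parties hold a copy of the same pad and must stay in sync on how much of it has been burned; the pad contents and messages are constructed placeholders.

```python
class OneTimePad:
    """A pad shared by exactly two parties. Every byte is used once, so both
    sides must track how far into the pad they are. The pad itself must come
    from a true random source; that part is assumed here, not shown."""

    def __init__(self, pad: bytes) -> None:
        self._pad = pad
        self._offset = 0        # first unused byte; must stay in sync on both ends

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def encrypt(self, message: bytes) -> tuple[int, bytes]:
        """Return (offset, ciphertext). The offset travels in the clear so the
        peer knows which pad bytes to use; it reveals nothing about the message."""
        if len(message) > self.remaining:
            raise RuntimeError("pad exhausted: distribute a new pad before sending more")
        start = self._offset
        key = self._pad[start:start + len(message)]
        self._offset += len(message)        # those bytes are now burned for good
        return start, bytes(m ^ k for m, k in zip(message, key))

    def decrypt(self, offset: int, ciphertext: bytes) -> bytes:
        """Decrypt at the given offset and advance past it. Refuse offsets behind
        the current position: accepting them would mean the sender reused pad."""
        if offset < self._offset:
            raise RuntimeError("pad bytes at this offset were already consumed")
        end = offset + len(ciphertext)
        if end > len(self._pad):
            raise RuntimeError("ciphertext runs past the end of the pad")
        key = self._pad[offset:end]
        self._offset = end
        return bytes(c ^ k for c, k in zip(ciphertext, key))

def demo_round_trip(pad_bytes: bytes, messages: list[bytes]) -> list[bytes]:
    """Two copies of the same pad, one per party; each message consumes fresh bytes."""
    alice, bob = OneTimePad(pad_bytes), OneTimePad(pad_bytes)
    received = []
    for m in messages:
        offset, ct = alice.encrypt(m)
        received.append(bob.decrypt(offset, ct))
    return received

if __name__ == "__main__":
    # Constructed pad: a real one would be read from the matched drive.
    print(demo_round_trip(bytes(range(256)) * 2, [b"dive at dawn", b"surface in 6 months"]))
```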
One time pads are the only solution that is secure from an information theoretic perspective. In practice, however, that is not important. You would essentially be securing yourself against a weapon that no one has, and most experts think cannot actually exist.
Surely if you were that security conscious you'd never trust some third party to put the keys on the drives and not keep a copy for themselves - you'd just buy two regular drives and put the key on there yourself.
The reason why there isn't a market for such drives is that someone who needs that level of security rightfully wouldn't trust any entity to
1. generate truly random data, which is required for OTP to be perfect
2. not store a copy of the data to be handed over to bioluminescent individuals at the drop of a hat
I think that post quantum encryption methods might be in this category but I am not knowledgeable enough to say either way.
One issue though with making a one time pad trivial to copy - how do you authenticate that you are allowed to read? How do you know the client isn’t copying?
I've heard it said that such systems may be used by militaries, where they have an organizational structure naturally-suited to large keystream distribution.
Unlike e-commerce, it's no problem to physically send the proverbial officer handcuffed to a briefcase to the nuclear submarine before it submerges for 6 months.
Also the messages to be secured are, um, short and... infrequent.
> And if it is broken… then you’re screwed, sorry. See, both your encryption and your CSPRNG relies on a cipher. If either is broken, then so is your whole system.
Not necessarily. The CSPRNG state could in theory be leaked via sidechannels. Your cipher key could be leaked via sidechannels too, but symmetric encryption keys tend to be shorter lived.