Why use Entropy on Tap? | About our project

The short answer

There’s one component in any security framework that, despite its vital importance for the resilience of the system, gets little attention from integrators.

This component is a random number generator.

Most of security mechanisms that we use for securing our data flows – encryption, electronic signatures, authentication – rely heavily on random numbers to generate strong key material. Strong random numbers make the keys unpickable. Weak random numbers allow attackers to guess them.

It so happens that a lot of software solutions that should be using strong random generators opt for standard, vulnerable PRNGs provided with the toolchains they are using. Lack of awareness and cognitive ease are two common reasons for that, but that does not make it any easier. The fact is, lots of otherwise high-quality, safe software products make themselves vulnerable by using low-quality random number generators.

Entropy on Tap is a solution that looks to change that practice.

The long answer

This is a fairly long story that is best read with a cuppa. If you are a busy person (or don’t drink coffee/tea), scroll down to the executive summary.

The quality of random numbers that you use can have an enormous effect on the security of your IT project. History knows numerous cases where poor quality of random numbers resulted in compromise of otherwise extraordinarily resilient systems. Two well-known examples are the use by German cryptographers of their girlfriends’ initials as initial Enigma rotor values (no pun intended!), and similarly silly re-use by Soviet spies of unbreakable (unless re-used) one-time pads.

How can numbers be of poor quality, one might ask, if they are just, well, numbers? Is 20 worse than 33? Or 50 better than 51? The numbers, of course, are 100% equal in their relative quality, whatever your accountant, financial consultant, or numerologist may be telling you. The problem of quality is not about each particular number in a given group, but of a group as a whole.

Let’s play a little game. Consider this sequence of numbers:

1, 2, 3, 4, 5, 6, 7, 8, X.

What value, do you think, is X?

No doubt, even if you paid zero attention to your maths teacher, you are very likely to answer 9. This is because the sequence forms an arithmetic progression with a step of 1, and this is a concept that everyone of us – even those who skipped on all their maths classes – recognises from the very early age (one, two, three, four five, once I caught a fish alive)

Well done to you – and welcome to Level 2. What about this sequence:

1, 12, 2, 11, 3, 10, 4, 9, 5, 8, X, Y.

Slightly harder to crack, but still not the biggest challenge. The answer is 6 and 7, and the concept we are facing here is the same arithmetic progression. The only difference is that there’s two of them now, going towards each other in turns:

1, 12, 1+1, 12-1, 1+1+1, 12-1-1, …

Now let’s see if you can get to the bottom of this one:

1, 17, 12, 2, 19, 16, 10, 35, X.

Looks like a hard nut to crack, doesn’t it? It seems like a group of 100% arbitrary numbers. As it is quite unlikely that you will crack it any time soon, we’ll just go ahead and tell you the answer right away.

X equals 11.

How do we know that? Easy: there is a formula behind that sequence, and it is X = ((X + X) + 15) mod 37), starting with X =1. We invented this formula and used it to generate this sequence. And we can continue generating new and new numbers for as long as we want.

Continuing this sequence seems very easy now, now that you know the formula behind it, doesn’t it? 11, 0, 15, 8, 31. Simples!

Putting it into Practice

Now, consider you are looking to create a digital lottery and want a cheap and easy way to produce arbitrary ball numbers for each draw. The formula above seems to produce a decent distribution of numbers that look arbitrary and may be a good fit. Or will it? 

You will probably be fine for as long as the jackpot amount of your lottery roams in the area of a primary school fair raffle pot. Yet when it reaches a certain higher level (let’s call it the level worth fighting for), there is a probability that there comes up someone wanting to fight for it. Someone that will try to break the system, to cheat, to outsmart it. And that is where your formula will betray you.

Cracking formulas like this is an easy job. A smart enough undergrad who used at least one of his ears in their statistics and computer science classes will know how to recover the formula. You will never suspect that, but all your future jackpots will now have a new owner.

Thing is, most of random number generators provided by default in typical programming SDKs – such as most of C++ runtime libraries, PHP, or Python – are just as easy to crack as the above formula. They are good in providing evenly distributes series of numbers for scenarios that do not involve high stakes – research, gaming scenes, or sample testing – but can become an attractive attack target where big money, a critical resource, or a corporate secret is involved. And once they become an attack target, they would not stand for long.

The Importance of Entropy

The other property of a good random number generator is the quality of entropy that the generator builds its random output on. The generator cannot produce random data solely based on its formula, however powerful and secure that formula is. It needs to be constantly seeded from the outside, with as much unpredictable data as possible. In a way, the good generator not just generates the random data, but, rather, converts an incoming stream of random inputs into an outgoing stream of random numbers.

The quality of entropy is so important that the generators that do not collect such unpredictable data from external sources cannot be officially referred to as random number generators. Instead, they are called pseudo-random number generators. The outputs they produce are not entirely random, and with sufficient effort can be predicted or reproduced.

Most of the standard software-only generators pay little attention to gathering entropy, and, in their defence, there’s not many options available. The best they can do is collect various parameters of the system they are running on: the temperature of the hard drive and the CPU, the speeds of the fans, the amount of memory available. This information is not sufficient to produce large amounts of high-quality random inputs.

But the final hit is taken by scalable SaaS applications – the virtue of the modern IT design. And that is where the things turn really grave.

The Curse of the Cloud

Consider this: a typical cloud is a farm of thousands of identical virtual machines. Identical software running on identical hardware. For an application that is scaled across multiple such VMs, every instance ends up running in a boilerplate, cloned, virtualised container. These containers have no physical characteristics whatsoever – no varying fan speeds, no ambient noise, no those tiny discrepancies that make each physical system unique. Their CPUs always have the same temperature because, well, there is no physical CPUs.

It would come with little surprise if entropy gathered by those instances will come with very little randomness – and even if some of those instances end up generating the same random sequences!

To summarise, modern random number generation options are far from being perfect. Many standard software generators produce numbers of substandard quality (pun intended), and even those that can produce stronger sequences often struggle with gathering sufficient entropy for their formulas. Considering the vital role played by random numbers in modern data ecosystems, this presents enormous, yet hidden risk.

With Entropy on Tap, we are looking to fix it.

What can Entropy on Tap help me with?

Bulletproof randomness. Entropy on Tap is one of very few sources of strong randomness available purely in software form. Forget about weak formulas and scarce entropies of the default PRNGs.

Better than alternatives. The only alternative that provides random numbers of comparable quality are hardware generators, which are complex, bulky, and incredibly expensive.

Lightning-fast time-to-market. Entropy on Tap is super-easy to integrate. Our simple web API makes it usable with any modern toolchain.

Great value. Competitive, pay-as-you-go pricing allows for affordable service and predictable scaling.

Designed by smart engineers for smart businesses. Take a backstage tour.