Personally? Not at all, I do it for fun. On Windows it's all you have because adding anything to the entropy pool BCryptGenRandom draws from is a no go, it was possible ten years ago, a simpler time. Now you have to do it yourself and xor different sources at the application layer if so concerned. On Linux it's trivial.
Cloudflare? Well, besides their obvious immediate needs, they are openly positioning themselves as an entropy provider for high security purposes, which requires good sources and throughput. What Intel or AMD is offering out of the box is not going to cut it by itself.
Not saying they're broken, they work fine for nearly all purposes, instead here positing that if your entire existence and everything you owned depended on it would you truly just use the inbuilt CPU RNG on your computer and call it a day? It's a small amount of time to add additional sources and not lose your shirt/dignity.
"Entropy provider" is not a thing, nor is "good sources and throughput". I've been cagey about writing about this but this thread is now old so I'll just be direct (and boring): there is a misconception that running cryptography primitives somehow burns through entropy as if it were fuel. But that's not how it works at all. You need enough entropy to seed your CSPRNG, and enough to periodically re-seed it to have some safety margin against compromises, but in the interval in between, you have effectively limitless "entropy" to spend.
The lava lamps aren't doing anything for Cloudflare's security. They're a marketing gimmick. A very good one! They got articles like this written! I'm not begrudging them the win! But this is not in fact how you engineer cryptography.
And yet you rely on one daily. Random oracles will likely be big business one day. I'm happy CF has put forward their posture on this. It's a good thing for the internets.
> nor is "good sources and throughput"
So you can provide entropy with high quality guarantees at 10GB/s? Sign me up mate. What's your price?
> I've been cagey about writing about this but this thread is now old
Who the fuck cares? Is this thread about actual discussion of the issue at hand or petty HN posturing? Couldn't care less what influencers and randoms here think. Simply stating thoughts and experiences.
> there is a misconception that running cryptography primitives somehow burns through entropy
Certainly agree, that's not what I meant though. A broken seed is nearly always exploitable in practice. It doesn't matter in the slightest how strong your primitives are when they are deterministic.
> The lava lamps aren't doing anything for Cloudflare's security. They're a marketing gimmick. A very good one!
Yeah, of course it's marketing, but with purpose, exposing devs to this stuff is worthwhile, means to an end and all that. XOR'ing sources is as cryptographically strong as the best source provided, why not do it if you have much at stake and 20 mins to spare?
I don't think you're following. You can encrypt petabytes of data under a single AES key, which is essentially what you're doing when you generate random bytes. Work out the math to figure out how often you need to rekey.
https://www.cloudflare.com/en-gb/leagueofentropy/
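An added example, not code from any commenter in this thread: application-layer XOR mixing of two sources into a seed, followed by the seed-then-expand and periodic-reseed model the replies describe. `jitter_sample` is a hypothetical stand-in for a second source, and `HmacDrbg` is a simplified HMAC-SHA256 generator in the style of NIST SP 800-90A, written for illustration.

```python
import hashlib, hmac, os, time

def xor_combine(*samples: bytes) -> bytes:
    """XOR equal-length samples into one seed.
    Assumption: the sources are independent of each other."""
    if len({len(s) for s in samples}) != 1:
        raise ValueError("need one or more samples of equal length")
    out = bytes(len(samples[0]))
    for s in samples:
        out = bytes(x ^ y for x, y in zip(out, s))
    return out

def jitter_sample() -> bytes:
    """Hypothetical second source: 32 bytes of hashed timer jitter."""
    h = hashlib.sha256()
    for _ in range(1024):
        h.update(time.perf_counter_ns().to_bytes(8, "little"))
    return h.digest()

class HmacDrbg:
    """Deterministic generator: all unpredictability comes from the seed."""
    def __init__(self, seed: bytes):
        self.k, self.v = b"\x00" * 32, b"\x01" * 32
        self._update(seed)

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self.k, data, hashlib.sha256).digest()

    def _update(self, data: bytes = b"") -> None:
        self.k = self._mac(self.v + b"\x00" + data)
        self.v = self._mac(self.v)
        if data:
            self.k = self._mac(self.v + b"\x01" + data)
            self.v = self._mac(self.v)

    def reseed(self, fresh: bytes) -> None:
        """Fold fresh seed material into the state (safety margin after compromise)."""
        self._update(fresh)

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.v = self._mac(self.v)
            out += self.v
        self._update()  # advance state so earlier output cannot be recomputed
        return out[:n]

if __name__ == "__main__":
    drbg = HmacDrbg(xor_combine(os.urandom(32), jitter_sample()))
    print(len(drbg.generate(1 << 20)), "bytes expanded from one 32-byte seed")
    drbg.reseed(xor_combine(os.urandom(32), jitter_sample()))
```

Two instances given the same seed emit the same stream, which is why a predictable seed defeats the generator no matter how strong the primitive is.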