« Cellular Automata Laboratory: Bootstrap Percolation | Main | Autour de la Lune: Web Edition Updated »

Sunday, June 18, 2017

HotBits: New Version with API Keys, Pseudorandom Generation

I have just posted a new version of the HotBits radioactive random number generator Web support software. There are no changes to the actual generation process or hardware, which remain as previously documented. All changes are to the proxy server, which obtains random data from the generators and delivers them to requesters over the Web.

API Keys

The first change is the phased introduction of API Keys, which requesters must use to obtain random data. Since the original introduction of HotBits in 1996, anybody has been able to request random data generated from radioactive decay over the Web, constrained only a quota limiting requests from an IP address to 12,208 bytes or 120 requests, whichever comes first, in any 24-hour period (the quota is applied by an aging algorithm measuring rate, and does not have a hard cutoff on day boundaries). The reason for the imposition of a quota is that the hardware generators produce only around 100 bytes per second, and it would be easy for a user to exhaust this capacity, either inadvertently or in order to wreck the service and deny it to others out of malice.

This policy worked well for more than twenty years, but with increasing blight in the Internet slum, more and more distributed denial of service attacks against HotBits have been mounted over recent months. These are conducted from a multitude of IP addresses, most of which make only one or a few requests, and thereby evade the quota. I do not know the motive for these attacks—probably it's just a nihilistic desire to wreck something provided for free to others; there's plenty of that around on the Internet—no good deed goes unpunished. In any case, this irresponsible behaviour of a few results, as it usually does, in making things inconvenient for the large majority of legitimate users.

Beginning on July 1st, 2017, requests for random data from HotBits will require an API Key, which is either entered in a box in the request page or via an “apikey=key” query field in a direct request URL. Requests without a valid API key will be rejected with an error message. HotBits users can apply for an API Key starting today, by using the:

HotBits API Key Request Form

API Keys are typically issued with two days of being requested. Once you receive your API Key, you can begin to use it immediately with the Request HotBits (API) test page. On July 1st, this will be come the standard request page and an API Key will be required for all requests.

Pseudorandom Data

When you visit the new request page, you'll notice a new option at the bottom: “Pseudorandom data?”. The most common application of genuine random data is to “seed” a pseudorandom number generator which can then produce a large volume of data which passes all of the statistical tests for randomness. HotBits now provides such data without the need for users to set up and validate their own generator. When you check the box, HotBits will return data from its own high quality internal pseudorandom number generator which is seeded from radioactively-generated data from the HotBIts hardware generator. Requests for pseudorandom data do not require an API key and are not subject to quota limitations. You can also request pseudorandom data by specifying “Pseudorandom” as an API Key. Pseudorandom data in the hexadecimal, C, password, and XML formats is identified as such in the result page returned.

The pseudorandom data returned by HotBits are generated with the Mersenne twister algorithm, using the MT19937-64 (64-bit) version. The generator is seeded with 2496 bytes of radioactively-generated random data from the HotBits generators. Because the Mersenne twister algorithm is not cryptographically secure, in that by observing a sufficiently large number of results it is possible to predict subsequent output, the pseudorandom data supplied by HotBits is produced by taking pairs of 64-bit results from Mersenne twister, comprising a 16 byte block, encrypting the block using the Advanced Encryption Standard (AES) with a 256 bit secret key also obtained from radioactively-generated HotBits data, then returning encrypted 16 byte blocks to fill the request. (Multiple blocks are generated if the request is more than 16 bytes, and if the request is not a multiple of 16 bytes, excess bytes from the last block are discarded.) A new AES encryption key is generated every 30 minutes, so even were a key to be disclosed, it would only enable decryption of data returned during the half hour window in which it was in use. Fourmilab makes no claim about the suitability of this pseudorandom data for cryptographic or any other use; that is up to you to determine based upon your own testing of the data and auditing of the algorithms and code used to generate it. Complete source code of the HotBits server, including the pseudorandom generator, will be posted when the new version enters production on July 1st, 2017. Statistical testing of the pseudorandom generator, including the downloadable data sets used in the tests, is currently available.

Posted at June 18, 2017 11:45