Yesterday I was thinking about ways of generating random data . One method of doing this is to get the user to move the mouse or press keyboard keys at random. This got me thinking about the concept of a service which would allow an application developer to pull random values from a pool contributed to by a large number of users.
It would work something like this:
- The user installs the application
- The application captures key codes and mouse position co-ordinates over a period of time.
- All of the samples for that time period are aggregated in such a way that the resulting number could not be de-composed into the original values
- This aggregated value would be transmitted securely to a server where it would be further aggregated with values from different users and sample periods to form a “pool value” of which there would be several, each of which would expire after some amount of time.
- A developer could then query a service which would return a specified number of bytes taken from more than one pool value.
I don’t claim to know anything about cryptography, so it’s almost a certainty this is a terrible idea from a security standpoint for reasons I lack the requisite knowlege to have even considered, therefore I’ve no plans to build this but the idea of a web service where you can go get some pseudo-random data from a massive pool of contributors piqued my curiousity.
- As a user, would you be OK with a program sending values derived from your input?
- As a developer, would you ever use such a service?