bakkot
commented
5 years ago I think this is a misunderstanding of how randomness is provided on modern systems. As I said in the other issue, that caveat from the manpages is misleading and has been removed and replaced with
The
/dev/randominterface is considered a legacy interface, and/dev/urandomis preferred and sufficient in all use cases, with the exception of applications which require randomness during early boot time
The node docs pertaining to the linked issue say something similar:
The
crypto.randomBytes()method will not complete until there is sufficient entropy available. This should normally never take longer than a few milliseconds. The only time when generating the random bytes may conceivably block for a longer period of time is right after boot, when the whole system is still low on entropy.
That caveat appears to have been incorrect in older versions of electron, but that issue has apparently since been fixed, and does not reflect a fundamental issue with providing good randomness synchronously.
As an aside, entropy doesn't really "become depleted" in any meaningful sense.
bcoe
broofa
I alluded to this in https://github.com/tc39/proposal-uuid/issues/31#issuecomment-541204786.
The issue here is that CSPRNGs require a certain amount of entropy, which is typically supplied from the underlying system (electrical noise, hamsters flipping coins... whatever) at a limited rate. If there is not enough entropy, or it becomes depleted, then either the random # source has to block until enough entropy is available, or produce values that aren't cryptographically secure. For example, from urandom Man page:
Also, this Real-world issue
Assuming this is a fundamental issue with any CSPRNG, then it may make sense to make this API async, so underlying implementations can insure RNG quality without blocking calls to this API.