Hacker Timesnew | past | comments | ask | show | jobs | submitlogin

/dev/urandom and /dev/random are identical in every way, except that /dev/random blocks when the "entropy estimator" decides there "isn't enough entropy". However, due to the properties of the CSPRNG they use, such estimates have dubious value. Overall, you should always use /dev/urandom.

But definitely don't XOR the two.



Why does /dev/urandom use up the nice entropy of /dev/random when it doesn't provide any guarantees anyway?

Also, do you mean that/dev/urandom should be used even for cryptographic applications?


What do you mean by "use up the nice entropy"? You can use /dev/urandom for cryptographic applications (in fact _you should_).

Here's a nice article about it: http://www.2uo.de/myths-about-urandom/


I shall ready your link in full at a later time. For now, is there any problem with using /dev/random other than that it is blocking?


Yes, /dev/urandom is backed by a CSPRNG, and thus should be used even for cryptographic applications

The recent discussion about Ruby SecureRandom has some references about the subject: https://qht.co/item?id=11624890




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: