Can some one please explain what algorithm produce these random bytes?
Is it a CSPRNG?

It’s a CSPRNG according to @Thom McGrath in his awesome article about storing passwords securely.

Thanks Albin for the link.
I client asked me for the algorithm behind this function. Maybe we can have some details of this function?

You know, I wanted to chime in here but bit my tongue. Then you had to drag me into it! :stuck_out_tongue:

So here’s the problem. When I wrote that, I was under the impression that it is a true CSPRNG because that is what I asked for when I filed the feature request. Here’s the excerpt from my API proposal:

[code]** Secure Random Number Generation **

Crypto.GenerateRandomBytes (ByteCount As Integer) As MemoryBlock
Not sure if the blocking or non-blocking module is correct. The difference is not synchronous vs asynchronous, the difference describes what to do if the entropy buffer does not have enough bytes. Blocking means the function will only return once the buffer has enough data, non-blocking means less secure numbers will be used to complete the missing bytes. The blocking version can take an indeterminate amount of time to complete, whereas non-blocking will always return almost immediately. Because of this, I usually use the non-blocking method on servers, and would be my recommendation for this API.[/code]

However, I do not know exactly what got implemented. The documentation DOES say the bytes come from /dev/urandom which is sufficient for a CSPRNG, but considering I did not write the code, I can’t say with 100% certainty that Xojo.Crypto.GenerateRandomBytes is a true CSPRNG or exactly what algorithm is being used. For all I know, the links I provided were ignored and something else was implemented instead. Only a current Xojo employee who can see the code will be able to answer these questions definitively.

OK, I hope to read an answer from a Xojo employee!

Ha! Thats what I do best. Draging people around :wink:
I do not have a recent enough version of Xojo to have this function. I use /dev/urandom instead. Thanks for making it clear that it’s a sufficient substitute.