javascript - Is there a better way than crypto.randomBytes to generate unique ids in performance-wise? - Stack Overflow

Node.js documentation strongly discourages the usage of crypto.randomBytes(). However as I read in an answer of StackOverflow, in all methods of random string generation such as using timestamps etc. the best way to achieve highest entropy is crypto.randomBytes().

I would like to use this uuid strategy to generate validation keys in my node.js system. Is there any other better way performance-wise?

Node.js documentation strongly discourages the usage of crypto.randomBytes(). However as I read in an answer of StackOverflow, in all methods of random string generation such as using timestamps etc. the best way to achieve highest entropy is crypto.randomBytes().

I would like to use this uuid strategy to generate validation keys in my node.js system. Is there any other better way performance-wise?

• javascript
• node.js

Share Follow edited Oct 3, 2018 at 22:02 pushkin 10.3k1616 gold badges6363 silver badges107107 bronze badges asked Oct 3, 2018 at 12:20 Mehmet Egemen AlbayrakMehmet Egemen Albayrak 11511 silver badge66 bronze badges 6

• performance wise? its always expensive on the CPU afaik – Nelson Owalo Commented Oct 3, 2018 at 12:25
• 1 Why do you need a high entropy for your unique ids? And shouldn't it be enough to seed a random generator from the high-entropy source? – Bergi Commented Oct 3, 2018 at 15:06
• Where exactly does the documentation strongly discourage the usage of it? – FINDarkside Commented Aug 12, 2019 at 10:48
• @FINDarkside as I remember nodejs/uk/docs/guides/dont-block-the-event-loop – Mehmet Egemen Albayrak Commented Aug 13, 2019 at 11:07
• 1 @FINDarkside as I remember it was discouraged because randomBytes blocks the I/O when there is not enough entropy. That's why on another page they say it is/should run by a worker thread, I don't remember which. The doc page with the claim was very old so maybe they changed it recently. – Mehmet Egemen Albayrak Commented Aug 14, 2019 at 15:21

 |  Show 1 more ment

1 Answer 1

Sorted by: Reset to default 4

If you want to use CSPRNG, not really.

Using uuid was suggested, but it simply calls crypto.randomBytes(16) and converts it to hex string. randomBytes blocking isn't really a problem, because it offers asynchronous api as well (second arg is callback). When generating such small amounts of data, using the sync api might be faster though.

Docs do still mention lack of entropy possibly causing longer block than usual. It should only be a problem right after boot though and even in that case blocking can be avoided by using the asynchronous api.

The crypto.randomBytes() method will not plete until there is sufficient entropy available. This should normally never take longer than a few milliseconds. The only time when generating the random bytes may conceivably block for a longer period of time is right after boot, when the whole system is still low on entropy.