by cbsmith 1120 days ago
I think I understand what you were getting at by "there is no such thing as running out of entropy". Would you say there is such thing as "not having adequate entropy"?
1 comments

Not really. A CSPRNG is either initialized properly or it isn't. Once it is, entropy has ceased to be a concern. The original LRNG design misapprehends the purpose of continuous "entropy collection", which is about post-compromise security (it's essentially a rekeying operation), and not about any kind of cryptographic exhaustion.
But /dev/urandom will provide you with random numbers even if initialization has not completed, whereas /dev/random will not.
It's best to think of this as an OS/distro detail; if you can reasonably expect /dev/urandom to give you insecure bits, your distro has a vulnerability.

That said: today you'd just use some variant of getrandom.
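The distinction in the comment above (/dev/urandom answers before the pool is initialised, /dev/random and getrandom(2) do not) in working code, added here as an example and not posted by anyone in the thread. It assumes Linux with a libc that ships `<sys/random.h>` (glibc 2.25 or later, or musl); the function names are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>

/* Fill buf with n bytes from the kernel CSPRNG.
 * flags == 0 means: block until the kernel pool has been initialised once,
 * then never block again. Unlike reading /dev/urandom, this cannot hand
 * back bytes drawn from an uninitialised pool.
 * Returns 0 on success, -1 with errno set on failure. */
int fill_random(void *buf, size_t n)
{
    unsigned char *p = buf;
    while (n > 0) {
        ssize_t r = getrandom(p, n, 0);
        if (r < 0) {
            if (errno == EINTR)      /* signal while waiting for init */
                continue;
            return -1;
        }
        /* Requests over 256 bytes may be satisfied partially; loop. */
        p += r;
        n -= (size_t)r;
    }
    return 0;
}

/* Probe, without blocking, whether the kernel CSPRNG is initialised:
 * returns 1 if ready, 0 if the pool is not yet seeded (EAGAIN), -1 on
 * any other error. Useful early in boot or in a freshly started VM. */
int crng_ready(void)
{
    unsigned char b;
    if (getrandom(&b, 1, GRND_NONBLOCK) == 1)
        return 1;
    return (errno == EAGAIN) ? 0 : -1;
}

/* Self check: two independent 32-byte draws succeed and differ.
 * Returns 1 on success, 0 otherwise. */
int self_check(void)
{
    unsigned char a[32], b[32];
    if (fill_random(a, sizeof a) != 0) return 0;
    if (fill_random(b, sizeof b) != 0) return 0;
    return memcmp(a, b, sizeof a) != 0;
}

int main(void)
{
    unsigned char key[16];
    printf("crng_ready: %d\n", crng_ready());
    if (fill_random(key, sizeof key) != 0) {
        perror("getrandom");
        return 1;
    }
    for (size_t i = 0; i < sizeof key; i++)
        printf("%02x", key[i]);
    printf("\n");
    return self_check() ? 0 : 1;
}
```

The blocking call is the right default for key material: on a host whose pool was seeded long ago it never waits, and on one that is not yet seeded (the deterministic-VM case raised later in the thread) it waits rather than returning predictable bytes. `crng_ready()` is only for code that must not block, such as an early-boot service deciding whether to defer key generation.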

> It's best to think of this as an OS/distro detail; if you can reasonably expect /dev/urandom to give you insecure bits, your distro has a vulnerability.

Isn't that more a function of hardware than software? The hardware random number generators on modern CPUs pretty much eliminate the need to worry about entropy...

No, this has nothing at all to do with hardware; the state of play is the same on machines that don't have instructions like RDRAND.
I think I still don't understand. Can you explain why it is not a hypothetical problem on a deterministic virtual machine?