Where does Random in PyCrypto module get its random bytes from?

Question

During WinAPI programming with C++, I noticed that we can call the function CryptGenRandom to generate random bytes in context of the Windows CryptoAPI. If we drill down to system details, these bytes are actually generated from the advapi32.dll on Windows.

In Python, we have two ways that I know of to generate random bytes that can be used for cryptography:

• from Crypto.Random import get_random_bytes
• from secrets import token_bytes

I would like to know if these modules deep down somewhere still call the advapi32.dllon Windows to generate the needed random bytes. Or, do they have a way of generating random bytes that is completely independent of Windows dynamic libraries (or DLLs)?

Answer 1

A bit of a dive down into the code (where you would have hoped for documentation) and you'll find that both seem to rely on os.urandom, which in turn relies on CryptGenRandom, according to the documentation:

On Windows, it will use CryptGenRandom().

Now that in turn will generally use the Microsoft CSP, and what that uses depends on the system.

Generally you want to rely on the OS entropy, as it is tricky to gain enough entropy for specific runtimes. Nowadays these RNG's are pretty trustworthy resources and relatively fast as well, so it often doesn't make much sense to implement a CSPRNG let alone an entropy source into a library of a high level language.