gen_random_uuid() produces a v4 UUID.

Taking the first 5 bytes of a v6 UUID (time) and last 5 (node) would be a bad random day.

Exercise extreme caution.

Having your security strategy rely on quirky behaviors of an implementation detail which might change is incredibly dangerous.

If you’re shopping for a CSPRNG, one of the items that should be very high on your list is being able to call the setSeed function multiple times and have the inputs compose instead of clobber each other.

You can send half-random input in and then send more half-random input in until you’re satisfied that the RNG has gotten a suitable amount of entropy. Do not chop, rearrange, hash, or bit shift the data trying to make it “stronger” the CSPRNG will do an infinitely better job of doing that for you. Just treat it like a Mr Fusion. Drop a can, a banana peel and the stale beer in and let it cook.

I gave a similar speech to a team trying to initialize SSL sessions on an embedded machine. “But what if we XOR…” No. Stahp.