
I'm reading a lot about entropy on macOS...

I know it doesn't use Yarrow anymore; as per this FIPS 140-2 doc, it uses a NIST-compliant DRBG.

I read a lot:

* https://github.com/briansmith/ring/pull/398
* How can I measure (and increase) entropy on Mac OS X?
* https://stackoverflow.com/questions/5832941/how-good-is-secrandomcopybytes
* http://serverascode.com/2014/03/04/yarrow.html
* https://stackoverflow.com/questions/3170500/random-number-generator-dev-random
* https://stackoverflow.com/questions/42197958/secrandomcopybytes-provider-sha1prng-or-nativeprng-type-in-objc

Even mailed Craig F: https://apple.stackexchange.com/questions/362531/does-macos-still-use-yarrow-as-its-cryptographically-secure-pseudorandom-number

I see that SecRandomCopyBytes is now effectively using:

https://opensource.apple.com/source/xnu/xnu-4570.41.2/osfmk/corecrypto/ccdbrg/src/ccdrbg_nisthmac.c.auto.html

While /dev/urandom uses:

https://opensource.apple.com/source/xnu/xnu-4570.41.2/osfmk/prng/random.c.auto.html

I have a lot of old code using /dev/urandom. On Catalina, is it still valid to use /dev/urandom for key material? Is it cryptographically secure?

I don't want to port everything to a macOS specific lib.

Even libsodium seems to use /dev/urandom, so I guess it's ok?


1 Answer


So, somewhat serendipitously, Apple released an updated platform security guide in December just gone (Dec 2019), which directly covers random number generation for cryptographic purposes:

Random number generation

Cryptographic pseudorandom number generators (CPRNGs) are an important building block for secure software. To this end, Apple provides a trusted software CPRNG running in the iOS, iPadOS, macOS, tvOS, and watchOS kernels. It’s responsible for aggregating raw entropy from the system and providing secure random numbers to consumers in both the kernel and user space.

Entropy sources

The kernel CPRNG is seeded from multiple entropy sources during boot and over the lifetime of the device. These include (contingent on availability):

* The Secure Enclave’s hardware RNG
* Timing-based jitter collected during boot
* Entropy collected from hardware interrupts
* A seed file used to persist entropy across boots
* Intel random instructions, i.e. RDSEED and RDRAND (macOS-only)

The Kernel CPRNG

The kernel CPRNG is a Fortuna-derived design targeting a 256-bit security level. It provides high-quality random numbers to user-space consumers using the following APIs:

* The getentropy(2) system call
* The random device, i.e. `/dev/random`

The kernel CPRNG accepts user-supplied entropy through writes to the random device.

So the answer is yes: it is still valid to use /dev/urandom for generating key material on macOS Catalina (10.15.2 (19C57)).

This also ends my speculation on whether 160-bit Yarrow or 256-bit Fortuna was at the heart of the CSPRNG.

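The two user-space paths the answer lists, getentropy(2) and the random device, as an added example that is not from the question, the answer or Apple: it treats both as front ends to the same kernel CPRNG, handles short reads and EINTR on the device path, and fails closed. `kernel_random_bytes` and `random_bytes_sanity` are this example's own names.

```c
/* Added example (not Apple's code): fetch key material from the kernel CPRNG.
 * Prefers getentropy(2), then falls back to /dev/urandom (same generator). */
#define _DEFAULT_SOURCE 1 /* glibc: expose O_CLOEXEC and getentropy; no-op on macOS */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#if defined(__APPLE__)
#include <sys/random.h>
#define HAVE_GETENTROPY 1
#elif defined(__GLIBC__)
#if __GLIBC_PREREQ(2, 25)
#include <sys/random.h>
#define HAVE_GETENTROPY 1
#endif
#endif
/* Read exactly n bytes from /dev/urandom; 0 on success, -1 on error. Handles
 * EINTR and short reads and fails closed: a partial buffer is never success. */
static int urandom_fill(unsigned char *p, size_t n) {
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) { close(fd); return -1; } /* error or unexpected EOF */
        p += (size_t)r; n -= (size_t)r;
    }
    close(fd);
    return 0;
}
/* Fill buf with n random bytes. getentropy(2) rejects more than 256 bytes per
 * call, so it is chunked; any failure falls back to the device for the rest. */
int kernel_random_bytes(void *buf, size_t n) {
    unsigned char *p = buf;
#ifdef HAVE_GETENTROPY
    while (n > 0) {
        size_t chunk = n > 256 ? 256 : n;
        if (getentropy(p, chunk) != 0) break;
        p += chunk; n -= chunk;
    }
#endif
    return n == 0 ? 0 : urandom_fill(p, n);
}
/* Smoke test: two 300-byte draws must succeed, be non-zero and differ. */
int random_bytes_sanity(void) {
    unsigned char a[300], b[300], zero[300] = {0};
    if (kernel_random_bytes(a, 300) || kernel_random_bytes(b, 300)) return 0;
    return memcmp(a, zero, 300) && memcmp(b, zero, 300) && memcmp(a, b, 300);
}
```

The 300-byte draw deliberately crosses the 256-byte getentropy(2) limit so the chunking and the fallback are both exercised.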
  • Thanks for sharing! How did you [check](https://apple.stackexchange.com/questions/426240/how-to-check-if-kernel-is-using-fortuna-vs-yarrow) if macOS Catalina 10.15.2 is using Fortuna vs Yarrow? – sunknudsen Aug 25 '21 at 12:07
  • @sunknudsen As explained in OP's answer: "The kernel CPRNG is a Fortuna-derived design targeting a 256-bit security level." https://support.apple.com/guide/security/random-number-generation-seca0c73a75b/web See also https://apple.stackexchange.com/questions/362531/does-macos-still-use-yarrow-as-its-cryptographically-secure-pseudorandom-number – lamusique Sep 24 '22 at 23:57