Archived
TD0510: Obtaining random bytes for iOS/macOS
Publication Date
2020.03.03
Protection Profiles
PP_APP_v1.3
Other References
FCS_RBG_EXT.1
Issue Description
FCS_RBG_EXT.1 lists SecRandomCopyBytes and /dev/random as approved interfaces for obtaining random bytes from the iOS platform and /dev/random as the approved interface for macOS. Apple is transitioning to faster and more modern methods of generating random bytes. The new interface is CCRandomGenerateBytes in CommonRandom.c. This function calls CCRandomCopyBytes which calls ccDRBGGetRngState, which calls ccrng. ccrng.h defines the ccrng function as a function that returns a NIST SP800-90A CTR_DRBG(AES). Resolution
For FCS_RBG_EXT.1, the tests for iOS and macOS are modified as follows, with underlines indicating additions: For iOS: The evaluator shall verify that the application invokes either SecRandomCopyBytes, CCRandomGenerateBytes or CCRandomCopyBytes, or For macOS: The evaluator shall verify that the application invokes either CCRandomGenerateBytes or CCRandomCopyBytes, or collects random from /dev/random.
Justification
See issue description. |