Apple Platform Security
- Welcome
- Intro to Apple platform security
-
- System security overview
- Signed system volume security
- Secure software updates
- Rapid Security Responses
- Operating system integrity
- BlastDoor for Messages and IDS
- Lockdown Mode security
- System security for watchOS
- Random number generation
- Apple Security Research Device
-
- Services security overview
-
- Apple Pay security overview
- Apple Pay component security
- How Apple Pay keeps users’ purchases protected
- Payment authorization with Apple Pay
- Paying with cards using Apple Pay
- Contactless passes in Apple Pay
- Rendering cards unusable with Apple Pay
- Apple Card security
- Apple Cash security
- Tap to Pay on iPhone
- Secure Apple Messages for Business
- FaceTime security
- Glossary
- Document revision history
- Copyright
Random number generation
Cryptographic pseudorandom number generators (CPRNGs) are an important building block for secure software. To this end, Apple provides a trusted software CPRNG running in the iOS, iPadOS, macOS, tvOS, watchOS, and visionOS kernels. It’s responsible for aggregating raw entropy from the system and providing secure random numbers to consumers in both the kernel and user space.
Entropy sources
The kernel CPRNG is seeded from multiple entropy sources during boot and over the lifetime of the device. These include (contingent on availability):
The Secure Enclave hardware TRNG
Timing-based jitter collected during boot
Entropy collected from hardware interrupts
A seed file used to persist entropy across boots
Intel random instructions—for example, RDSEED and RDRAND (only on an Intel-based Mac)
The kernel CPRNG
The kernel CPRNG is a Fortuna-derived design targeting a 256-bit security level. It provides high-quality random numbers to user-space consumers using the following APIs:
The
getentropy
(2) system callThe random device (/dev/random)
The kernel CPRNG accepts user-supplied entropy through writes to the random device.