There is quite some controversial information floating around the web about what the difference is between SecRandomCopyBytes and /dev/random or /dev/urandom, and about their differences on OS X or iOS.
https://github.com/briansmith/ring/pull/398
https://stackoverflow.com/questions/5832941/how-good-is-secrandomcopybytes
http://serverascode.com/2014/03/04/yarrow.html
https://stackoverflow.com/questions/3170500/random-number-generator-dev-random
There are countless more; the earliest I found was
http://www.metzdowd.com/pipermail/cryptography/2003-August/005419.html
I suppose that there have been quite some changes since this earliest mail from 2003, and I would like to clarify some of it.
As a developer, it is easy to make mistakes, and as much as I trust Apple to make sane choices for their random number generator, there
are still some questions that the documentation can't answer. I also wonder why some of the answers were supposedly removed: following the last StackOverflow link I posted, there is a note that reads:
The "discussion" part of the documentation of SecRandomCopyBytes reads:
This function reads from /dev/random to obtain an array of cryptographically-secure random bytes. For more information on the /dev/random random-number generator, see the manual page for random(4).
But that comment is not to be found in the linked documentation; note that the post was from Feb 13th, 2017.
Regarding all of these confusing bits of information, it would be really helpful to clear up a few questions:
1. What source of randomness is used by /dev/random, /dev/urandom and SecRandomCopyBytes (using const SecRandomRef kSecRandomDefault)?
2. Is there a difference between the iOS and OS X implementations (random data from accelerometers or gyroscopes; are there general implementation differences)?
3. Is there some information about the Yarrow implementation? Where is it used, and how many bits of entropy does it provide?
It would also be helpful to add those things to the documentation.
I have read various different bits of information from so many sources; by now I have no idea what to believe anymore.
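As an added example that is not part of the original post or of any Apple documentation, the following C program shows the two calls the question asks about side by side: SecRandomCopyBytes(kSecRandomDefault, ...) on Apple platforms (this assumes the program is built with -framework Security), and a direct read of /dev/urandom everywhere else, with the short-read and EINTR handling that a raw read of the device needs but that many snippets on the web omit. The names fill_random, read_dev_urandom, looks_uninitialized and self_test are this example's own, not API names.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifdef __APPLE__
/* SecRandomCopyBytes lives in the Security framework (link with -framework Security). */
#include <Security/Security.h>
#endif

#ifndef O_CLOEXEC
#define O_CLOEXEC 0 /* older or strict-POSIX headers may not define it */
#endif

/* Read exactly n bytes from /dev/urandom, retrying on short reads and EINTR.
   Returns 0 on success, -1 on failure with errno set. (Example helper, not an API.) */
static int read_dev_urandom(uint8_t *buf, size_t n)
{
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;

    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0) {
            if (errno == EINTR)
                continue;            /* interrupted by a signal: just retry */
            int saved = errno;
            close(fd);
            errno = saved;
            return -1;
        }
        if (r == 0) {                /* EOF on a character device: treat as an error */
            close(fd);
            errno = EIO;
            return -1;
        }
        got += (size_t)r;            /* read() may legitimately return fewer bytes */
    }
    close(fd);
    return 0;
}

/* Fill buf with n cryptographically random bytes. Returns 0 on success, -1 on failure.
   On Apple platforms this is the SecRandomCopyBytes call from the question; elsewhere
   it falls back to /dev/urandom. The return value must never be ignored. */
int fill_random(uint8_t *buf, size_t n)
{
#ifdef __APPLE__
    if (SecRandomCopyBytes(kSecRandomDefault, n, buf) != errSecSuccess)
        return -1;
    return 0;
#else
    return read_dev_urandom(buf, n);
#endif
}

/* Cheap sanity check: an all-zero buffer means the generator was never consulted
   (for example because a caller ignored a failed return). Returns 1 if all zero. */
int looks_uninitialized(const uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

/* Exercise both the normal and the zero-length path. Returns 0 on success,
   a small non-zero step number on the first failing check. */
int self_test(void)
{
    uint8_t buf[32];
    memset(buf, 0, sizeof buf);
    if (fill_random(buf, sizeof buf) != 0)
        return 1;                    /* generator call failed */
    if (looks_uninitialized(buf, sizeof buf))
        return 2;                    /* 32 zero bytes from a CSPRNG is effectively impossible */
    if (fill_random(buf, 0) != 0)
        return 3;                    /* a zero-length request must still succeed */
    return 0;
}

int main(void)
{
    uint8_t key[32];
    if (fill_random(key, sizeof key) != 0) {
        perror("fill_random");
        return 1;
    }
    for (size_t i = 0; i < sizeof key; i++)
        printf("%02x", key[i]);
    printf("\n");
    return self_test();
}
```

The point of the fallback branch is that a single read() on /dev/urandom is not guaranteed to return the full request, so any portable replacement for SecRandomCopyBytes has to loop; the point of the Apple branch is that SecRandomCopyBytes reports failure through its return value, so the only safe pattern is to check it against errSecSuccess before using the buffer.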