OneKey App random number security testing

This article provides a security testing report on the randomness of mnemonic generation in the OneKey App (software wallet), encompassing all supported operating systems by OneKey App (macOS, Windows, Android, iOS) and its respective clients (Desktop & Extension).

Conclusion

The OneKey App employs platform-specific cryptographically strong random number APIs recommended by development guidelines across Windows, macOS, iOS, and Android clients, as well as the Chrome extension. Internal testing confirms compliance with NIST SP 800-22 and FIPS 140-2 random number security standards.

  • On Chrome-based platforms (Windows, macOS), the secure pseudo-random number API crypto.getRandomValuesprovided by Chrome is utilized to generate cryptographically strong pseudo-random numbers.
  • On React Native-based Android and iOS platforms, the system-provided secure random interfacesSecureRandomandSecRandomCopyBytesare respectively called.
⚠️ Note: Although OneKey App strictly adheres to security development guidelines, the security of the random number generation can also be affected by the operating system/hardware implementation of the user's device.

Security Testing

NIST SP 800-22 FIPS 140-2

NIST SP 800-22 (National Institute of Standards and Technology Special Publication 800-22) is a document published by the National Institute of Standards and Technology (NIST) of the United States, primarily involving a statistical test suite for testing Pseudo-Random Number Generators (PRNG). It provides a set of statistical tests to evaluate the randomness and quality of bit sequences generated by random number generators.

Project

Parameters

Segment Length

1024000

Test Items

1 (All 15 tests)

Block Frequency Test - block length(M)

20480

NonOverlapping Template Test - block length(m)

10

Overlapping Template Test - block length(m)

10

Approximate Entropy Test - block length(m)

10

Serial Test - block length(m)

16

Linear Complexity Test - block length(M)

5000

bitstreams

20(20*1024000bits = 20480000bits = 20MB)

 

Windows

System: Win10 22H2; Hardware: i7-13700h

  • Desktop Client
    • The Windows desktop client for OneKey App is an Electron application that relies on the Chrome engine. Using developer tools, the mnemonic entropy generation APIcrypto.getRandomValuesis called at runtime to sample random numbers, totaling 20MB. Testing according to the defined parameters yielded a "Test Report" (see attachment below), where all items passed, meeting security requirements.
    • Results: NIST SP 800-22-windows-desktop-wini713.txt (Available in the attachment)
  • Browser Extension
    • The Chrome extension relies on the Chrome engine. Using developer tools, the mnemonic entropy generation APIcrypto.getRandomValuesis called at runtime to sample random numbers, totaling 20MB. Testing according to the defined parameters yielded a "Test Report" (see attachment below), where all items passed, meeting security requirements.
    • Results: NIST SP 800-22-windows-ext-wini713.txt (Available in the attachment)
macOS

System: Sonoma 14.6; Hardware: MacBook Pro 2020 13-inch M1

  • Desktop Client
    • The macOS desktop client for OneKey App is an Electron application that relies on the Chrome engine. Using developer tools, the mnemonic entropy generation APIcrypto.getRandomValuesis called at runtime to sample random numbers, totaling 20MB. Testing according to the defined parameters yielded a "Test Report" (see attachment below), where all items passed, meeting security requirements.
    • Results: NIST SP 800-22-macOS-desktop-macm1p.txt (Available in the attachment)
  • Browser Extension
    • The Chrome extension relies on the Chrome engine. Using developer tools, the mnemonic entropy generation APIcrypto.getRandomValuesis called at runtime to sample random numbers, totaling 20MB. Testing according to the defined parameters yielded a "Test Report" (see attachment below), where all items passed, meeting security requirements.
    • Results: NIST SP 800-22-macOS-ext-macm1p.txt (Available in the attachment)
Android

System hyperOS 1.0.4.0; Hardware Xiaomi 10s snapdragon870

  • Android Client
    • The Android client for OneKey App, being a React Native application, relies on native APIs. On Android, the system APISecureRandomis invoked whencrypto.getRandomValuesis called in the application. Using React remote JS debug, the mnemonic entropy generation APIcrypto.getRandomValuesis called at runtime to sample random numbers, totaling 20MB. Testing according to the defined parameters yielded a "Test Report" (see attachment below), where all items passed, meeting security requirements.
    • Results: NIST SP 800-22-android-app-andsm870.txt (Available in the attachment)
iOS

System: IOS 17.5; Hardware: iPhoneX A11

  • iOS Client
    • The iOS client for OneKey App, being a React Native application, relies on native APIs. On iOS, the system APISecRandomCopyBytesis invoked whencrypto.getRandomValuesis called in the application. Using React remote JS debug, the mnemonic entropy generation APIcrypto.getRandomValuesis called at runtime to sample random numbers, totaling 20MB. Testing according to the defined parameters yielded a "Test Report" (see attachment below), where all items passed, meeting security requirements.
    • Results: NIST SP 800-22-iOS-app-x.txt (Available in the attachment)

Results Attachments

Was this article helpful?
0 out of 0 found this helpful