Are there any inobvious ways of abusing GUIDs?


Question

GUIDs are typically used for uniquely identifying all kinds of entities - requests from external systems, files, whatever. They work like magic - you call a "GiveMeGuid()" (UuidCreate() on Windows) function - and a fresh new GUID is here at your service.

Given my code really calls that "GiveMeGuid()" function each time I need a new GUID, is there any not so obvious way to misuse it?

Recommended answer

Just found an answer to an old question: "How deterministic Are .Net GUIDs?". Requoting it:

It's not a complete answer, but I can tell you that the 13th hex digit is always 4 because it denotes the version of the algorithm used to generate the GUID (id est, v4); also, and I quote Wikipedia:

Cryptanalysis of the WinAPI GUID generator shows that, since the sequence of V4 GUIDs is pseudo-random, given the initial state one can predict up to the next 250 000 GUIDs returned by the function UuidCreate. This is why GUIDs should not be used in cryptography, e.g., as random keys.

So, if you get lucky and get the same seed, you'll break 250k mirrors in sequence. To quote another Wikipedia piece:

While each generated GUID is not guaranteed to be unique, the total number of unique keys (2^128 or 3.4×10^38) is so large that the probability of the same number being generated twice is extremely small.

Bottom line: maybe one form of misuse is to consider a GUID always unique.
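
An added example, not part of the original question or answer: the Python sketch below uses the standard uuid module to show which parts of a GUID are fixed or derived rather than random, including the 13th hex digit mentioned in the answer, and takes key material from the OS CSPRNG instead of a GUID generator. The sample GUIDs and the names inspect_guid and new_secret_key are constructed for illustration.

```python
import secrets
import uuid
from datetime import datetime, timedelta, timezone

# Epoch of time-based (version 1) GUIDs: 100 ns ticks since 1582-10-15.
_GUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

# Constructed sample values, not taken from any real system.
SAMPLE_V4 = "3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b"
SAMPLE_V1 = "13814000-1dd2-11b2-8000-0242ac110002"


def inspect_guid(text):
    """Report which parts of a GUID are fixed or derived, not random."""
    g = uuid.UUID(text)
    info = {
        "version_digit": g.hex[12],   # the 13th hex digit
        "version": g.version,         # None if not the RFC 4122 layout
        "random_bits_at_most": None,  # only stated for version 4 below
    }
    if g.version == 4:
        # 128 bits minus 4 version bits and 2 variant bits. This is only an
        # upper bound: a predictable generator gives far less in practice.
        info["random_bits_at_most"] = 122
    elif g.version == 1:
        # Time-based layout: creation time and node id are readable
        # directly from the value, so it leaks when and where it was made.
        info["created"] = _GUID_EPOCH + timedelta(microseconds=g.time // 10)
        info["node"] = f"{g.node:012x}"
    return info


def new_secret_key(nbytes=32):
    """Key material belongs to the OS CSPRNG, not to a GUID generator."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    for sample in (SAMPLE_V4, SAMPLE_V1, str(uuid.uuid4())):
        print(sample, inspect_guid(sample))
    print("256-bit key:", new_secret_key().hex())
```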
