将GUID压缩为64位用作登录密钥是否有风险? [英] Is it a risk squishing GUID to 64bits to use as a login key?

问题描述

在询问之前，我搜索了SO和

Before asking i searched SO and found this answer which essentially says GUID are predictable and thus should never be used for anything random. But from my understanding i disagree. However this question is about squishing a GUID

据我了解，GUID由部分MAC地址，时间和随机数组成.我不知道GUID的哪个部分是什么，但是此函数本质上将其用作2个64位int并将它们异或.我目前将结果用作1)想要重置密码的人的重置密钥. 2)登录密钥.登录时，它将在db和cookie中设置密钥.每次您访问该站点时，它都会检查cookie是否与数据库中的userid和loginkey匹配.

From my understanding a GUID is made of part MAC address, time and random number. I dont know what part of the GUID is what but this function essentially uses it as 2 64bit ints and XOR them together. I currently use the result as 1) A reset key for people who want to reset their password. 2) Login key. When you login it sets the key in the db and cookie. Everytime you visit the site it checks to see if the cookie matches the userid and loginkey with the databases.

这安全吗?对我来说，感觉很随意.字节不用于加密事物，即使您知道一个人登录到100毫秒时我也怀疑它能猜到(记住，检查是通过网络连接，而不是直接检查数据库，在这种情况下，您/可以看到该值了

Is this secure? To me it feels random enough. The bytes aren't use to encrypt things and even if you know when a person logged in down to the 100milliseconds i doubt it can guess it (keep in mind checking is via network connection, not checking the DB directly in which case you have/can see the value already)

这种用法有问题吗?

public static Int64 GuidInt64(bool noZero=true)
{
    Int64 randNum;
    do
    {
        var g = Guid.NewGuid();
        var buf = g.ToByteArray();
        var l0 = BitConverter.ToInt64(buf, 0);
        var l1 = BitConverter.ToInt64(buf, 8);
        randNum = l0 ^ l1;
    } while (noZero && randNum == 0);
    return randNum;
}

推荐答案

足够安全"是相对的，并且根据您所保护的数据的敏感程度以及受到攻击的可能性而有所不同.

"Secure enough" is relative, and varies based on how sensitive the data is that you're protecting, and the likelihood of an attack.

在银行系统上，我会有所怀疑，但在StackOverflow这样的网站上，那里的敏感数据不多，或者身份被盗(垃圾信誉除外)无法完成很多工作，我会说它足够安全.

On a banking system I'd have doubts, but on a site like StackOverflow, where there's not much sensitive data or not much that can be done with a stolen identity (except trash a reputation) I'd say it's secure enough.

这全都归结为风险和合理减轻风险.

It all boils down to risk and reasonable mitigation of the risk.

这就是说，由于现有的加密算法很多，最好还是使用单向哈希来存储用户名和密码或其他类似的安全密钥.

That said, with so many good, existing encryption algorithms, it's still better to use a one-way hash to store username and password, or other similar security keys.

这篇关于将GUID压缩为64位用作登录密钥是否有风险?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！