不可预测的唯一标识符 [英] Unpredictable Unique Identifier

问题描述

对于我正在处理的应用程序，我需要生成一个会话令牌，该令牌必须具有以下属性:

For an application I am working on, I need to generate a session token which must have following properties:

• 至少对于应用程序而言，它应该是唯一的，全局上唯一的甚至更好
• 它应该是不可预测的
• 它应该不会太长，因为它必须在http请求标头中传递，所以越小越好

我当时正在考虑使用加密的随机数来适应Guid结构，但这可能是一个过大的杀伤力.是否有人知道/创建了适合所有这些属性的数据结构?

I was thinking about adapting a Guid structure with a cryptographic random number, but it may be an overkill. Anyone know/created a data structure that would fit all those properties?

推荐答案

在这一点上让我很清楚.所有回答使用GUID的答案都是错误的，您在任何情况下都不应这样做.

Let me be very clear on this point. All of the answers saying to use a GUID are deeply wrong and you should not under any circumstances do so.

GUID规范中没有任何内容要求攻击者不可预测.如果按块分配GUID，则允许其顺序排列；允许以非加密强度的随机性创建GUID；并且，可以根据有关世界的已知事实(例如您的MAC地址和当前时间)创建GUID.没有什么要求GUID是不可预测的.

There is nothing whatsoever in the specification for GUIDs that requires that they be unpredictable by attackers. GUIDs are allowed to be sequential if allocated in blocks, GUIDs are allowed to be created with non-crypto-strength randomness, and GUIDs are allowed to be created from known facts about the world, like your MAC address and the current time. Nothing whatsoever requires that GUIDs be unpredictable.

如果您需要不可预测的会话密钥，请使用加密强度随机数生成器生成一个以生成足够多的位.

If you need an unpredictable session key then generate one using a crypto strength random number generator to make sufficiently many bits.

更普遍的是:使用正确的工具完成工作，尤其是在涉及安全性的代码方面.GUID旨在确保两家公司不会意外地将相同的标识符赋予两个不同的接口.如果那是您的应用程序，请为其使用GUID.发明GUID的目的是防止良性实体发生事故，而不是保护无辜用户免受确定的攻击者的侵害. GUID就像停车标志-在那里防止意外碰撞，而不是防止攻击坦克.

More generally: use the right tool for the job particularly when it comes to security-impacting code. GUIDs were designed to make sure that two companies did not accidentally give the same identifier to two different interfaces. If that's your application, use a GUID for it. GUIDs were invented to prevent accidents by benign entities, not to protect innocent users against determined attackers. GUIDs are like stop signs -- there to prevent accidental collisions, not to protect against attacking tanks.

GUID并非旨在解决意外事故以外的任何问题，因此在任何情况下都不要使用它们来解决加密问题.使用专为解决您的问题而设计的密码库，该库由世界一流的专家实施.

GUIDs were not designed to solve any problem other than accident prevention, so do not under any circumstances use them to solve crypto problems. Use a crypto library specifically designed to solve your problem, and implemented by world-class experts.

这篇关于不可预测的唯一标识符的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！