是微软的GUID生成器加密安全 [英] Is Microsoft's GUID generator cryptographically secure
问题描述
我已经在线搜索了多个资源,但到目前为止,无法找到一个明确的答案,即微软的GUID生成机制是否足够安全,以保证它可以用作应用程序中的唯一ID。
I have searched multiple resources online, but so far have been unable to find a definitive answer to the question of whether Microsoft's GUID generation mechanism is secure enough to warrant it's use as a unique ID across an application.
为了澄清,通过足够安全,我的意思是问用于生成GUID的算法是否有任何已知的弱点或漏洞,可能会降低GUID的有效随机性 ie导致不可忽略的数量的冲突。如果不是,这是否意味着GUID是完全不可猜测的,如果是,是否有一些方法来种子GUID生成器函数以有效地增加生成的GUID的随机性。
To clarify, by 'secure enough', I mean to ask whether the algorithm used to generate the GUID has any known weaknesses or vulnerability that could reduce the effective randomness of the GUID i.e. result in a non-negligible number of collisions. If no, does this mean the GUID is completely unguessable, and if yes, is there some way to seed the GUID generator function to effectively increase the randomness of the generated GUID.
根据MSDN指南中指定的信息( http:// msdn。 microsoft.com/en-us/library/system.guid.aspx )是否有任何迹象表明用于生成GUID的系统可以依赖于足够随机。
Based on the information specified in MSDN guide here (http://msdn.microsoft.com/en-us/library/system.guid.aspx) is there any indication that the system used to generate the GUID can be relied upon to be sufficiently random.
谢谢!
推荐答案
否。 Guid的目标是独特,但加密安全意味着不可预测。
No. The goal of the Guid is to be unique, but cryptographically secure implies that it is unpredictable. These goals sometimes, but not always, align.
如果您希望加密安全,那么您应该使用 RNGCryptoServiceProvider
If you want cryptographically secure, then you should use something like RNGCryptoServiceProvider
另请参阅:
- How Random is System.Guid.NewGuid()? (Take two)
- How securely unguessable are GUIDs?
上述链接中的关键点是Microsoft的Guid是UUID的实现, UUID规范指示它们不应用作安全性令牌:
The key point in both the above links is that Microsoft's Guid is an implementation of UUID, and the UUID spec indicates that they should not be used as security tokens:
不要假设UUID很难猜到;它们不应当被用作安全能力(例如,仅拥有授予访问权的标识符)。可预测的随机数来源会加剧这种情况。
Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example. A predictable random number source will exacerbate the situation.
这篇关于是微软的GUID生成器加密安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
