为什么MD5'UUID不是一个好主意? [英] Why is MD5'ing a UUID not a good idea?
问题描述
PHP有一个 uniqid()函数,用于生成UUID
在使用示例中,它显示以下内容:
$ token = md5(uniqid());
但在注释中,有人这样说:
从唯一ID生成MD5是
naive并且减少
唯一ID的大部分价值,以及在
MD5域上提供
有效(可攻击)限制。这是一个深深的
坏事。正确的
方法是使用
自己的唯一ID;它已经适用于
非碰撞。
为什么是真的,如果是这样?如果MD5哈希对于唯一的ID是(几乎)唯一的,那么从md5的uniqid有什么问题?
UUID是128位宽,并且具有其生成方式固有的唯一性。 MD5散列是128位宽,不能保证唯一性,只有很小的碰撞概率。 MD5哈希不小于UUID,因此它不会帮助存储。
如果你知道哈希是从UUID,它是更容易攻击,因为
如果您需要提供安全的令牌,那么您需要使用加密安全随机数生成器。(1)UUID不是设计为加密安全的,只能保证唯一。由唯一机器标识符(通常为MAC)和时间限定的单调递增序列仍然是完全有效的UUID,但是如果可以从令牌序列逆向工程单个UUID,则是高度可预测的。
$ b $加密安全PRNG的定义特性是给定迭代的结果不包含足够的信息来推断下一次迭代的值,即在生成器中存在一些隐藏状态这在数字中没有显示,并且不能通过检查来自PRNG的数字序列来推断。
如果你进入数论,你可以从一系列生成的值中找到猜测一些PRNG的内部状态的方法。 Mersenne Twister 是此类发电机的示例。它有隐藏状态,它用于获得其长期,但它不是加密安全 - 你可以采取一个相当小的数字序列,并使用它来推断内部状态。一旦你这样做,你可以使用它来攻击一个加密机制,这取决于保持该序列的秘密。
PHP has a uniqid() function which generates a UUID of sorts.
In the usage examples, it shows the following:
$token = md5(uniqid());
But in the comments, someone says this:
Generating an MD5 from a unique ID is naive and reduces much of the value of unique IDs, as well as providing significant (attackable) stricture on the MD5 domain. That's a deeply broken thing to do. The correct approach is to use the unique ID on its own; it's already geared for non-collision.
Why is this true, if so? If an MD5 hash is (almost) unique for a unique ID, then what is wrong from md5'ing a uniqid?
A UUID is 128 bits wide and has uniqueness inherent to the way it is generated. A MD5 hash is 128 bits wide and doesn't guarantee uniquess, only a low probablity of collision. The MD5 hash is no smaller than the UUID so it doesn't help with storage.
If you know the hash is from a UUID it is much easier to attack because the domain of valid UUIDs is actually fairly predictable if you know anything about the machine geneerating them.
If you needed to provide a secure token then you would need to use a cryptographically secure random number generator.(1) UUIDs are not designed to be cryptographically secure, only guaranteed unique. A monotonically increasing sequence bounded by unique machine identifiers (typically a MAC) and time is still a perfectly valid UUID but highly predictable if you can reverse engineer a single UUID from the sequence of tokens.
- The defining characteristic of a cryptographically secure PRNG is that the result of a given iteration does not contain enough information to infer the value of the next iteration - i.e. there is some hidden state in the generator that is not revealed in the number and cannot be inferred by examining a sequence of numbers from the PRNG.
If you get into number theory you can find ways to guess the internal state of some PRNGs from a sequence of generated values. Mersenne Twister is an example of such a generator. It has hidden state that it used to get its long period but it is not cryptographically secure - you can take a fairly small sequence of numbers and use that to infer the internal state. Once you've done this you can use it to attack a cryptographic mechanism that depends on keeping that sequence a secret.
这篇关于为什么MD5'UUID不是一个好主意?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
