如何安全是在predictability方面的GUID? [英] How secure are GUIDs in terms of predictability?
问题描述
我们正在使用.NET的 Guid.NewGuid()来生成激活codeS和API密钥目前。我不知道这是否会带来安全问题,因为他们的算法是开放的。
.NET的Guid使用Win32的 CoCreateGuid ,我不知道它的内部(可能是MAC地址+时间戳?)。有人可以推导出第二个GUID列第一个,或可他打了一些聪明的猜测或者是随机性不够好,所以搜索空间变得太大了?
生成随机密钥已经碰撞的问题,它们需要加入到数据库之前的双重检查。这就是为什么我们坚持的GUID,但我不能确定他们为这些目的的安全性。
下面是4个连续输出的uuidgen:
c44dc549-5d92-4330-b451-b29a87848993 d56d4c8d-bfba-4b95-8332-e86d7f204c1c 63cdf958-9d5a-4b63-ae65-74e4237888ea 6fd09369-0fbd-456d-9c06-27fef4c8eca5
下面是其中4个由 Guid.NewGuid():
0652b193-64c6-4c5e-ad06-9990e1ee3791 374b6313-34a0-4c28-b336-bb2ecd879d0f 3c5a345f-3865-4420-A62C-1cdfd2defed9 5b09d7dc-8546-4ccf-9c85-de0bf4f43bf0
GUID是相当随机的,但它们不旨在被用作随机数 - 其唯一目的在于以唯一地标识的实体,因此它们可以是predictable。
<一个href="http://stackoverflow.com/questions/3307275/how-do-i-generate-a-set-of-random-strings-in-a-c-program-so-that-they-are-not-tr/3307305#3307305">Use System.Security.Cryptography.RandomNumberGenerator而是的。
We're using .NET's Guid.NewGuid() to generate activation codes and API keys currently. I wonder if that poses a security problem since their algorithm is open.
.NET Guid uses Win32 CoCreateGuid and I don't know its internals (possibly MAC address + timestamp?). Can someone derive a second GUID out of the first one, or can he hit it with some smart guesses or is the randomness good enough so search space becomes too big?
Generating random keys have the problem of collision, they need a double check before adding to a database. That's why we stuck with GUIDs but I'm unsure about their security for these purposes.
Here are the 4 consecutive UUIDGEN outputs:
c44dc549-5d92-4330-b451-b29a87848993 d56d4c8d-bfba-4b95-8332-e86d7f204c1c 63cdf958-9d5a-4b63-ae65-74e4237888ea 6fd09369-0fbd-456d-9c06-27fef4c8eca5
Here are 4 of them by Guid.NewGuid():
0652b193-64c6-4c5e-ad06-9990e1ee3791 374b6313-34a0-4c28-b336-bb2ecd879d0f 3c5a345f-3865-4420-a62c-1cdfd2defed9 5b09d7dc-8546-4ccf-9c85-de0bf4f43bf0
GUIDs are quite random, but they are not intended to be used as random numbers - their sole purpose is to uniquely identify entities, so they can be predictable.
Use System.Security.Cryptography.RandomNumberGenerator instead.
这篇关于如何安全是在predictability方面的GUID?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
