在Windows 2003上生成的GUID是否可以安全地用作会话ID? [英] Are GUIDs generated on Windows 2003 safe to use as session IDs?

问题描述

我的Web应用程序仅通过SSL运行，并在每个用户成功使用用户名和密码登录后为他们设置了时间限制的cookie.系统中最大的弱点是破坏了现有用户的Cookie.还有两个猜测会话ID的GUID.

My web application operates only over SSL and sets a time limited cookie for each user after they successfully login with a username and password. The biggest weaknesses in the system are one compromising an existing user's cookie. And two guessing a session ID GUID.

我知道第一个弱点的机制，但我想知道我是否需要担心攻击者有可能基于他们先前通过登录到已设置的帐户获得的GUID来猜测会话ID GUID的机会?在这种情况下，Web服务器是Windows 2003，并且使用.Net 3.5生成了GUID.

I know of mechanisms for the first weakness but I'm wondering how much I need to worry about the chance of an attacker guessing a session ID GUID based on a GUID they have previously obtained by logging into an account they have set up? The web server in this case is Windows 2003 and the GUIDs are being generated with .Net 3.5.

推荐答案

GUID并非旨在加密保护，而是唯一的.相当多的格式是可以预测的-48位MAC地址，如果您知道它是如何生成的，则时间戳是可以预测的，另外还有一些位可以处理时间戳冲突.技术上老练的攻击者很有可能对GUID进行反向工程.

GUIDs are not intended to be cryptographically secure, just unique. Quite a lot of the format is predictable - 48 bit MAC address, a timestamp that is somewhat predictable if you know how it's generated and another few bits to deal with timestamp collisions. A technically sophisiticated attacker has a pretty good chance of reverse engineering a GUID.

您确实需要使用加密方式安全的PRNG 来获得安全的会话密钥.

You really need a cryptographically secure PRNG for a secure session key.

这篇关于在Windows 2003上生成的GUID是否可以安全地用作会话ID?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！