NEWSEQUENTIALID的可预测性如何? [英] How predictable is NEWSEQUENTIALID?
问题描述
根据 Microsoft在NEWSEQUENTIALID
上的文档,其输出NEWSEQUENTIALID是可预测的.但是可预测性如何呢?假设我有一个NEWSEQUENTIALID
生成的GUID,那么要困难多少:
According to Microsoft's documentation on NEWSEQUENTIALID
, the output of NEWSEQUENTIALID is predictable. But how predictable is predictable? Say I have a GUID that was generated by NEWSEQUENTIALID
, how hard would it be to:
- 计算下一个值?
- 计算先前的值?
- 计算第一个值?
- 即使根本不知道任何GUID,也要计算第一个值?
- 计算行数?例如.使用整数时,
/order?id=842
告诉我应用程序中有842个订单.
- Calculate the next value?
- Calculate the previous value?
- Calculate the first value?
- Calculate the first value, even without knowing any GUID's at all?
- Calculate the amount of rows? E.g. when using integers,
/order?id=842
tells me that there are 842 orders in the application.
以下是有关我在做什么以及各种折衷方法的一些背景信息.
Below is some background information about what I am doing and what the various tradeoffs are.
使用GUID的整数而不是整数作为主键的安全性好处之一是,GUID很难猜测.例如.例如,黑客看到一个/user?id=845
之类的URL时,他可能会尝试访问/user?id=0
,因为数据库中的第一个用户很可能是管理用户.而且,黑客可以遍历/user?id=0..1..2
来快速收集所有用户.
One of the security benefits of using GUID's over integers as primary keys is that GUID's are hard to guess. E.g. say a hacker sees a URL like /user?id=845
he might try to access /user?id=0
, since it is probable that the first user in the database is an administrative user. Moreover, a hacker can iterate over /user?id=0..1..2
to quickly gather all users.
类似地,整数的 privacy 缺点是它们泄漏信息. /order?id=482
告诉我,网上商店自实施以来已有482个订单.
Similarly, a privacy downside of integers is that they leak information. /order?id=482
tells me that the web shop has had 482 orders since its implementation.
不幸的是,使用GUID作为主键具有众所周知的性能缺点.为此,SQL Server引入了NEWSEQUENTIALID
函数.在这个问题中,我想学习NEWSEQUENTIALID
的输出的可预测性.
Unfortunately, using GUID's as primary keys has well-known performance downsides. To this end, SQL Server introduced the NEWSEQUENTIALID
function. In this question, I would like to learn how predictable the output of NEWSEQUENTIALID
is.
推荐答案
底层操作系统功能为每个操作系统启动的增量值一个>.参见 RFC4122 . SQL Server做一些
The underlying OS function is UuidCreateSequential
. The value is derived from one of your network cards MAC address and a per-os-boot incremental value. See RFC4122. SQL Server does some byte-shuffling to make the result sort properly. So the value is highly predictable, in a sense. Specifically, if you know a value you can immediately predict a range of similar value.
但是,人们无法预测id=0
的等价物,也不能预测52DE358F-45F1-E311-93EA-00269E58F20D
意味着该商店至少出售了482件商品.
However one cannot predict the equivalent of id=0
, nor can it predict that 52DE358F-45F1-E311-93EA-00269E58F20D
means the store sold at least 482 items.
唯一经过批准"的随机生成是 CRYPT_GEN_RANDOM
(包裹 CryptGenRandom
),但这显然是一个可怕的关键候选人.
The only 'approved' random generation is CRYPT_GEN_RANDOM
(which wraps CryptGenRandom
) but that is obviously a horrible key candidate.
这篇关于NEWSEQUENTIALID的可预测性如何?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!