NEWSEQUENTIALID的可预测性如何? [英] How predictable is NEWSEQUENTIALID?
问题描述
根据 Microsoft在NEWSEQUENTIALID 上的文档,其输出NEWSEQUENTIALID是可预测的.但是可预测性如何呢?假设我有一个NEWSEQUENTIALID生成的GUID,那么要困难多少:
According to Microsoft's documentation on NEWSEQUENTIALID, the output of NEWSEQUENTIALID is predictable. But how predictable is predictable? Say I have a GUID that was generated by NEWSEQUENTIALID, how hard would it be to:
- 计算下一个值?
- 计算先前的值?
- 计算第一个值?
- 即使根本不知道任何GUID,也要计算第一个值?
- 计算行数?例如.使用整数时,
/order?id=842告诉我应用程序中有842个订单.
- Calculate the next value?
- Calculate the previous value?
- Calculate the first value?
- Calculate the first value, even without knowing any GUID's at all?
- Calculate the amount of rows? E.g. when using integers,
/order?id=842tells me that there are 842 orders in the application.
以下是有关我在做什么以及各种折衷方法的一些背景信息.
Below is some background information about what I am doing and what the various tradeoffs are.
使用GUID的整数而不是整数作为主键的安全性好处之一是,GUID很难猜测.例如.例如,黑客看到一个/user?id=845之类的URL时,他可能会尝试访问/user?id=0,因为数据库中的第一个用户很可能是管理用户.而且,黑客可以遍历/user?id=0..1..2来快速收集所有用户.
One of the security benefits of using GUID's over integers as primary keys is that GUID's are hard to guess. E.g. say a hacker sees a URL like /user?id=845 he might try to access /user?id=0, since it is probable that the first user in the database is an administrative user. Moreover, a hacker can iterate over /user?id=0..1..2 to quickly gather all users.
类似地,整数的 privacy 缺点是它们泄漏信息. /order?id=482告诉我,网上商店自实施以来已有482个订单.
Similarly, a privacy downside of integers is that they leak information. /order?id=482 tells me that the web shop has had 482 orders since its implementation.
不幸的是,使用GUID作为主键具有众所周知的性能缺点.为此,SQL Server引入了NEWSEQUENTIALID函数.在这个问题中,我想学习NEWSEQUENTIALID的输出的可预测性.
Unfortunately, using GUID's as primary keys has well-known performance downsides. To this end, SQL Server introduced the NEWSEQUENTIALID function. In this question, I would like to learn how predictable the output of NEWSEQUENTIALID is.
推荐答案
底层操作系统功能为每个操作系统启动的增量值.参见 RFC4122 . SQL Server做一些
The underlying OS function is UuidCreateSequential. The value is derived from one of your network cards MAC address and a per-os-boot incremental value. See RFC4122. SQL Server does some byte-shuffling to make the result sort properly. So the value is highly predictable, in a sense. Specifically, if you know a value you can immediately predict a range of similar value.
但是,人们无法预测id=0的等价物,也不能预测52DE358F-45F1-E311-93EA-00269E58F20D意味着该商店至少出售了482件商品.
However one cannot predict the equivalent of id=0, nor can it predict that 52DE358F-45F1-E311-93EA-00269E58F20D means the store sold at least 482 items.
唯一经过批准"的随机生成是 CRYPT_GEN_RANDOM (包裹 CryptGenRandom ),但这显然是一个可怕的关键候选人.
The only 'approved' random generation is CRYPT_GEN_RANDOM (which wraps CryptGenRandom) but that is obviously a horrible key candidate.
这篇关于NEWSEQUENTIALID的可预测性如何?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
