Microsoft 的 GUID 生成器在密码学上是否安全 [英] Is Microsoft's GUID generator cryptographically secure
问题描述
我已经在网上搜索了多个资源,但到目前为止,对于 Microsoft 的 GUID 生成机制是否足够安全以保证将其用作跨应用程序的唯一 ID 的问题,我无法找到明确的答案.
I have searched multiple resources online, but so far have been unable to find a definitive answer to the question of whether Microsoft's GUID generation mechanism is secure enough to warrant it's use as a unique ID across an application.
为了澄清,通过足够安全",我的意思是询问用于生成 GUID 的算法是否有任何已知的弱点或漏洞,可能会降低 GUID 的有效随机性即导致不可忽略的碰撞次数.如果不是,这是否意味着 GUID 完全不可猜测,如果是,是否有某种方法可以为 GUID 生成器函数播种以有效增加生成的 GUID 的随机性.
To clarify, by 'secure enough', I mean to ask whether the algorithm used to generate the GUID has any known weaknesses or vulnerability that could reduce the effective randomness of the GUID i.e. result in a non-negligible number of collisions. If no, does this mean the GUID is completely unguessable, and if yes, is there some way to seed the GUID generator function to effectively increase the randomness of the generated GUID.
基于此处 MSDN 指南中指定的信息 (http://msdn.microsoft.com/en-us/library/system.guid.aspx)是否有任何迹象表明可以依赖用于生成 GUID 的系统足够随机.
Based on the information specified in MSDN guide here (http://msdn.microsoft.com/en-us/library/system.guid.aspx) is there any indication that the system used to generate the GUID can be relied upon to be sufficiently random.
谢谢!
推荐答案
没有.Guid 的目标是唯一,但加密安全意味着它是不可预测的.这些目标有时(但并非总是)一致.
No. The goal of the Guid is to be unique, but cryptographically secure implies that it is unpredictable. These goals sometimes, but not always, align.
如果您想要加密安全,那么您应该使用类似 RNGCryptoServiceProvider
If you want cryptographically secure, then you should use something like RNGCryptoServiceProvider
另见:
以上两个链接的重点是微软的Guid是UUID的实现,UUID 规范表明它们不应用作安全令牌:
The key point in both the above links is that Microsoft's Guid is an implementation of UUID, and the UUID spec indicates that they should not be used as security tokens:
不要假设 UUID 很难猜;例如,它们不应该用作安全功能(仅拥有授予访问权限的标识符).一个可预测的随机数来源会加剧这种情况.
Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example. A predictable random number source will exacerbate the situation.
这篇关于Microsoft 的 GUID 生成器在密码学上是否安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
