是微软的GUID生成加密安全 [英] Is Microsoft's GUID generator cryptographically secure
问题描述
我有搜索多个在线资源,但至今一直未能找到一个明确的答案对微软的GUID生成机制是否足够安全,以保证它的使用作为跨应用程序的唯一ID的问题。
I have searched multiple resources online, but so far have been unable to find a definitive answer to the question of whether Microsoft's GUID generation mechanism is secure enough to warrant it's use as a unique ID across an application.
要澄清一下,用足够安全,我的意思是问算法是否用于生成GUID有任何已知的弱点或漏洞,它可能减少的GUID 即有效的随机性导致碰撞的一些不可忽视的。如果没有,这是否意味着GUID是完全不可猜测,如果是,有一些方法,以种子的GUID发电机的功能,有效地提高了生成的GUID的随机性。
To clarify, by 'secure enough', I mean to ask whether the algorithm used to generate the GUID has any known weaknesses or vulnerability that could reduce the effective randomness of the GUID i.e. result in a non-negligible number of collisions. If no, does this mean the GUID is completely unguessable, and if yes, is there some way to seed the GUID generator function to effectively increase the randomness of the generated GUID.
莅临指导(的http:// msdn.microsoft.com/en-us/library/system.guid.aspx )是没有任何迹象表明用于产生该GUID的系统可以依靠是足够随机
Based on the information specified in MSDN guide here (http://msdn.microsoft.com/en-us/library/system.guid.aspx) is there any indication that the system used to generate the GUID can be relied upon to be sufficiently random.
谢谢!
推荐答案
没有。 GUID的目标是成为唯一,但密码安全意味着它是未predictable 。这些目标有时但不总是,对齐
No. The goal of the Guid is to be unique, but cryptographically secure implies that it is unpredictable. These goals sometimes, but not always, align.
如果你想加密保护,那么你应该使用类似<一个href="http://msdn.microsoft.com/en-us/library/system.security.cryptography.rngcryptoserviceprovider.aspx"相对=nofollow> RNGCryptoServiceProvider
If you want cryptographically secure, then you should use something like RNGCryptoServiceProvider
另请参阅:
- How Random is System.Guid.NewGuid()? (Take two)
- How securely unguessable are GUIDs?
在上述两个环节的关键点是,微软的GUID是UUID的实现,和的 UUID规范表示,他们不应该被用来作为安全令牌:
The key point in both the above links is that Microsoft's Guid is an implementation of UUID, and the UUID spec indicates that they should not be used as security tokens:
不要假设的UUID是很难猜测;他们不应该被用作安全功能(标识符,其仅仅拥有授予访问权限),例如。一个predictable随机数源将加剧这种情况。
Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example. A predictable random number source will exacerbate the situation.
这篇关于是微软的GUID生成加密安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
