How Random is System.Guid.NewGuid()? (Take two)


Question

Before you start marking this as a duplicate, read me out. The other question has a (most likely) incorrect accepted answer.

I do not know how .NET generates its GUIDs, probably only Microsoft does, but there's a high chance it simply calls CoCreateGuid(). That function however is documented to be calling UuidCreate(). And the algorithms for creating a UUID are pretty well documented.

Long story short, be as it may, it seems that System.Guid.NewGuid() indeed uses version 4 UUID generation algorithm, because all the GUIDs it generates match the criteria (see for yourself, I tried a couple million GUIDs, they all matched).

In other words, these GUIDs are almost random, except for a few known bits.

This then again raises the question - how random IS this random? As every good little programmer knows, a pseudo-random number algorithm is only as random as its seed (aka entropy). So what is the seed for UuidCreate()? How often is the PRNG re-seeded? Is it cryptographically strong, or can I expect the same GUIDs to start pouring out if two computers accidentally call System.Guid.NewGuid() at the same time? And can the state of the PRNG be guessed if sufficiently many sequentially generated GUIDs are gathered?

Added: To clarify, I'd like to find out how random can I trust it to be and thus - where can I use it. So, let's establish a rough "randomness" scale here:

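  1. Basic randomness, taking the current time as the seed. Usable for shuffling cards in Solitaire but little else, as collisions are too easy to come by even without trying.
  2. More advanced randomness, using not only the time but also other machine-specific factors for the seed. Perhaps also seeded only once, on system startup. This can be used for generating IDs in a DB because duplicates are unlikely. Still, it's not good for security because the results can be predicted with enough effort.
  3. Cryptographically random, using device noise or other advanced sources of randomness for the seed. Re-seeded on every invocation or at least pretty often. Can be used for session IDs, handed out to untrusted parties, etc.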

I arrived at this question while thinking if it would be OK to use them as DB IDs, and whether the Guid.comb algorithm implementation together with System.Guid.NewGuid() (like NHibernate does it) would be flawed or not.

Recommended answer

The accepted answer to a related question (http://stackoverflow.com/questions/917617/is-using-a-guid-a-valid-way-to-generate-a-random-string-of-characters-and-numbers) states:

A GUID doesn't make guarantees about randomness, it makes guarantees around uniqueness. If you want randomness, use Random to generate a string.

Anything else is an implementation detail (and might change).

Update: To make my point clearer: Even if the current .NET 3.5 implementation produced a truly random guid (which is not the case) there is no guarantee that this would be the case in the future or true for other implementations of the BCL (e.g. Mono, Silverlight, CF, etc)

Update 2: The format of UUID is specified by RFC4122. Section 6 makes an explicit statement on security:

Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example. A predictable random number source will exacerbate the situation.
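
An added example, not part of the original question or answer: it repeats the question's version-bit check on Guid.NewGuid() output and, for the session-ID case that the RFC 4122 quote warns about, draws the token from System.Security.Cryptography.RandomNumberGenerator instead. The names GuidVsToken, IsVersion4 and NewSessionToken are made up for this illustration.

```csharp
using System;
using System.Security.Cryptography;

static class GuidVsToken
{
    // RFC 4122 layout check. Guid.ToByteArray() stores the first three
    // fields little-endian, so the version nibble is the high nibble of
    // byte 7 and the variant bits are the top two bits of byte 8.
    static bool IsVersion4(Guid g)
    {
        byte[] b = g.ToByteArray();
        bool version4 = (b[7] >> 4) == 0x4;       // version field == 4
        bool rfcVariant = (b[8] & 0xC0) == 0x80;  // variant bits == 10
        return version4 && rfcVariant;
    }

    // Hypothetical helper: a session token taken from the platform's
    // cryptographic RNG, so unpredictability is part of the API contract
    // rather than an implementation detail of Guid.NewGuid().
    static string NewSessionToken(int byteLength = 32)
    {
        byte[] buf = new byte[byteLength];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(buf);
        }
        // URL-safe base64 without padding
        return Convert.ToBase64String(buf)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    static void Main()
    {
        const int samples = 1000000;
        int v4 = 0;
        for (int i = 0; i < samples; i++)
        {
            if (IsVersion4(Guid.NewGuid())) v4++;
        }

        Console.WriteLine("{0} of {1} GUIDs have the version 4 layout", v4, samples);
        // 128 bits minus 4 fixed version bits and 2 fixed variant bits
        Console.WriteLine("Bits not fixed by the format: {0}", 128 - 4 - 2);
        Console.WriteLine("Database ID (uniqueness only): {0}", Guid.NewGuid());
        Console.WriteLine("Session token (256 bits, CSPRNG): {0}", NewSessionToken());
    }
}
```

The layout check only shows which bits are fixed by the format; it says nothing about how the remaining bits are produced, which is why the token comes from a different API.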
