 

Are there any inobvious ways of abusing GUIDs?

GUIDs are typically used for uniquely identifying all kinds of entities: requests from external systems, files, whatever. They work like magic: you call a "GiveMeGuid()" (UuidCreate() on Windows) function, and a fresh new GUID is here at your service.

Given that my code really calls that "GiveMeGuid()" function each time I need a new GUID, is there any not-so-obvious way to misuse it?

sharptooth asked Jan 23 '23 21:01



2 Answers

Just found an answer to an old question, "How deterministic Are .Net GUIDs?". Requoting it:

It's not a complete answer, but I can tell you that the 13th hex digit is always 4 because it denotes the version of the algorithm used to generate the GUID (id est, v4); also, and I quote Wikipedia:

Cryptanalysis of the WinAPI GUID generator shows that, since the sequence of V4 GUIDs is pseudo-random, given the initial state one can predict up to the next 250 000 GUIDs returned by the function UuidCreate. This is why GUIDs should not be used in cryptography, e.g., as random keys.

So, if you get lucky and get the same seed, you'll break 250k mirrors in sequence. To quote another Wikipedia piece:

While each generated GUID is not guaranteed to be unique, the total number of unique keys (2^128 or 3.4×10^38) is so large that the probability of the same number being generated twice is extremely small.

Bottom line: maybe one form of misuse is to consider GUIDs always unique.

Rubens Farias answered Feb 01 '23 06:02



It depends. Some implementations of GUID generation are time dependent, so calling CreateGuid in quick succession MAY create clashing GUIDs.

edit: I now remember the problem. I was once working on some PHP code where the GUID-generating function was reseeding the RNG with the system time on each call. Don't do this.

DanDan answered Feb 01 '23 05:02

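The two answers above describe the same failure class from two angles: the 13th hex digit only advertises the version, and a v4 GUID whose 122 "random" bits come from a predictable or time-reseeded PRNG is neither secret nor reliably unique. The following Python script is added here as an example; it is not code from the question or from either answer. It checks the version/variant nibbles, then puts a hypothetical time-reseeded generator (modelled on the PHP bug DanDan describes) beside Python's os.urandom-backed uuid4(). The TimeReseededGuidGen class, predict_guid(), the frozen timestamp and every other name below are constructed for this example.

```python
import random
import time
import uuid

# Added example (not code from the original question or answers). It inspects
# the version/variant nibbles discussed in the first answer and models the
# time-reseeded PRNG bug described in the second answer.


def version_nibble(guid: str) -> int:
    """Return the 13th hex digit of a canonical GUID: the RFC 4122 version field."""
    hex_digits = guid.replace("-", "").lower()
    if len(hex_digits) != 32:
        raise ValueError("expected a canonical 32-hex-digit GUID")
    return int(hex_digits[12], 16)


def variant_bits(guid: str) -> str:
    """Return the top two bits of the 17th hex digit; RFC 4122 GUIDs carry '10'."""
    hex_digits = guid.replace("-", "").lower()
    if len(hex_digits) != 32:
        raise ValueError("expected a canonical 32-hex-digit GUID")
    return format(int(hex_digits[16], 16), "04b")[:2]


def is_v4_shaped(guid: str) -> bool:
    """True if the GUID advertises itself as a random (version 4) RFC 4122 GUID.
    This says nothing about how random the other 122 bits actually are."""
    return version_nibble(guid) == 4 and variant_bits(guid) == "10"


def fresh_guid() -> str:
    """A v4 GUID from Python's uuid4(), which draws its bytes from os.urandom()."""
    return str(uuid.uuid4())


class TimeReseededGuidGen:
    """Deliberately flawed generator (hypothetical, modelled on the PHP bug in the
    second answer): it reseeds a non-cryptographic PRNG with the wall clock,
    truncated to whole seconds, on every single call."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._rng = random.Random()

    def generate(self) -> str:
        self._rng.seed(int(self._clock()))
        # version=4 stamps the version and variant bits, so the result looks fine
        return str(uuid.UUID(int=self._rng.getrandbits(128), version=4))


def predict_guid(seed: int) -> str:
    """What an attacker does against the generator above: knowing (or guessing,
    a few seconds either way) the seed reproduces the 'random' GUID exactly."""
    rng = random.Random(seed)
    return str(uuid.UUID(int=rng.getrandbits(128), version=4))


def duplicates_in_burst(generate, n: int) -> int:
    """Number of repeated GUIDs among n back-to-back calls of generate()."""
    seen = [generate() for _ in range(n)]
    return n - len(set(seen))


def run_demo(fixed_seconds: int = 1_700_000_000) -> dict:
    """Freeze the clock at a constructed timestamp so the demonstration is
    deterministic; with a real clock every call in the same second collides."""
    flawed = TimeReseededGuidGen(clock=lambda: fixed_seconds + 0.5)
    sample = flawed.generate()
    return {
        "flawed_looks_like_v4": is_v4_shaped(sample),
        "flawed_duplicates_in_100": duplicates_in_burst(flawed.generate, 100),
        "flawed_predicted_correctly": predict_guid(fixed_seconds) == sample,
        "urandom_looks_like_v4": is_v4_shaped(fresh_guid()),
        "urandom_duplicates_in_1000": duplicates_in_burst(fresh_guid, 1000),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Both generators produce GUIDs that pass the version-4 shape check, which is the point: the 13th digit tells you which algorithm was claimed, not how much entropy went in. With the frozen clock the flawed generator returns the same GUID for all 100 calls and an outsider who knows the second reproduces it with predict_guid(); swap in the real clock (`TimeReseededGuidGen()`) and every call within one wall-clock second still collides. In practice, treat a GUID as an identifier only, and mint anything that must be unguessable (session tokens, reset links, API keys) from a CSPRNG such as os.urandom or secrets.token_bytes rather than from the GUID function.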