GUIDs get used a lot in creating session keys for web applications. I've always wondered about the safety of this practice. Since the GUID is generated based on information from the machine, and the time, along with a few other factors, how hard is it to guess of likely GUIDs that will come up in the future. Let's say you started 1000, or 10000 new sessions, to get a good dataset of the GUIDs being generated. Would this make it any easier to generate a GUID that might be used for another session. You wouldn't even have to guess a specific GUID, but just keep on trying GUIDs that might be generated at a specific period of time.
If someone kept hitting a server with a continuous stream of GUIDs it would be more of a denial of service attack than anything else. The possibility of someone guessing a GUID is next to nil.
The odds of guessing any one GUID is 1 / 2^128. This assumes that each single byte of the GUID is truly random. To ensure that GUIDs are unique among hosts, most parts of a UUID are actually fixed (e.g. a MAC address).
Basically, a a GUID is generated using a combination of: The MAC address of the machine used to generate the GUID (so GUIDs generated on different machines are unique unless MAC addresses are re-used) Timestamp (so GUIDs generated at different times on the same machine are unique)
About 1 in 2^128. No, the computer doesn't keep track. But no, the chances of a duplicate GUID are so low as to not be relevant.
Here is some stuff from Wikipedia (original source):
V1 GUIDs which contain a MAC address and time can be identified by the digit "1" in the first position of the third group of digits, for example {2f1e4fc0-81fd-11da-9156-00036a0f876a}.
In my understanding, they don't really hide it.
V4 GUIDs use the later algorithm, which is a pseudo-random number. These have a "4" in the same position, for example {38a52be4-9352-453e-af97-5c3b448652f0}. More specifically, the 'data3' bit pattern would be 0001xxxxxxxxxxxx in the first case, and 0100xxxxxxxxxxxx in the second. Cryptanalysis of the WinAPI GUID generator shows that, since the sequence of V4 GUIDs is pseudo-random, given the initial state one can predict up to next 250 000 GUIDs returned by the function UuidCreate1. This is why GUIDs should not be used in cryptography, e. g., as random keys.
GUIDs are guaranteed to be unique and that's about it. Not guaranteed to be be random or difficult to guess.
TO answer you question, at least for the V1 GUID generation algorithm if you know the algorithm, MAC address and the time of the creation you could probably generate a set of GUIDs one of which would be one that was actually generated. And the MAC address if it's a V1 GUID can be determined from sample GUIDs from the same machine.
Additional tidbit from wikipedia:
The OSF-specified algorithm for generating new GUIDs has been widely criticized. In these (V1) GUIDs, the user's network card MAC address is used as a base for the last group of GUID digits, which means, for example, that a document can be tracked back to the computer that created it. This privacy hole was used when locating the creator of the Melissa worm. Most of the other digits are based on the time while generating the GUID.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With