Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How predictable is NEWSEQUENTIALID?

Tags:

sql

guid

sql-server

primary-key

newsequentialid

According to Microsoft's documentation on NEWSEQUENTIALID, the output of NEWSEQUENTIALID is predictable. But how predictable is predictable? Say I have a GUID that was generated by NEWSEQUENTIALID, how hard would it be to:

  • Calculate the next value?
  • Calculate the previous value?
  • Calculate the first value?
  • Calculate the first value, even without knowing any GUID's at all?
  • Calculate the amount of rows? E.g. when using integers, /order?id=842 tells me that there are 842 orders in the application.

Below is some background information about what I am doing and what the various tradeoffs are.

One of the security benefits of using GUID's over integers as primary keys is that GUID's are hard to guess. E.g. say a hacker sees a URL like /user?id=845 he might try to access /user?id=0, since it is probable that the first user in the database is an administrative user. Moreover, a hacker can iterate over /user?id=0..1..2 to quickly gather all users.

Similarly, a privacy downside of integers is that they leak information. /order?id=482 tells me that the web shop has had 482 orders since its implementation.

Unfortunately, using GUID's as primary keys has well-known performance downsides. To this end, SQL Server introduced the NEWSEQUENTIALID function. In this question, I would like to learn how predictable the output of NEWSEQUENTIALID is.

like image 749
Martin Devillers Avatar asked Jun 11 '14 08:06

Martin Devillers

2 Answers

In most cases, the next newsequentialid can be predicted by taking the current value and adding one to the first hex pair.

In other words:

1E29E599-45F1-E311-80CA-00155D008B1C

is followed by

1F29E599-45F1-E311-80CA-00155D008B1C

is followed by

2029E599-45F1-E311-80CA-00155D008B1C

Occasionally, the sequence will restart from a new value.

So, it's very predictable

NewSequentialID is a wrapper around the windows function UuidCreateSequential

like image 188
podiluska Avatar answered Sep 22 '22 12:09

podiluska

The underlying OS function is UuidCreateSequential. The value is derived from one of your network cards MAC address and a per-os-boot incremental value. See RFC4122. SQL Server does some byte-shuffling to make the result sort properly. So the value is highly predictable, in a sense. Specifically, if you know a value you can immediately predict a range of similar value.

However one cannot predict the equivalent of id=0, nor can it predict that 52DE358F-45F1-E311-93EA-00269E58F20D means the store sold at least 482 items.

The only 'approved' random generation is CRYPT_GEN_RANDOM (which wraps CryptGenRandom) but that is obviously a horrible key candidate.

like image 45
Remus Rusanu Avatar answered Sep 18 '22 12:09

Remus Rusanu
Sign in to Comment

Related questions

invalid character when running liquibase script
MySQL alter table and convert data from text to datetime
ORDER BY AND CASE IN SQL SERVER
ENUM and types creation in SQLite
Retrieve output parameter of SQL statement
Return Top N rows for each group (Vertica/vsql)
Android: how to query SQLiteDatabase with non-string selection args?
SQL: Combine multiple columns into one for sorting (output only)
How to display only date in GridView when pulling data from a DB? C#
Any difference between union all corresponding and outer union corresponding?
What are the merits of using numeric row IDs in MySQL?
Increment File Name Before Extension By 1 in the Database
Postgis SQL for nearest neighbors
What does %% in PL/pgSQL mean?
MySQL - different behaviour for = "" and != "" with regards to null
Why is concatenating SQL strings a bad idea?
Postgres JOIN implementation
how to set default value for text type in mysql
Create an empty array in an SQL query using PostgreSQL instead of an array with NULL inside
How to access context after each Entity Framework db migration

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!