Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is Microsoft's GUID generator cryptographically secure

I have searched multiple resources online, but so far have been unable to find a definitive answer to the question of whether Microsoft's GUID generation mechanism is secure enough to warrant it's use as a unique ID across an application.

To clarify, by 'secure enough', I mean to ask whether the algorithm used to generate the GUID has any known weaknesses or vulnerability that could reduce the effective randomness of the GUID i.e. result in a non-negligible number of collisions. If no, does this mean the GUID is completely unguessable, and if yes, is there some way to seed the GUID generator function to effectively increase the randomness of the generated GUID.

Based on the information specified in MSDN guide here (http://msdn.microsoft.com/en-us/library/system.guid.aspx) is there any indication that the system used to generate the GUID can be relied upon to be sufficiently random.

Thanks!

like image 767
raTM Avatar asked Jul 01 '13 15:07

raTM


People also ask

Is a GUID cryptographically secure?

The random GUIDs you create with the Guid. NewGuid method are not known to be cryptographically secure. Thus, it's theoretically possible for a user to predict a GUID value that you generate for another user or task and use this to exploit weaknesses in your system.

Is it safe to use GUID?

For example, one person wondered whether it was okay to use the first eight characters of a GUID as a temporary account password. This is a really bad idea. GUIDs are designed for uniqueness, not for security.

How easy is it to guess a GUID?

Depends. It is hard if the GUIDs are set up sensibly, e.g. using salted secure hashes and you have plenty of bits. It is weak if the GUIDs are short and obvious.

How much entropy does a GUID have?

The generated GUID contains 122 bits of strong entropy. On non-Windows platforms, starting with . NET 6, this function calls the OS's underlying cryptographically secure pseudo-random number generator (CSPRNG) to generate 122 bits of strong entropy. In previous versions of .


1 Answers

I'm going to disagree with the accepted answer. While it's generally a bad idea to go against the advice of an RFC, in this case I was able to find MSDN documentation specifying that Microsoft indeed took the obvious, helpful route and tied a cryptographically-secure RNG into the generation of v4 GUIDs:

According to https://msdn.microsoft.com/en-us/library/system.guid.newguid(v=vs.110).aspx, .NET's GUID creation just wraps the Windows functions CoCreateGuid and UuidCreate. And according to http://download.microsoft.com/download/5/0/1/501ED102-E53F-4CE0-AA6B-B0F93629DDC6/Windows/%5BMS-WSO%5D.pdf, since Windows 2000 back in 1999,

"the random bits for all version 4 GUIDs built in Windows are obtained via the Windows CryptGenRandom cryptographic API or the equivalent, the same source that is used for generation of cryptographic keys"

So I'd say you could call them cryptographically secure -- at least to the extent of the 122 bits of entropy they provide.

like image 117
Jordan Rieger Avatar answered Sep 29 '22 12:09

Jordan Rieger