Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is this a cryptographically strong Guid?

Tags:

c#

guid

random

I'm looking at using a Guid as a random anonymous visitor identifier for a website (stored both as a cookie client-size, and in a db server-side), and I wanted a cryptographically strong way of generating Guids (so as to minimize the chance of collisions).

For the record, there are 16 bytes (or 128 bits) in a Guid.

This is what I have in mind:

/// <summary>
/// Generate a cryptographically strong Guid
/// </summary>
/// <returns>a random Guid</returns>
private Guid GenerateNewGuid()
{
    byte[] guidBytes = new byte[16]; // Guids are 16 bytes long
    RNGCryptoServiceProvider random = new RNGCryptoServiceProvider();
    random.GetBytes(guidBytes);
    return new Guid(guidBytes);
}

Is there a better way to do this?

Edit: This will be used for two purposes, a unique Id for a visitor, and a transaction Id for purchases (which will briefly be the token needed for viewing/updating sensitive information).

like image 284
Christopher Stevenson Avatar asked Dec 10 '13 23:12

Christopher Stevenson


People also ask

Is a GUID cryptographically secure?

The random GUIDs you create with the Guid. NewGuid method are not known to be cryptographically secure. Thus, it's theoretically possible for a user to predict a GUID value that you generate for another user or task and use this to exploit weaknesses in your system.

Is a GUID a good password?

For example, one person wondered whether it was okay to use the first eight characters of a GUID as a temporary account password. This is a really bad idea. GUIDs are designed for uniqueness, not for security.

Can you guess a GUID?

GUIDs are guaranteed to be unique and that's about it. Not guaranteed to be be random or difficult to guess.

Are GUIDs random?

Definitely not random. Similarly, the person who wanted to use a GUID for password generation would find that the passwords are totally predictable if you know what time the GUID was generated and which computer generated the GUID (which you can get by looking at the final six bytes from some other password-GUID).


1 Answers

In answer to the OP's actual question whether this is cryptographically strong, the answer is yes since it is created directly from RNGCryptoServiceProvider. However the currently accepted answer provides a solution that is most definitely not cryptographically secure as per this SO answer:

Is Microsoft's GUID generator cryptographically secure.

Whether this is the correct approach architecturally due to theoretical lack of uniqueness (easily checked with a db lookup) is another concern.

like image 71
James Westgate Avatar answered Oct 23 '22 02:10

James Westgate