
Unpredictable Unique Identifier

Tags: c#

For an application I am working on, I need to generate a session token which must have the following properties:

  • it should be unique for the application at least, globally unique would be even better
  • it should be unpredictable
  • it should not be too long, as it will have to be passed around in an HTTP request header, so smaller is better

I was thinking about adapting a Guid structure with a cryptographic random number, but it may be overkill. Does anyone know of (or has anyone created) a data structure that would fit all those properties?

Kel asked Oct 11 '11 21:10


1 Answer

Let me be very clear on this point. All of the answers saying to use a GUID are deeply wrong and you should not under any circumstances do so.

There is nothing whatsoever in the specification for GUIDs that requires that they be unpredictable by attackers. GUIDs are allowed to be sequential if allocated in blocks, GUIDs are allowed to be created with non-crypto-strength randomness, and GUIDs are allowed to be created from known facts about the world, like your MAC address and the current time. Nothing whatsoever requires that GUIDs be unpredictable.

If you need an unpredictable session key then generate one using a crypto strength random number generator to make sufficiently many bits.

More generally: use the right tool for the job particularly when it comes to security-impacting code. GUIDs were designed to make sure that two companies did not accidentally give the same identifier to two different interfaces. If that's your application, use a GUID for it. GUIDs were invented to prevent accidents by benign entities, not to protect innocent users against determined attackers. GUIDs are like stop signs -- there to prevent accidental collisions, not to protect against attacking tanks.

GUIDs were not designed to solve any problem other than accident prevention, so do not under any circumstances use them to solve crypto problems. Use a crypto library specifically designed to solve your problem, and implemented by world-class experts.

Eric Lippert answered Oct 04 '22 20:10
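
The approach the answer recommends, as an added example that is not part of the original question or answer: a session token drawn from the platform's cryptographic random number generator, encoded compactly for an HTTP header, and checked with a constant-time comparison. It assumes .NET 6 or later; the class and method names are hypothetical, and 128 bits is an assumed size (the answer only says "sufficiently many bits").

```csharp
using System;
using System.Security.Cryptography;

// Added example: SessionToken, NewToken, TryDecode and Matches are hypothetical names.
public static class SessionToken
{
    // Assumed size: 16 bytes = 128 bits from the OS CSPRNG. Raise it for more margin.
    private const int TokenBytes = 16;

    // Returns a 22-character URL-safe string that fits in an HTTP header value.
    public static string NewToken()
    {
        byte[] raw = RandomNumberGenerator.GetBytes(TokenBytes);
        return Convert.ToBase64String(raw)
            .TrimEnd('=')        // padding carries no information
            .Replace('+', '-')   // base64url alphabet (RFC 4648, section 5)
            .Replace('/', '_');
    }

    // Decodes a token received from a client and rejects anything of the wrong shape.
    public static bool TryDecode(string token, out byte[] raw)
    {
        raw = Array.Empty<byte>();
        if (token == null || token.Length != 22) return false;
        string b64 = token.Replace('-', '+').Replace('_', '/') + "==";
        try { raw = Convert.FromBase64String(b64); }
        catch (FormatException) { return false; }
        return raw.Length == TokenBytes;
    }

    // Compares a presented token with the stored bytes without exiting early on mismatch.
    public static bool Matches(string presented, byte[] stored) =>
        TryDecode(presented, out byte[] raw) &&
        CryptographicOperations.FixedTimeEquals(raw, stored);

    public static void Main()
    {
        string token = NewToken();
        TryDecode(token, out byte[] stored);   // what the server keeps for this session
        Console.WriteLine($"{token} ({token.Length} chars)");
        Console.WriteLine(Matches(token, stored));                         // same token
        Console.WriteLine(Matches(NewToken(), stored));                    // a different token
        Console.WriteLine(Matches(Guid.NewGuid().ToString("N"), stored));  // wrong shape
    }
}
```

At 128 random bits, uniqueness follows from the same randomness that gives unpredictability, so no separate GUID-style uniqueness scheme is needed.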