tags:

views:

144

answers:

2
+2  Q: 

Are GUIDs generated on Windows 2003 safe to use as session IDs?

My web application operates only over SSL and sets a time limited cookie for each user after they successfully login with a username and password. The biggest weaknesses in the system are one compromising an existing user's cookie. And two guessing a session ID GUID.

I know of mechanisms for the first weakness but I'm wondering how much I need to worry about the chance of an attacker guessing a session ID GUID based on a GUID they have previously obtained by logging into an account they have set up? The web server in this case is Windows 2003 and the GUIDs are being generated with .Net 3.5.

A: 

.Net 3.5 GUIDs are virtually impossible to guess. The sheer number of GUIDs is enormous - there are more GUIDs than there are grains on sand in the universe, etc. They are not strictly 'guaranteed' to be unique (although apparently SQL NEWID is guaranteed to be unique)

If you want to test this for yourself, generate a few hundred million and then find duplicates (you won't find any).

Kirk Broadhurst  2009-09-09 05:31:10
GUIDS are easy to guess if yo have one. Et is even true that you can calculate all following GUIDs, because they are pseudorandom not random.
Thomas Maierhofer  2009-09-12 07:04:08
It's true that GUIDs are pseudorandom, but a computer can never generate true random values. I dispute that they are 'easy' to guess. Can you elaborate on your explanation that you can calculate all following GUIDs? (example or source)
Kirk Broadhurst  2009-09-12 07:52:42
+1  A: 

GUIDs are not intended to be cryptographically secure, just unique. Quite a lot of the format is predictable - 48 bit MAC address, a timestamp that is somewhat predictable if you know how it's generated and another few bits to deal with timestamp collisions. A technically sophisiticated attacker has a pretty good chance of reverse engineering a GUID.

You really need a cryptographically secure PRNG for a secure session key.

ConcernedOfTunbridgeWells  2009-09-09 05:59:49
The GUID Creation algorithm has changed. They don't use MAC adresses anymore. They are just 128Bit pseudorandom numbers. And they have a lot of security problems.
Thomas Maierhofer  2009-09-12 07:02:51
There is neither MAC address not timestamp in .net 3.5 guids.
Kirk Broadhurst  2009-09-12 07:48:23
Is a .net 3.5 GUID described by the vendor as being cryptographically secure?
ConcernedOfTunbridgeWells  2009-09-12 14:49:48

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security