I need to generate custom SIDs for users in my web application for use with Microsoft AzMan. What is the best way to do this? What do I need to know before doing this?

This is what I'm thinking, but I'm not sure if I'm missing something:

S-1-9-1234-{user_id + 1000}

S-{first revision}-{resource manager authority}-{domain (unique number for the specific app)}-{unique id for user}

UPDATE: Changed to resource manager authority because of David Crawford's blog entry: http://blogs.msdn.com/dc995/archive/2006/08/23/715021.aspx

A: 

It is not clear what attack you are attempting to defend against. If you want this value to be unpredictable then what you are missing is a Cryptographic Nonce. The application ID and the UserId should be randomly generated large numbers. The idea behind David Crawford's token is that no 2 applications will ever generate the same id, which is a valid approach to generate a nonce for applications that are widely distributed.

The problem with using "user_id + 1000" is that it is trivial to predict.

To generate a unique id that is also extremely difficult to predict (a Cryptographic Nonce) you should do the following. First you should start with a very large randomly generated number, then append the current timestamp and pass it all to a message digest function such as MD4. MD4 generates a number that is 2^128 in size and usually in base16. Keep in mind that collision generation does not compromise the integrity of a nonce, so MD4 or MD5 is perfectly acceptable from a security perspective. Note that there is a lot of disagreement over what the best random number generator is, but keep in mind that a random number generator can generate the same number twice, while the current timestamp is always unique for that execution frame.

Rook
I'm not trying to prevent an attack. I'm just trying to generate a custom SID to identify a user in Microsoft AzMan since that's all it supports. I have a method to generate it now, I just want to make sure I'm not doing anything wrong.
Max Schmeling
Huh, then you should probably remove the "security" tag on this post. Good luck!
Rook
I don't get why you took the security tag off of my question... the question is about how to generate security identifiers for use in Microsoft's RBAC system...
Max Schmeling
"I'm not trying to prevent an attack." So then what are you trying to do? The whole point of "security" is preventing attacks. You can add the tag back, but you should also add what attack you are trying to stop otherwise you won't get a valid answer.
Rook
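The following is an added example, not code posted by either participant. It puts the question's `S-1-9-{app}-{user}` layout and the answer's "random value + timestamp, then digest" recipe side by side, with a validator so a malformed SID is caught before it reaches AzMan. Assumptions: the string SID rules used here are the public ones (revision 1, a 48-bit identifier authority, and at most 15 sub-authorities of 32 bits each); `secrets` and SHA-256 stand in for the answer's MD4; the sub-authority registry is an in-memory dict standing in for whatever store the application uses.

```python
import hashlib
import re
import secrets
import time

# String-SID limits assumed from the public SID structure: a 48-bit identifier
# authority and at most 15 sub-authorities, each an unsigned 32-bit value.
MAX_SUB_AUTHORITIES = 15
SUB_AUTHORITY_MAX = 2**32 - 1
RESOURCE_MANAGER_AUTHORITY = 9  # the authority value the question settles on

_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def build_sid(app_id, *sub_authorities, authority=RESOURCE_MANAGER_AUTHORITY):
    """Return a string SID S-1-<authority>-<app_id>[-<sub>...], range-checked."""
    parts = [app_id, *sub_authorities]
    if not 1 <= len(parts) <= MAX_SUB_AUTHORITIES:
        raise ValueError("a SID needs between 1 and 15 sub-authorities")
    for p in parts:
        if not 0 <= p <= SUB_AUTHORITY_MAX:
            raise ValueError(f"sub-authority {p} does not fit in 32 bits")
    return "S-1-%d-%s" % (authority, "-".join(str(p) for p in parts))


def parse_sid(sid):
    """Validate a string SID and return (authority, [sub-authorities]); raise on bad input."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError("not a revision-1 string SID")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    if authority >= 2**48:
        raise ValueError("identifier authority exceeds 48 bits")
    if len(subs) > MAX_SUB_AUTHORITIES or any(s > SUB_AUTHORITY_MAX for s in subs):
        raise ValueError("sub-authority out of range")
    return authority, subs


def predictable_rid(user_id):
    """The question's scheme: a neighbour's RID is obvious from your own."""
    return user_id + 1000


def unpredictable_rid(now=None):
    """The answer's recipe folded into one 32-bit sub-authority.

    A 128-bit random value and the current timestamp are digested together;
    secrets + SHA-256 are used here in place of the answer's MD4 (an assumption
    of this example, not of the answer).
    """
    if now is None:
        now = time.time_ns()
    material = secrets.token_bytes(16) + str(now).encode()
    digest = hashlib.sha256(material).digest()
    return int.from_bytes(digest[:4], "big")


def allocate_sid(registry, app_id, user_key):
    """Issue a SID for user_key that is unique within app_id.

    Truncating a digest to 32 bits makes repeats possible, and a SID must map
    to exactly one principal, so uniqueness is enforced by the registry rather
    than assumed from randomness. registry: dict mapping sid -> user_key.
    """
    for _ in range(16):
        sid = build_sid(app_id, unpredictable_rid())
        if sid not in registry:
            registry[sid] = user_key
            return sid
    raise RuntimeError("could not find a free sub-authority; registry nearly full?")
```

`parse_sid` is the check worth running on every SID before it is handed to AzMan: it rejects values that do not fit in a sub-authority (a numeric user id above 2^32-1 would silently produce an invalid SID) and SIDs with too many components. Note that the unpredictable RID carries no information about the user, so the registry mapping SID to user is mandatory, whereas the predictable scheme can be inverted without one; that is the trade-off between the question's approach and the answer's.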