What is the difference between a "nonce" and a "GUID"?

views:

104

answers:

+5 Q:

What is the difference between a "nonce" and a "GUID"?

This question here is about creating an authentication scheme. The accepted answer given by AviD states

Your use of a cryptographic nonce is also important, that many tend to skip over - e.g. "lets just use a GUID"...

Which leads me to my question. Why wouldn't you just use a GUID?

+2 A:

Nonces should be random (or at least non-guessable). GUIDs have quite a bit of non-randomness to them (I'm not sure how many bits of entropy are in a GUID).

Michael Burr 2010-07-11 03:14:38

There being varying definitions of what exactly constitutes a GUID and how they are generated, the hypothetical question "How many bits of entropy are in a GUID?" is almost worthless. Worse, I don't think any of the definitions set clear standards for the generation of randomness, so all the randomness in a GUID might, in theory, have come from seeding a PRNG with a coin flip.

Nicholas Knight 2010-07-11 03:51:39

+6 A:

Whenever you randomly generate a random number intended to be used in cryptography, you should be really sure that the number is really random. GUIDs tend to be generated based on values that can be discovered, guessed or inferred, such as current system time or a network card MAC address, and thus the nonce could potentially be guessed.

nlawalker 2010-07-11 03:15:45

ansaurus

tags:

views:

answers:

What is the difference between a "nonce" and a "GUID"?

related questions