tags:

views:

67

answers:

2
+2  Q: 

Security wise how do i use GUID properly?

I read an answer about guid and it was fairly interesting. It seems that GUID is based on time and v1 uses a MAC address with v4 using a RNG.

From the wiki

Cryptanalysis of the WinAPI GUID generator shows that, since the sequence of V4 GUIDs is pseudo-random; given full knowledge of the internal state, it is possible to predict previous and subsequent values.

Do i need to worry about this? say when generating cookie data for users? or password reset keys?

My question is how do i use GUID properly and how do i prevent creating the same GUID (say via two threads on same machine created during same millisecond) and how do i use it in a way it wont reveal previous keys. I switch from using async RNG to sync RNG (locking between threads) to GUID and now i think there may be a problem with this.

+1  A: 

The answer is to use the random number based GUI.

The eaerlier schemes are effectly broken. Increases in processer speed you can now generate several hunded GUIDs based on the same millsecond tick. Virtualisation means you could be sharing the same MAC address with several insances of the OS. The rise of multiprocessor machines means two processes can be generating GUIDs on the same machine in the same clock tick.

While its still possible to generate duplicates using the random number based scheme the odds are about the same as winning the lottery on a particular planet in another galaxy.

James Anderson  2010-08-11 01:21:49
.NET implementation is using the 2nd one but my question is how do i use it correctly and how not to use it. What if i want to generate GUIds on my multicore computer or server. What about figuring out keys in the past.
acidzombie24  2010-08-11 01:26:08
+1  A: 

You don't need to worry about this.

You will not generate duplicate Guids with .Net.

If it was possible you would here complaints all over the place. All around the world people are churning out new Guids in .Net at unfathomable rates, speeds that you or I will never approach, and none of them have generated duplicates.

No need to worry about threading either. The Guid.NewGuid() call is guaranteed to be thread safe. Multi-core won't make a difference. Generate them as fast as you can on the fastest server you can find and you still won't have a problem.

Seriously, its just not something to worry about.

jwsample  2010-08-11 02:53:38

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security