tags:

views:

3436

answers:

7

I know this may sounds like a pointless question, but hear me out...

I basically want to know if I can trust the GUID to generate a value which will be unique 100% of the time and impossible to predict.

I'm basically rolling my on login system for a website and want to know if the GUID is secure enough for session cookies.

Any background on how the GUID is generated would be much appreciated in evaluating the answers.

Thanks for the links to duplicate questions, however, my question is specific to the .Net framework.

+10  A: 

Here's an excellent breakdown by Raymond Chen

John Sheehan
That link isn't working right now. Probably not your fault.
jcollum
@John: Is this the algorithm used in .NET?
GateKiller
I have accepted this answer on the assumption that this is how GUID's are generated in the .NET framework. Thanks John :)
GateKiller
I couldn't find proof, but Raymond is a Win32 genius and if you use Reflector to check out System.Guid, it eventually calls out of .NET (I think, I am not a Reflector Ninja).
John Sheehan
@John: you're correct. Eventually, it'll end up calling CoCreateGuid()
Shog9
So in conclusion, they are *not* very random. That is, consecutive guids from the same server will have a lot in common.
Michael Haren
This is not the algorithm used in .NET . This describes Version 1. .NET uses version 4 (see http://en.wikipedia.org/wiki/Universally_Unique_Identifier#Version_4_.28random.29 for a brief description of version 4)
awe
A: 

GUIDs are, by definition, unique in all regards. There were, once upon a time, some GUID0-generation routines that were generating sequential GUIDs, but those were problems in... Win98, I think, and were hotfixed by Microsoft.

You should be able to trust a generated GUID to be unique and never repeated or regenerated.

(EDIT: Having said that, we all understand that a string of alphanumeric characters has a fixed number of permutations, if the string is fixed in length. But in the case of a GUID the number of permutations is economical*.)

(* Dammit, where's that XKCD where the proposes "astronomic" numbers aren't large enough?)

JMD
How about "27" and, er, "27". Even when generated sensibly, they aren't really *guaranteed* to be unique - just that repeats are suitable unlikely enough.
Marc Gravell
+3  A: 

No fixed-length value can ever guarantee to be 100% unique (just call it enough times, give or take the universe ending ;-p) - but it can be very, very, very unlikely to duplicate.

Marc Gravell
+1  A: 

I can't speak to the predictability of sequential numbers but it will be unique. I think you'd be better off using a random number generator from System.Security.Cryptography, though. Tie a random number with a monotonically increasing value (time) to generate your unique key and you can be sure that it is unique and not predictable.

tvanfosson
+3  A: 

I dunno about .NET, but the UUID algorithm is defined fairly precisely.

edit: if you look at the appropriate bits (see wikipedia entry), that should explain which version of UUID is being used.

edit 2: a red flag for your use of the word "secure", which tells me you're better off using a well-defined cryptographic method. For example, when generating session IDs on a server, why just not do something simple like apply an MD5 hash to the concatenation of an appropriate subset of the following: {client machine IP address, sequentially incremented counter, fixed secret constant of your choice, output from random number generator of your choice, etc.} ?

Jason S
System.Guid in .Net is a 128-bit UUID
Tracker1
`System.Guid` in .Net uses Version 4 in the Wikipedia article you link to.
awe
+2  A: 

Assuming that System.Guid.NewGuid uses CoCreateGuid, it is not random at all. Historically, the algorithm used for creating guids was to incorporate the MAC address from a network adapter, in addition to some other things like the time. I'm not sure if the algorithm has changed. While it certainly is not random, it is guaranteed to be unique.

+2  A: 

The documentation for System.Guid.NewGuid() makes no guarantees for randomness, so while the current implementation is based on a random number generator (it's version 4 of the algorithm, which was devised after privacy concerns arose from version 1 which used the MAC address; other system's like Apple's OS X still use version 1 of the algorithm).

So while you have a very high probabilty of System.Guid.NewGuid() generating a unique value, you can't make any assumptions about its predictability because that's not specified by the documentation.

James Williams
Just for reference: A short description on how Version 4 is built up:http://en.wikipedia.org/wiki/Universally_Unique_Identifier#Version_4_.28random.29
awe