How Random is System.Guid.NewGuid()?

Question

I know this may sounds like a pointless question, but hear me out...

I basically want to know if I can trust the GUID to generate a value which will be unique 100% of the time and impossible to predict.

I'm basically rolling my on login system for a website and want to know if the GUID is secure enough for session cookies.

Any background on how the GUID is generated would be much appreciated in evaluating the answers.

Thanks for the links to duplicate questions, however, my question is specific to the .Net framework.

Answer 1

Here's an excellent breakdown by Raymond Chen

Answer 2

GUIDs are, by definition, unique in all regards. There were, once upon a time, some GUID0-generation routines that were generating sequential GUIDs, but those were problems in... Win98, I think, and were hotfixed by Microsoft.

You should be able to trust a generated GUID to be unique and never repeated or regenerated.

(EDIT: Having said that, we all understand that a string of alphanumeric characters has a fixed number of permutations, if the string is fixed in length. But in the case of a GUID the number of permutations is economical*.)

(* Dammit, where's that XKCD where the proposes "astronomic" numbers aren't large enough?)

Answer 3

No fixed-length value can ever guarantee to be 100% unique (just call it enough times, give or take the universe ending ;-p) - but it can be very, very, very unlikely to duplicate.

Answer 4

I can't speak to the predictability of sequential numbers but it will be unique. I think you'd be better off using a random number generator from System.Security.Cryptography, though. Tie a random number with a monotonically increasing value (time) to generate your unique key and you can be sure that it is unique and not predictable.

Answer 5

I dunno about .NET, but the UUID algorithm is defined fairly precisely.

edit: if you look at the appropriate bits (see wikipedia entry), that should explain which version of UUID is being used.

edit 2: a red flag for your use of the word "secure", which tells me you're better off using a well-defined cryptographic method. For example, when generating session IDs on a server, why just not do something simple like apply an MD5 hash to the concatenation of an appropriate subset of the following: {client machine IP address, sequentially incremented counter, fixed secret constant of your choice, output from random number generator of your choice, etc.} ?

Answer 6

Assuming that System.Guid.NewGuid uses CoCreateGuid, it is not random at all. Historically, the algorithm used for creating guids was to incorporate the MAC address from a network adapter, in addition to some other things like the time. I'm not sure if the algorithm has changed. While it certainly is not random, it is guaranteed to be unique.

Answer 7

The documentation for System.Guid.NewGuid() makes no guarantees for randomness, so while the current implementation is based on a random number generator (it's version 4 of the algorithm, which was devised after privacy concerns arose from version 1 which used the MAC address; other system's like Apple's OS X still use version 1 of the algorithm).

So while you have a very high probabilty of System.Guid.NewGuid() generating a unique value, you can't make any assumptions about its predictability because that's not specified by the documentation.