Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
menu search
person
Welcome To Ask or Share your Answers For Others

Categories

We're using .NET's Guid.NewGuid() to generate activation codes and API keys currently. I wonder if that poses a security problem since their algorithm is open.

.NET Guid uses Win32 CoCreateGuid and I don't know its internals (possibly MAC address + timestamp?). Can someone derive a second GUID out of the first one, or can he hit it with some smart guesses or is the randomness good enough so search space becomes too big?

Generating random keys have the problem of collision, they need a double check before adding to a database. That's why we stuck with GUIDs but I'm unsure about their security for these purposes.

Here are the 4 consecutive UUIDGEN outputs:

c44dc549-5d92-4330-b451-b29a87848993
d56d4c8d-bfba-4b95-8332-e86d7f204c1c
63cdf958-9d5a-4b63-ae65-74e4237888ea
6fd09369-0fbd-456d-9c06-27fef4c8eca5

Here are 4 of them by Guid.NewGuid():

0652b193-64c6-4c5e-ad06-9990e1ee3791
374b6313-34a0-4c28-b336-bb2ecd879d0f
3c5a345f-3865-4420-a62c-1cdfd2defed9
5b09d7dc-8546-4ccf-9c85-de0bf4f43bf0
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
thumb_up_alt 0 like thumb_down_alt 0 dislike
404 views
Welcome To Ask or Share your Answers For Others

1 Answer

GUIDs are quite random, but they are not intended to be used as random numbers - their sole purpose is to uniquely identify entities, so they can be predictable.

Use System.Security.Cryptography.RandomNumberGenerator instead.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
thumb_up_alt 0 like thumb_down_alt 0 dislike
Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
...