We're using .NET's Guid.NewGuid()
to generate activation codes and API keys currently. I wonder if that poses a security problem since their algorithm is open.
.NET Guid uses Win32 CoCreateGuid
and I don't know its internals (possibly MAC address + timestamp?). Can someone derive a second GUID out of the first one, or can he hit it with some smart guesses or is the randomness good enough so search space becomes too big?
Generating random keys have the problem of collision, they need a double check before adding to a database. That's why we stuck with GUIDs but I'm unsure about their security for these purposes.
Here are the 4 consecutive UUIDGEN outputs:
c44dc549-5d92-4330-b451-b29a87848993 d56d4c8d-bfba-4b95-8332-e86d7f204c1c 63cdf958-9d5a-4b63-ae65-74e4237888ea 6fd09369-0fbd-456d-9c06-27fef4c8eca5
Here are 4 of them by Guid.NewGuid()
:
See Question&Answers more detail:os0652b193-64c6-4c5e-ad06-9990e1ee3791 374b6313-34a0-4c28-b336-bb2ecd879d0f 3c5a345f-3865-4420-a62c-1cdfd2defed9 5b09d7dc-8546-4ccf-9c85-de0bf4f43bf0