問題描述

我已經(jīng)在網(wǎng)上搜索了多個資源，但到目前為止，對于 Microsoft 的 GUID 生成機(jī)制是否足夠安全以保證將其用作跨應(yīng)用程序的唯一 ID 的問題，我無法找到明確的答案.

I have searched multiple resources online, but so far have been unable to find a definitive answer to the question of whether Microsoft's GUID generation mechanism is secure enough to warrant it's use as a unique ID across an application.

為了澄清，通過足夠安全"，我的意思是詢問用于生成 GUID 的算法是否有任何已知的弱點(diǎn)或漏洞，可能會降低 GUID 的有效隨機(jī)性即導(dǎo)致不可忽略的碰撞次數(shù).如果不是，這是否意味著 GUID 完全不可猜測，如果是，是否有某種方法可以為 GUID 生成器函數(shù)播種以有效增加生成的 GUID 的隨機(jī)性.

To clarify, by 'secure enough', I mean to ask whether the algorithm used to generate the GUID has any known weaknesses or vulnerability that could reduce the effective randomness of the GUID i.e. result in a non-negligible number of collisions. If no, does this mean the GUID is completely unguessable, and if yes, is there some way to seed the GUID generator function to effectively increase the randomness of the generated GUID.

基于此處 MSDN 指南中指定的信息 (http://msdn.microsoft.com/en-us/library/system.guid.aspx)是否有任何跡象表明可以依賴用于生成 GUID 的系統(tǒng)足夠隨機(jī).

Based on the information specified in MSDN guide here (http://msdn.microsoft.com/en-us/library/system.guid.aspx) is there any indication that the system used to generate the GUID can be relied upon to be sufficiently random.

謝謝！

推薦答案

沒有.Guid 的目標(biāo)是唯一，但加密安全意味著它是不可預(yù)測的.這些目標(biāo)有時(但并非總是)一致.

No. The goal of the Guid is to be unique, but cryptographically secure implies that it is unpredictable. These goals sometimes, but not always, align.

如果您想要加密安全，那么您應(yīng)該使用類似 RNGCryptoServiceProvider

If you want cryptographically secure, then you should use something like RNGCryptoServiceProvider

另見:

• System.Guid.NewGuid() 有多隨機(jī)?(拍兩張)
• GUID 的安全性如何?

以上兩個鏈接的重點(diǎn)是微軟的Guid是UUID的實(shí)現(xiàn)，UUID 規(guī)范表明它們不應(yīng)用作安全令牌:

The key point in both the above links is that Microsoft's Guid is an implementation of UUID, and the UUID spec indicates that they should not be used as security tokens:

不要假設(shè) UUID 很難猜；例如，它們不應(yīng)該用作安全功能(僅擁有授予訪問權(quán)限的標(biāo)識符).一個可預(yù)測的隨機(jī)數(shù)來源會加劇這種情況.

Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example. A predictable random number source will exacerbate the situation.

這篇關(guān)于Microsoft 的 GUID 生成器在密碼學(xué)上是否安全的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網(wǎng)！