GUID 经常用于为 Web 应用程序创建会话密钥。我一直想知道这种做法的安全性。由于 GUID 是根据来自机器的信息、时间以及其他一些因素生成的,因此很难猜测未来可能出现的 GUID。假设您启动了 1000 个或 10000 个新会话,以获得正在生成的 GUID 的良好数据集。这是否会使生成可能用于另一个会话的 GUID 变得更容易。您甚至不必猜测特定的 GUID,只需继续尝试可能在特定时间段内生成的 GUID。
Kibbee
问问题
10508 次
6 回答
22
包含 MAC 地址和时间的 V1 GUID 可以通过第三组数字的第一个位置的数字“1”来标识,例如 {2f1e4fc0-81fd-11da-9156-00036a0f876a}。
据我了解,他们并没有真正隐藏它。
V4 GUID 使用后一种算法,它是一个伪随机数。它们在相同的位置有一个“4”,例如 {38a52be4-9352-453e-af97-5c3b448652f0}。更具体地说,“data3”位模式在第一种情况下为 0001xxxxxxxxxxxx,在第二种情况下为 0100xxxxxxxxxxxx。WinAPI GUID 生成器的密码分析表明,由于 V4 GUID 的序列是伪随机的,给定初始状态,可以预测函数 UuidCreate 1返回的多达下 250 000 个 GUID。这就是为什么不应在密码学中使用 GUID,例如,作为随机密钥。
于 2009-03-13T16:13:50.403 回答
12
GUIDs are guaranteed to be unique and that's about it. Not guaranteed to be be random or difficult to guess.
TO answer you question, at least for the V1 GUID generation algorithm if you know the algorithm, MAC address and the time of the creation you could probably generate a set of GUIDs one of which would be one that was actually generated. And the MAC address if it's a V1 GUID can be determined from sample GUIDs from the same machine.
Additional tidbit from wikipedia:
The OSF-specified algorithm for generating new GUIDs has been widely criticized. In these (V1) GUIDs, the user's network card MAC address is used as a base for the last group of GUID digits, which means, for example, that a document can be tracked back to the computer that created it. This privacy hole was used when locating the creator of the Melissa worm. Most of the other digits are based on the time while generating the GUID.
于 2009-03-13T16:26:53.773 回答
10
.NET Web 应用程序调用 Guid.NewGuid() 来创建一个 GUID,然后最终调用CoCreateGuid() COM 函数在堆栈更深的几个帧中。
从 MSDN 库:
The CoCreateGuid function calls the RPC function UuidCreate, which creates a GUID, a globally unique 128-bit integer. Use the CoCreateGuid function when you need an absolutely unique number that you will use as a persistent identifier in a distributed environment.To a very high degree of certainty, this function returns a unique value – no other invocation, on the same or any other system (networked or not), should return the same value.
And if you check the page on UuidCreate:
The UuidCreate function generates a UUID that cannot be traced to the ethernet/token ring address of the computer on which it was generated. It also cannot be associated with other UUIDs created on the same computer.
The last contains sentence is the answer to your question. So I would say, it is pretty hard to guess unless there is a bug in Microsoft's implementation.
于 2009-03-13T16:22:18.057 回答
5
如果有人继续使用连续的 GUID 流访问服务器,那将更像是拒绝服务攻击。
有人猜测 GUID 的可能性几乎为零。
于 2009-03-13T16:15:20.023 回答
1
依靠。如果 GUID 设置合理,例如使用加盐的安全哈希并且您有很多位,则很难。如果 GUID 短而明显,则说明它很弱。
由于这可能会产生服务器负载,您可能希望采取措施阻止某人创建 10000 个新会话。
于 2009-03-13T16:14:08.280 回答
1
"GUIDs are guaranteed to be unique and that's about it". GUIDs are not garanteed to be unique. At least the ones generated by CoCreateGuid: "To a very high degree of certainty, this function returns a unique value – no other invocation, on the same or any other system (networked or not), should return the same value."
于 2011-04-29T19:10:53.063 回答