13

Is there a difference between Ruby's SecureRandom.uuid (Ruby 1.9.3) and the UUID gem? Is the UUID gem the "old" way of doing things?

From the docs I gather that the gem is more "safe" to be a real unique UUID while SecureRandom.uuid is more of a random string which has a larger chance of not being unique. In addition UUID seems to allow a file-based persistence to assist with this.

So I was hoping to hear from some people with more insight than me into this.

Marcelo De Polli
Dmitriy Likhten
  • The "larger chance" of being non-unique is highly non-likely to strike in practice. I *think* that the UUID gem is v1 UUIDs, and here is something vaguely related (but not an answer): http://stackoverflow.com/questions/703035/when-are-you-truly-forced-to-use-uuid-as-part-of-the-design/786541#786541 – Neil Slater May 20 '13 at 14:43
  • 2
    That actually answers the question quite well. The Ruby version is v4, while the gem is v1. The probability of me running into two identical UUIDs using Ruby's method is tiny. Using v1 is actually zero in my setup (unless I generated 256 exabytes of UUIDs). "Frankly, in a single application space without malicious actors, the extinction of all life on earth will occur long before you have a collision, even on a version 4 UUID, even if you're generating quite a few UUIDs per second." – Dmitriy Likhten May 20 '13 at 20:06
  • 1
    Also v1 UUIDs rely on the uniqueness of MAC addresses. In a heavily virtualized world, you might be surprised that the uniqueness of a MAC address of a virtual network adapter may not be as strong a guarantee as the random bits acquired from `OpenSSL::Random` – dbenhur May 20 '13 at 20:30
  • @dbenhur: How interesting. Thanks. Should this question be closed because it seems more of a conversation? – Dmitriy Likhten May 20 '13 at 21:34

1 Answer

9

There are several methods of generating a UUID.

Wikipedia does a good job of listing them out.

http://en.wikipedia.org/wiki/Universally_unique_identifier

v4 UUIDs:

The key idea about random is that it is actually very hard to generate when relating to encryption. Most random number generators are a math formula that just needs to LOOK random, and that works fine for most applications. Many programs will use $pid | time to generate a random seed.

Which is not very promising... I know what time the request was generated and there are only 65,534 pids. I can figure out the random seed from that.

So, if you seed your UUIDv4 number generator at the exact same time (same second) with $pid | time() across 100 machines with the PID numbers, then you have (I guess) a 100/65536 chance of duplication. This could be done fairly easily like this:

    # restart the same service on every listed host at (nearly) the same moment
    for MACH in $(cat machine_list); do ssh "$MACH" "restart something" & done

SecureRandom:

The code from SecureRandom tries openssl, then /dev/urandom, then win32...

When reading from /dev/urandom, it's very random, but if there isn't enough chaos in the system, urandom will make stuff up to supply random data. When reading from /dev/random, it's VERY random, and if there isn't enough chaos, /dev/random will block.

UUID:

The UUID gem uses rand()

   r = [rand(0x100000000)].pack "N"

for the MAC address.

UUID also does not supply v4 UUIDs :)

Practically, if I ever have an MD5 or UUID collision I am buying a lottery ticket!

Hosam Aly
Daniel
  • 1
    While this is dealing with the JavaScript random number generator, it's a very informative article on the issues of "random" UUID. https://medium.com/@betable/tifu-by-using-math-random-f1c308c4fd9d#.k2ah5kjq1 – Daniel Nov 22 '15 at 14:39
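
The seeding problem described in the answer, as an added Ruby example (not code from the answer, from SecureRandom or from the UUID gem): v4 UUIDs built on a non-cryptographic PRNG seeded with pid | time repeat whenever two hosts share a PID and a start second, while SecureRandom.uuid draws from the OS/OpenSSL source and does not. The helper names, the PID list, the timestamp and the v1-shaped sample are constructed for illustration.

```ruby
require 'securerandom'

# Constructed sample data: one start second (low 16 bits zero, so pid | time
# is distinct per PID) and 100 hosts whose PIDs fall in a 40-value range.
SAMPLE_T    = 0x5199_0000
SAMPLE_PIDS = (0...100).map { |i| 1000 + (i % 40) }
SAMPLE_V1   = '00000000-0000-1000-8000-000000000000' # constructed v1-shaped UUID

# Stamp the RFC 4122 version (4) and variant (10xx) bits onto 16 bytes and
# render them in the usual 8-4-4-4-12 form.
def format_v4(raw)
  b = raw.bytes
  b[6] = (b[6] & 0x0f) | 0x40
  b[8] = (b[8] & 0x3f) | 0x80
  hex = b.pack('C*').unpack1('H*')
  [hex[0, 8], hex[8, 4], hex[12, 4], hex[16, 4], hex[20, 12]].join('-')
end

# Deliberately weak, hypothetical generator: Ruby's Mersenne Twister seeded
# with pid | time, the pattern the answer warns about.
def weak_v4(pid, epoch_second)
  format_v4(Random.new(pid | epoch_second).bytes(16))
end

# Version nibble: the first hex digit of the third group (1 = time/MAC, 4 = random).
def uuid_version(uuid)
  uuid.delete('-')[12].to_i(16)
end

# Number of repeated values in a list of UUIDs.
def duplicates(uuids)
  uuids.size - uuids.uniq.size
end

if __FILE__ == $PROGRAM_NAME
  weak   = SAMPLE_PIDS.map { |pid| weak_v4(pid, SAMPLE_T) }
  secure = SAMPLE_PIDS.map { SecureRandom.uuid }
  puts "weak:   #{duplicates(weak)} duplicates of #{weak.size}"
  puts "secure: #{duplicates(secure)} duplicates of #{secure.size}"
  puts "versions: weak=#{uuid_version(weak.first)} " \
       "secure=#{uuid_version(secure.first)} v1 sample=#{uuid_version(SAMPLE_V1)}"
end
```

The weak UUIDs are well-formed v4 values, so the version nibble alone cannot tell them apart from SecureRandom output; only the source of the random bytes differs.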