
We're using .NET's Guid.NewGuid() to generate activation codes and API keys currently. I wonder if that poses a security problem since their algorithm is open.

.NET Guid uses Win32 CoCreateGuid and I don't know its internals (possibly MAC address + timestamp?). Can someone derive a second GUID out of the first one, or can he hit it with some smart guesses or is the randomness good enough so search space becomes too big?

Generating random keys has the problem of collisions; they need a double check before being added to a database. That's why we've stuck with GUIDs, but I'm unsure about their security for these purposes.

Here are the 4 consecutive UUIDGEN outputs:

c44dc549-5d92-4330-b451-b29a87848993
d56d4c8d-bfba-4b95-8332-e86d7f204c1c
63cdf958-9d5a-4b63-ae65-74e4237888ea
6fd09369-0fbd-456d-9c06-27fef4c8eca5

Here are 4 of them by Guid.NewGuid():

0652b193-64c6-4c5e-ad06-9990e1ee3791
374b6313-34a0-4c28-b336-bb2ecd879d0f
3c5a345f-3865-4420-a62c-1cdfd2defed9
5b09d7dc-8546-4ccf-9c85-de0bf4f43bf0
The Wikipedia article on GUIDs is pretty good on the GUID algorithm: http://en.wikipedia.org/wiki/Globally_unique_identifier – Simon Mourier Dec 23 '10 at 09:51

possible duplicate of [How Random is System.Guid.NewGuid()?](http://stackoverflow.com/questions/467271/how-random-is-system-guid-newguid) – Cody Gray - on strike Dec 23 '10 at 10:06

Cody, it is similar, but I'm not strictly looking for randomness per se. For instance, a GUID could be a VERY high precision timer and still be secure without being random. All I want to know is if the search space between consecutive GUIDs is broad and unpredictable enough to resist trivial brute force attacks. – Sedat Kapanoglu Dec 23 '10 at 13:09

3 Answers

GUIDs are quite random, but they are not intended to be used as random numbers - their sole purpose is to uniquely identify entities, so they can be predictable.

Use System.Security.Cryptography.RandomNumberGenerator instead.

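As an added illustration (not code from the question or from any of the answers), the following C# contrasts what the samples in the question reveal about Guid.NewGuid() with the answer's recommendation to use System.Security.Cryptography.RandomNumberGenerator. The class and method names (ActivationTokens, IsVersion4, NewToken, KeysMatch) are my own, and it assumes .NET 6 or later for RandomNumberGenerator.GetBytes.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class ActivationTokens
{
    // Every sample GUID in the question has a "4" as the first digit of the third
    // group: a version-4 (random) GUID. Its version nibble and the two variant bits
    // are fixed, so a 128-bit GUID carries only 122 unpredictable bits at best, and
    // nothing in the Guid API promises that those bits come from a CSPRNG.
    public static bool IsVersion4(Guid g)
    {
        string s = g.ToString("D");          // xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx
        char version = s[14];                 // M: version nibble
        char variant = char.ToLowerInvariant(s[19]); // N: 8, 9, a or b for RFC 4122
        return version == '4' && "89ab".IndexOf(variant) >= 0;
    }

    // Activation code / API key drawn from the OS cryptographic RNG, as the answer
    // suggests. 32 bytes = 256 random bits; with that much entropy an accidental
    // collision is not a practical concern, so the "double check before insert"
    // from the question reduces to an ordinary unique index on the column.
    public static string NewToken(int sizeInBytes = 32)
    {
        byte[] raw = RandomNumberGenerator.GetBytes(sizeInBytes);
        return Base64UrlEncode(raw);
    }

    // URL-safe encoding so the token can travel in links and headers unchanged.
    static string Base64UrlEncode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // When validating a presented key against the stored one, compare in constant
    // time so the comparison itself does not leak how many leading bytes matched.
    public static bool KeysMatch(string presented, string stored)
    {
        byte[] a = Encoding.UTF8.GetBytes(presented);
        byte[] b = Encoding.UTF8.GetBytes(stored);
        return a.Length == b.Length && CryptographicOperations.FixedTimeEquals(a, b);
    }

    static void Main()
    {
        Console.WriteLine(IsVersion4(Guid.NewGuid()));   // true on current .NET
        string key = NewToken();
        Console.WriteLine(key);                          // 43 URL-safe characters
        Console.WriteLine(KeysMatch(key, key));          // true
    }
}
```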

Any key has a finite space and a sufficiently determined person/group can and will generate all combinations. What's important is not so much the key but how you organise its validation and what it authorises. If you are operating the validation/authorisation entirely through the Guid then that's probably not appropriate, as potentially all Guids are valid; you'd be better off with something like SeriousBit Elipter. If you are using an authentication mechanism that records that a particular Guid has been issued and that it has now been used for activation, then Guid isn't such a bad choice as it's a pretty big key space.


There are multiple mechanisms for generating GUIDs, some using MAC addresses and some just using pure random number generation. IIRC the MAC address should be obvious in the GUID if it's being used - it's not hashed out in any way.

Edit: proviso, slightly lame answer, as here I'm talking about generic GUID generation rather than a possible MS algorithm that does obfuscate it. Am looking into it, will delete if it's not useful.
