-4

We are currently generating a unique token identifier using the Guid.NewGuid().ToString() strategy, i.e.

var token = Guid.NewGuid().ToString();

We would like to replace it with the following strategy:

var token = Base64UrlEncoder.Encode(RandomNumberGenerator.GetBytes(24));

Will this be unique enough to pass for an identifier?

rmukras
  • 11
  • 2
  • The chance of two randomly-generated 24-byte (192-bit) numbers being the same is 1 in 2^192, which is an extremely low chance. (Assuming the random number generator is sufficiently random; given that `RandomNumberGenerator` is cryptographically-secure, that should be random enough.) – Matthew Watson Aug 16 '23 at 12:58
  • 1
    Seems like an [XY question](http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem) to me. What is the problem you are trying to solve? – Zohar Peled Aug 16 '23 at 13:26
  • 1
    Given that a GUID is going to be unique enough for any practical purposes, why do you want to replace it with a random number? – Matthew Watson Aug 16 '23 at 14:01
  • 1
    (Note that current implementations of `Guid.NewGuid()` call a cryptographically-secure random number generator to generate the bits) – Matthew Watson Aug 16 '23 at 14:09
  • Thanks @MatthewWatson. That `Guid.NewGuid()` already calls a cryptographically secure random number generator is something I was not aware of. – rmukras Aug 16 '23 at 14:24
  • It didn't use to, but now [it calls `Interop.GetCryptographicallySecureRandomBytes()`](https://source.dot.net/#System.Private.CoreLib/src/libraries/System.Private.CoreLib/src/System/Guid.Unix.cs,b7fae6994c22c22e) (don't be fooled by the "Unix" namespace - it's used for Windows too) – Matthew Watson Aug 16 '23 at 14:38

0 Answers0