GUID 在为 Web 应用程序创建 session key 时被大量使用。我一直想知道这种做法的安全性。由于 GUID 是根据计算机的信息、时间以及其他一些因素生成的,因此猜测将来可能出现的 GUID 是多么困难。假设您启动了 1000 个或 10000 个新 session ,以获得正在生成的 GUID 的良好数据集。这会让生成可用于另一个 session 的 GUID 变得更容易吗?您甚至不必猜测特定的 GUID,而只需继续尝试可能在特定时间段生成的 GUID。
最佳答案
这是来自 Wikipedia 的一些内容(original source):
V1 GUIDs which contain a MAC address and time can be identified by the digit "1" in the first position of the third group of digits, for example {2f1e4fc0-81fd-11da-9156-00036a0f876a}.
根据我的理解,他们并没有真正隐藏它。
V4 GUIDs use the later algorithm, which is a pseudo-random number. These have a "4" in the same position, for example {38a52be4-9352-453e-af97-5c3b448652f0}. More specifically, the 'data3' bit pattern would be 0001xxxxxxxxxxxx in the first case, and 0100xxxxxxxxxxxx in the second. Cryptanalysis of the WinAPI GUID generator shows that, since the sequence of V4 GUIDs is pseudo-random, given the initial state one can predict up to next 250 000 GUIDs returned by the function UuidCreate1. This is why GUIDs should not be used in cryptography, e. g., as random keys.
关于security - 您能轻松猜出可能生成的 GUID 吗?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/643445/