Guids are used extensively throughout Microsoft systems and developers tend to turn to Guid.NewGuid() whenever they need to create a value to uniquely identify something. Guids might also be used as keys or identifiers in security critical operations — under the assumption that they are hard to guess for an attacker. I've been looking around the Internet to see if I could find some guidance on Guid security along with details on how they are generated in the .NET framework. I couldn't find much information, but I did find that Eric Lippert from the C# team recently raised some concerns about the Guids on his blog. So I started digging around to see what more I could find out.
First of all a quick background. Microsoft's Guid is their implementation of the Universally Unique IDentifier (UUID) outlined in RFC 4122. UUIDs are 128 bits, and the Guid class generates version 4 UUIDs, meaning that all bits except those defining the version and variant of the UUID are "random." Please note that 4 bits are used for the version number, and two bits are used for the variant — so it's not a 128 bit random number, it's a 122 bit random number.
Jul 29, 2012
Subscribe to:
Posts (Atom)
Read other popular posts
-
Microsoft's widely used e-mail service Hotmail was recently overhauled and rebranded Outlook.com. One of the less known services they pr... -
Security headers in an HTTP response There are many things to consider when securing a web application but a definite "quick win&qu... -
The release of Firesheep a week ago brought a lot of attention to a problem that has been known for many, many years: cookies sent over both...
-
OWASP recently released their Top Ten 2013 list of web application vulnerabilities. If you compare the list to the 2010 version you’ll see t... -
I guess it was long overdue for me to follow up on my Hardening Windows Server 2003 SSL/TLS configuration and Windows server 2003 vs 20... -
Just a quick note on an error I often run into when I'm working on my Azure applications. I usually create Azure packages and upload the...
-
Though Windows Server 2003 has been around for a while, we'll still see them around the Internet for many years to come. Despite their u...
-
A couple of weeks ago I was remotely involved in a discussion on password hashing in .NET with @thorsheim , @skradel , and @troyhunt . (Foll...
-
I just ran into a weird problem while creating a bootable USB-stick, it was impossible to do a full copy of the files from an .iso. I tried...
-
The .NET 4.5 framework was released a couple of months ago and it included several improvements in the security area. To benefit from these ...