Randomness in UUID generation is insufficient. #9881

Open
dlangBugzillaToGithub opened this issue Nov 25, 2024 · 2 comments

Comments

@dlangBugzillaToGithub

jdougan reported this on 2024-11-25T00:53:20Z

Transferred from https://issues.dlang.org/show_bug.cgi?id=24877

Description

UUIDs generated by randomUUID() use the random numbers from std.random, granted with an unpredictableSeed, but from a fundamentally insecure and low entropy source.

As per the latest UUID RFC, RFC-8562, Section 8 this should at least have the option of using an actual quality entropy source.

https://www.rfc-editor.org/rfc/rfc9562.html in section 8 says:

"Instead CSPRNG data SHOULD be selected from a source with sufficient entropy to ensure guaranteed uniqueness among UUID generation."
@dlangBugzillaToGithub

dfj1esp02 commented on 2024-11-25T09:49:06Z

There's an overload that accepts an RNG
---
UUID randomUUID(RNG)(ref RNG randomGen);
---

@dlangBugzillaToGithub

jdougan commented on 2024-11-26T04:32:30Z

and no cryptographic strength RNG to use with it.

https://breakpoint.purrfect.fr/article/cracking_phobos_uuid.html

@LightBender LightBender removed the P1 label Dec 6, 2024
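
One way to sidestep `std.random` entirely until Phobos ships a CSPRNG, shown as an added example (not code from Phobos or from anyone in this thread): fill the 16 bytes from the operating system's entropy source and set the version and variant bits yourself. It assumes a POSIX system that exposes `/dev/urandom`; the function name `secureRandomUUID` is hypothetical.

```d
import std.exception : enforce;
import std.stdio : File, writeln;
import std.uuid : UUID;

/// Build a version 4 (random) UUID whose 122 random bits come from the
/// kernel CSPRNG instead of a std.random generator.
/// Assumption: POSIX system with /dev/urandom available.
UUID secureRandomUUID()
{
    ubyte[16] data;

    // Read exactly 16 bytes from the OS entropy source.
    auto f = File("/dev/urandom", "rb");
    auto got = f.rawRead(data[]);
    enforce(got.length == data.length, "short read from /dev/urandom");

    // RFC 9562 version 4 layout:
    // octet 6, high nibble = 0100 (version 4)
    data[6] &= 0x0F;
    data[6] |= 0x40;
    // octet 8, top two bits = 10 (RFC variant)
    data[8] &= 0x3F;
    data[8] |= 0x80;

    return UUID(data);
}

void main()
{
    auto a = secureRandomUUID();
    auto b = secureRandomUUID();

    // The result must parse as a random-number-based, RFC-variant UUID.
    assert(a.uuidVersion == UUID.Version.randomNumberBased);
    assert(a.variant == UUID.Variant.rfc4122);
    assert(a != b);

    writeln(a);
    writeln(b);
}
```

On Windows the same construction applies with the bytes taken from the platform CSPRNG instead of `/dev/urandom`.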