Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
276 views
in Technique by (71.8m points)

c# - Is a GUID a good key for (temporary) encryption?

I'm generating an encryption key to encrypt some sensitive data with the Rijndael (AES) encryption algorithm. I'm using a GUID as key generator. Are these keys "strong" enough?

Note: it is only sensitive for 20 minutes.


1 Reply

0 votes
by (71.8m points)

No. The GUID keys can be predicted, at least those generated by .NET / WinAPI. Also keep in mind that the GUID does not even have true 128-bit randomness, because the version number is fixed. This gives you a very weak key in the first place.

To make matters worse, several versions of the GUID algorithm suffer from predictability. The point is that GUIDs are not created at random, but they follow certain rules to make it practically impossible for GUIDs to collide.

As discussed in the comments, GUID V1 suffered from privacy issues (or, the other way around, weaker keys) because the MAC address was used to generate them. With GUID V4, there are still ways to predict the sequence according to the (Russian) source below.

Fortunately, .NET has cryptographically strong random generators on board. The RNGCryptoServiceProvider is your friend:

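    using System.Security.Cryptography;

    // RNGCryptoServiceProvider draws from the operating system's cryptographic RNG.
    RNGCryptoServiceProvider _cryptoProvider = new RNGCryptoServiceProvider();
    int fileLength = 8 * 1024;              // buffer size in bytes
    var randomBytes = new byte[fileLength];
    _cryptoProvider.GetBytes(randomBytes);  // fill the buffer with random bytes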

You might want to refer to:

How can I generate a cryptographically secure pseudorandom number in C#? -- shows alternatives and in a comment, the link to Wikipedia is given:

http://en.wikipedia.org/wiki/Globally_Unique_Identifier

In there, it is claimed (according to Wikipedia, the page is in Russian) that one can predict previous and future numbers generated:

http://www.gotdotnet.ru/blogs/denish/1965/
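
The fixed version bits mentioned in the answer can be observed directly. The following is an added example, not code from the original answer: it counts which bit positions ever change across many GUIDs and then builds a 256-bit AES key from the system CSPRNG instead. The class and method names (GuidKeyDemo, CountVaryingBits, NewAesKey) are hypothetical, and it assumes Guid.NewGuid() returns version 4 GUIDs, as it does on current .NET runtimes.

```csharp
using System;
using System.Security.Cryptography;

static class GuidKeyDemo
{
    // Count how many of the 128 bit positions ever differ across n GUIDs.
    // For version 4 GUIDs this can be at most 122: the 4 version bits and
    // 2 variant bits are constants. It is only an upper bound on entropy;
    // it says nothing about how unpredictable the remaining bits are.
    static int CountVaryingBits(int n)
    {
        byte[] first = Guid.NewGuid().ToByteArray();
        byte[] varying = new byte[16];
        for (int i = 0; i < n; i++)
        {
            byte[] g = Guid.NewGuid().ToByteArray();
            for (int b = 0; b < 16; b++)
                varying[b] |= (byte)(g[b] ^ first[b]);
        }
        int bits = 0;
        foreach (byte v in varying)
            for (int k = 0; k < 8; k++)
                bits += (v >> k) & 1;
        return bits;
    }

    // Key material taken from the OS CSPRNG; 32 bytes gives AES-256.
    static byte[] NewAesKey(int sizeInBytes = 32)
    {
        byte[] key = new byte[sizeInBytes];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(key);
        return key;
    }

    static void Main()
    {
        // In .NET's byte layout the version is the high nibble of byte 7
        // and the variant is the top two bits of byte 8.
        byte[] g = Guid.NewGuid().ToByteArray();
        Console.WriteLine("version nibble: " + (g[7] >> 4));
        Console.WriteLine("variant bits:   " + (g[8] >> 6));
        Console.WriteLine("varying bits:   " + CountVaryingBits(10000) + " of 128");
        using (var aes = Aes.Create())
        {
            aes.Key = NewAesKey();
            Console.WriteLine("AES key size:   " + aes.KeySize);
        }
    }
}
```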

