GUIDs
Robert Olson
olson at mcs.anl.gov
Wed Dec 18 09:12:17 CST 2002
I was making some implicit assumptions and skipping a step.

The full thought is that there are two requirements that need to be met in
different parts of the system: unique identifiers and random tokens.

GUIDs solve the unique identifier problem. However, the GUIDs as defined by
the GUID.py code might not be unique. IP addresses are not unique (think
machines behind NAT bridges using private IP address space). MS-style GUIDs
use the hardware address of the computer's network card to ensure
uniqueness. See
http://www1.ics.uci.edu/~ejw/authoring/uuid-guid/draft-leach-uuids-guids-01.txt
for a spec for them.

Random tokens, like the private ID, need to be created from
cryptographically strong random allocators. Otherwise, attacks can be based
on guessing the identifier based on knowledge of the system in use, the
APIs, etc. (cf. successful attacks on I think Netscape servers due to
insufficiently random tokens).

--bob

At 08:39 AM 12/17/2002 -0600, Ivan R. Judson wrote:
>Interesting, I was going to get rid of the requirement for the crypto stuff
>and just use the built-in Python random number generator stuff. What
>disqualifies the built-in random number generator? The two applications I
>can think of: unique IDs and the address allocator don't seem to require
>cryptographically strong randomness, am I missing something?
>
>--Ivan
>
>PS -- besides if you read over the snippet below it makes your eyes cross.
>Those two definitions of random are either the same or not, but it's not
>clear from the mail :-)
>
> > > A globally-unique identifier made up of time and ip and 3
> > random digits:
> >
> > This might be unique, but it's definitely not random. There
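
Added example (not part of the original thread and not the GUID.py code): a Python sketch of the two requirements separated in the message above, a unique identifier versus a private token, with a check showing that a token drawn from the general-purpose generator can be regenerated from a clock-derived seed. The function names and the sample timestamp are constructed for illustration, and the uuid and secrets standard-library modules used here postdate this thread.

```python
import random
import secrets
import uuid


def unique_id() -> str:
    """Identifier that only needs to be unique, not secret.

    Version-1 UUID: timestamp plus node (hardware) address, the scheme
    the Leach draft describes. Its contents are predictable by design.
    """
    return str(uuid.uuid1())


def weak_token(seed: int, nbytes: int = 16) -> str:
    """Token from the general-purpose PRNG: fully determined by its seed."""
    rng = random.Random(seed)
    return "".join(f"{rng.randrange(256):02x}" for _ in range(nbytes))


def private_token(nbytes: int = 16) -> str:
    """Token from the operating system's CSPRNG, for secrets like the private ID."""
    return secrets.token_hex(nbytes)


def reproducible_from_clock(token: str, approx_time: int, window: int) -> bool:
    """Audit check: can the token be regenerated from a clock-derived seed
    within +/- window seconds of when it was issued?"""
    seeds = range(approx_time - window, approx_time + window + 1)
    return any(weak_token(s, len(token) // 2) == token for s in seeds)


if __name__ == "__main__":
    issued_at = 1040224337  # constructed sample: epoch seconds for the message date
    print("unique id     :", unique_id())
    weak = weak_token(issued_at)
    print("weak token    :", weak, "reproducible:",
          reproducible_from_clock(weak, issued_at + 3, 5))
    strong = private_token()
    print("private token :", strong, "reproducible:",
          reproducible_from_clock(strong, issued_at, 5))
```

The version-1 UUID is suitable only where uniqueness is the requirement; anything that acts as a credential, like the private ID, should come from private_token().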