GUID 是(临时)加密的好密钥吗?
我正在生成一个加密密钥,以使用 Rijndael (AES) 加密算法 加密一些敏感数据。我使用 guid 作为密钥生成器。这些键足够“强大”吗?
注意:仅敏感20分钟。
I'm generating an encryption key to encrypt some sensitive data with the Rijndael (AES) encryption algoritm. I'm using a guid as key generator. Are these keys "strong" enough?
Note: it is only sensitive for 20 minutes.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
不会。GUID 密钥是可以预测的,至少是由 .NET / WinAPI 生成的密钥。另请记住,GUID 甚至不具有真正的 128 位随机性,因为版本号是固定的。首先,这给了你一个非常弱的密钥。
更糟糕的是,GUID 算法的多个版本都存在可预测性问题。关键是 GUID 不是随机创建的,而是遵循一定的规则,使得 GUID 实际上不可能发生冲突。
正如评论中所讨论的,GUID V1 存在隐私问题(或者,相反,密钥较弱),因为使用 MAC 地址来生成它们。使用 GUID V4,仍然有方法根据下面的(俄语)来源来预测序列。
幸运的是,.NET 具有加密功能强大的随机生成器。
RNGCryptoServiceProvider是您的朋友:您可能需要参考:
如何在 C# 中生成加密安全的伪随机数? -- 显示替代方案,并在评论中给出了维基百科的链接:
http://en.wikipedia.org/wiki/Globally_Unique_Identifier
在那里,它被声明(根据维基百科,该页面是俄语的)可以预测之前和未来生成的数字:
http://www.gotdotnet.ru/blogs/denish/1965/
No. The GUID keys can be predicted, at least those generated by .NET / WinAPI. Also keep in mind that the GUID does not even have a true 128bit randomness, because the version number is fixed. This gives you a very weak key in the first place.
To make matters worse, several versions of the GUID algorithm suffer from predictability. The point is that GUIDs are not created at random, but they follow certain rules to make it practically impossible for GUIDs to collide.
As discussed in the comments, GUID V1 suffered from privacy issues (or, the other way around, weaker keys) because the MAC address was used to generate them. With GUID V4, there are still ways to predict the sequence according to the (russian) source below.
Fortunately, .NET has cryptographically strong random generators on board. The
RNGCryptoServiceProvideris your friend:You might want to refer to:
How can I generate a cryptographically secure pseudorandom number in C#? -- shows alternatives and in a comment, the link to Wikipedia is given:
http://en.wikipedia.org/wiki/Globally_Unique_Identifier
In there, it is claimed (according to wikipedia, the page is in Russian)that one can predict previous and future numbers generated:
http://www.gotdotnet.ru/blogs/denish/1965/
不,GUID 不具有加密安全性。它们遵循极其可预测且有据可查的模式,并且就真正安全的密钥而言,它们相当短。但更重要的是,您这样做是在滥用 GUID。这不是它们的设计目的。它们是全球唯一的标识符。您得到的唯一保证是它们每个都是独一无二的。经验丰富的黑客会将 GUID 逆向工程变成小菜一碟。
使用
System.Security.Cryptography< 提供的函数相反,/code> 命名空间。这就是它们的设计目的。阅读加密安全伪随机数生成器。No, GUIDs are not cryptographically secure. They follow an extremely predictable and well-documented pattern, and they're fairly short as far as truly secure keys go. But more to the point, you're misusing GUIDs by doing this. This is not what they were designed for. They're globally unique identifiers. The only guarantee you get is that each of them is unique. A sophisticated hacker will make child's play of reverse engineering a GUID.
Use the functions provided by the
System.Security.Cryptographynamespace, instead. That's what they're designed for. Read up on cryptographically secure pseudo-random number generators.我不会使用 GUID 作为加密数据的密钥。看看 UUID 协议的一些实现:UUID 它们可以在计算时预测是唯一的,而不是随机的。我个人会研究使用 System.Security.Cryptography 命名空间来获取诸如“TripleDESCryptoServiceProvider”之类的对象来获取敏感数据。
I would not use a GUID for the key to encrypt data. Look at some of the implementations of the UUID protocol: UUID they can be predicted as they're computed to be unique, not random. I'd look into the using System.Security.Cryptography namespace for objects like "TripleDESCryptoServiceProvider" for sensitive data personally.
考虑使用这个或等效的随机字符串生成器:http: //msdn.microsoft.com/en-us/library/aa379942%28VS.85%29.aspx
Consider using this, or an equivalent random string generator: http://msdn.microsoft.com/en-us/library/aa379942%28VS.85%29.aspx