Re: how secure is windows GUID generation?

dkelly_at_eoncc.com
Date: 08/17/05


Date: 17 Aug 2005 10:12:01 -0700


> 8e1b73fd-4105-4627-8ced-876977f4c387
> cd225b65-893e-4d88-9fef-5902e4d32531
> 766dad05-a4f1-4b39-b259-da846e47df77

If you look at these, the lead few bits of the first digit in the
fourth group are the protocol variant, which in this case are
10 = "the standard". (Older Windows might use the 110 = "Microsoft
backwards compatibility" variant.)

With the standard format, the first nibble of the third group is the
version. In this case it is 4, which specifies "random".

Version 4 of the UUID standard says all remaining bits are random.
Thus, you have a random number of (32*8-6) bits.

You should note that all other versions of the UUID are very
structured, and will generate highly predictable numbers. I have no
idea what versions of Microsoft will use this version of GUID; for
any machine the number must be:

XXXXXXXX-XXXX-4XXX-VXXX-XXXXXXXXXXXX With V=8/9/A/B

else it's no good for use as a random number.

No comment on the randomness/security of Microsoft's random number
generator.

There is an IETF document on this; look for UUIDs and GUIDs.
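
The format check described in this post, as an added example that is not part of the original message: it reads the variant bits and version nibble from a GUID string and reports whether the value claims to be the random version 4. The function names and the two samples marked as constructed are assumptions for illustration; passing the check says nothing about the quality of the generator behind it.

```python
import re

# 8-4-4-4-12 hex layout, e.g. XXXXXXXX-XXXX-4XXX-VXXX-XXXXXXXXXXXX
_GUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


def classify_guid(text):
    """Return (variant, version nibble) for a GUID string."""
    s = text.strip().strip("{}")  # tolerate the {…} registry form
    if not _GUID_RE.match(s):
        raise ValueError("not a GUID in 8-4-4-4-12 hex form: %r" % text)
    groups = s.split("-")
    version = int(groups[2][0], 16)   # first nibble of the third group
    v = int(groups[3][0], 16)         # first digit of the fourth group
    if v & 0b1000 == 0:
        variant = "ncs"               # 0xxx: old NCS layout
    elif v & 0b1100 == 0b1000:
        variant = "standard"          # 10xx: digits 8, 9, A, B
    elif v & 0b1110 == 0b1100:
        variant = "microsoft"         # 110x: Microsoft backwards compatibility
    else:
        variant = "reserved"          # 111x
    return variant, version


def claims_random(text):
    """True only for the standard variant with version 4 ("random")."""
    variant, version = classify_guid(text)
    return variant == "standard" and version == 4


if __name__ == "__main__":
    samples = [
        "8e1b73fd-4105-4627-8ced-876977f4c387",  # quoted in the post
        "cd225b65-893e-4d88-9fef-5902e4d32531",  # quoted in the post
        "766dad05-a4f1-4b39-b259-da846e47df77",  # quoted in the post
        "11111111-2222-1333-8444-555555555555",  # constructed: version 1
        "11111111-2222-4333-c444-555555555555",  # constructed: 110 variant
    ]
    for g in samples:
        print(g, classify_guid(g), "random-format" if claims_random(g) else "structured")
```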