
Is using the java.util.UUID after hashing it with md5 a good option?

I saw this following code.

// ... some code ...
String guid = NetworkUtil.md5(java.util.UUID.randomUUID().toString());
// ... guid is being used ...

Is this a good approach, hashing a Version 4 UUID with MD5?

According to UUID specification, UUID itself is very good in uniqueness of the generated UUIDs and chances of collision are very very very small. So isn't this above piece of code actually reducing the quality of uniqueness by hashing it with MD5, which is an obsolete hashing mechanism now and prone to collisions and attacks?

Let's start with this:

According to UUID specification, UUID itself is very good in uniqueness of the generated UUIDs and chances of collision are very very very small.

Actually, it doesn't say that. It can't say that, because that does not make sense.

In fact, if the UUID spec says anything about the uniqueness of type 4 UUIDs it would say that they are only as good as the source of random numbers. And that depends on the platform and the quality of the RNG & UUID implementations. If we can assume a perfect¹ source of random numbers, then the probability of any two (separately generated) UUIDs being the same is one in 2^122; i.e. very, very small. On the other hand, if you have a poor source of random numbers, the probability of pair-wise collision increases.

So isn't this above piece of code actually reducing the quality of uniqueness by hashing it with MD5, which is an obsolete hashing mechanism now and prone to collisions and attacks?

Yes. But MD5 isn't the real problem.

As @Doug Stevenson says, hashing a UUID does not reduce the chance of a collision. Not even for a hashing algorithm that has no known weakness. Whatever the algorithm, there is a chance that hashing UUIDs will increase the probability of collisions².

So basically, there is no point in hashing a single UUID.

However, if you required a token that had a smaller probability of collision than a type 4 UUID, you could concatenate N type 4 UUIDs into a single byte array, and then create a hash for the array. If you have a (strong) M-bit hashing algorithm, and a perfect source of random numbers for your UUID generator, then the chance of collision should be roughly one in 2^min(M, 122 * N).


1 - That is, a source of random bits where it is impossible for someone (an attacker) to predict the next bit in the sequence with anything other than 50% probability of being correct.

2 - This will happen if there are any two distinct UUIDs that have the same hash. That is possible even for a strong hashing algorithm ... unless you defined that to be a criterion by which you measure strength.

You can only make a probably-unique value worse by hashing it. It cannot get any better or "more unique". So, there is nothing to be gained by hashing like this, other than getting it into a uniform format that could be used where an md5-hashed string is required.
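
The first answer's construction (concatenate N type 4 UUIDs into one byte array, then hash it) as an added Java example; it is not code from the question or from either answer. The class and method names are assumptions made for illustration, and SHA-256 stands in for the "strong M-bit hashing algorithm"; the MD5, N=1 case corresponds to the pattern in the question.

```java
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.UUID;

public class UuidToken {   // hypothetical class name
    /** Random bits in a version 4 UUID: 128 minus 4 version bits and 2 variant bits. */
    static final int RANDOM_BITS_PER_UUID = 122;

    /** Upper bound on the token's entropy, min(M, 122 * N), assuming a perfect RNG. */
    static int entropyBits(int digestBits, int uuidCount) {
        return Math.min(digestBits, RANDOM_BITS_PER_UUID * uuidCount);
    }

    /** Concatenates n freshly generated version 4 UUIDs into one byte array and hashes it. */
    static byte[] token(String algorithm, int n) throws NoSuchAlgorithmException {
        ByteBuffer buf = ByteBuffer.allocate(16 * n);
        for (int i = 0; i < n; i++) {
            UUID u = UUID.randomUUID();
            buf.putLong(u.getMostSignificantBits());
            buf.putLong(u.getLeastSignificantBits());
        }
        return MessageDigest.getInstance(algorithm).digest(buf.array());
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static void report(String algorithm, int digestBits, int n) throws NoSuchAlgorithmException {
        byte[] t = token(algorithm, n);
        System.out.printf("%-7s N=%d  %3d-bit token, at most %3d bits of entropy  %s%n",
                algorithm, n, t.length * 8, entropyBits(digestBits, n), hex(t));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // One UUID through MD5: the output is 128 bits wide, but the hash cannot
        // add entropy, so the bound stays at the 122 random bits of the input.
        report("MD5", 128, 1);
        // A stronger hash over a single UUID does not raise the bound either.
        report("SHA-256", 256, 1);
        // Three UUIDs supply 366 random bits, so the 256-bit digest becomes the limit.
        report("SHA-256", 256, 3);
    }
}
```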
