Are boost UUIDs generated using default mt19937 RNG secure for session IDs?
I need to generate UUIDs for use as non-predictable / guessable session IDs.
This can easily be accomplished using boost's UUID library:
#include <boost/uuid/uuid.hpp>
#include <boost/uuid/random_generator.hpp>

boost::uuids::uuid newUUID()
{
    static boost::uuids::random_generator gen; // seeded once, reused for every call
    return gen();
}
The returned UUID can easily be converted to a string.
The above code is equivalent to:
#include <boost/uuid/uuid.hpp>
#include <boost/uuid/random_generator.hpp>
#include <boost/random/mersenne_twister.hpp>

boost::uuids::uuid newUUID()
{
    static boost::uuids::basic_random_generator<boost::mt19937> gen; // Mersenne Twister engine
    return gen();
}
So we are using the Mersenne Twister 19937 pseudo random number generator. It looks like boost takes the task of seeding it properly seriously.
However, I wonder if something important – security wise – is gained by using a non-deterministic RNG like boost::random_device instead, and also how it will impact the speed of UUID generation.
#include <boost/uuid/uuid.hpp>
#include <boost/uuid/random_generator.hpp>
#include <boost/random/random_device.hpp>

boost::uuids::uuid newUUID()
{
    static boost::uuids::basic_random_generator<boost::random_device> gen; // non-deterministic engine
    return gen();
}
Advice from people with security insight is appreciated.
MT is not a cryptographically secure RNG.
boost::random_device is guaranteed (by docs) to only exist if cryptographically secure and non-deterministic. Note that this is not true of std::random_device.
For any serious application, you cannot trust a mere documented guarantee. But for a small scale unimportant one it should do.
Writing your own cryptographically secure code or system is usually a bad idea. Describe how bad it is that someone defeat your system, as that really matters to how much effort you need to put into it.
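The point of the answer is that a random UUID is exactly as unpredictable as the engine feeding it. The following is an added example (not code from the question, the answer, or Boost) that reimplements in standard C++ what a version-4 UUID generator does: draw 128 random bits from an engine and stamp the RFC 4122 version and variant bits. Driving it with std::mt19937 under a fixed seed yields the same "random" session ID every time, while std::random_device is the standard library's non-deterministic source (with the caveat from the answer that the standard does not promise it is cryptographically secure). The helper names (make_uuid_v4, uuid_from_mt_seed, session_id_from_random_device, looks_like_v4) are this example's own.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <random>
#include <string>

// 16 raw bytes of a UUID.
using uuid_bytes = std::array<std::uint8_t, 16>;

// Fill 16 bytes from any engine that produces full 32-bit words
// (std::mt19937 and std::random_device both do), then set the RFC 4122
// version-4 and variant bits the way a random UUID generator must.
template <typename Engine>
uuid_bytes make_uuid_v4(Engine& eng) {
    static_assert(Engine::min() == 0 && Engine::max() == 0xFFFFFFFFu,
                  "engine must produce 32-bit words");
    uuid_bytes u{};
    for (int i = 0; i < 16; i += 4) {
        std::uint32_t w = static_cast<std::uint32_t>(eng());
        u[i]     = static_cast<std::uint8_t>(w >> 24);
        u[i + 1] = static_cast<std::uint8_t>(w >> 16);
        u[i + 2] = static_cast<std::uint8_t>(w >> 8);
        u[i + 3] = static_cast<std::uint8_t>(w);
    }
    u[6] = static_cast<std::uint8_t>((u[6] & 0x0F) | 0x40); // version nibble = 4
    u[8] = static_cast<std::uint8_t>((u[8] & 0x3F) | 0x80); // variant bits = 10xx
    return u;
}

// Canonical 8-4-4-4-12 hex text form.
std::string to_string(const uuid_bytes& u) {
    char buf[37];
    std::snprintf(buf, sizeof buf,
        "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
        u[0], u[1], u[2], u[3], u[4], u[5], u[6], u[7],
        u[8], u[9], u[10], u[11], u[12], u[13], u[14], u[15]);
    return std::string(buf);
}

// Deterministic engine: the same seed always yields the same UUID, so a
// session ID built this way carries no more unpredictability than the seed
// (32 bits here) and the seeding procedure supplied.
std::string uuid_from_mt_seed(std::uint32_t seed) {
    std::mt19937 eng(seed);
    return to_string(make_uuid_v4(eng));
}

// Non-deterministic engine from the standard library. Whether this is a
// CSPRNG is implementation-defined; verify it on your platform before
// trusting it for session IDs.
std::string session_id_from_random_device() {
    std::random_device rd;
    return to_string(make_uuid_v4(rd));
}

// Structural sanity check on the text form: 36 characters, '4' in the
// version position, variant character in {8, 9, a, b}.
bool looks_like_v4(const std::string& s) {
    if (s.size() != 36 || s[14] != '4') return false;
    char v = s[19];
    return v == '8' || v == '9' || v == 'a' || v == 'b';
}

int main() {
    std::printf("mt19937(42), run 1: %s\n", uuid_from_mt_seed(42).c_str());
    std::printf("mt19937(42), run 2: %s\n", uuid_from_mt_seed(42).c_str());
    std::printf("random_device:      %s\n", session_id_from_random_device().c_str());
}
```

Running it prints two identical lines for the seeded Mersenne Twister and a fresh value for std::random_device. The version and variant bits are fixed by the format, so only 122 of the 128 bits are random; with a well-seeded CSPRNG that is ample for a session ID, with a predictable engine it is irrelevant how many bits there are.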