Phobos randomUUID is not suitable to generate secrets

Joseph Rushton Wakeling joseph.wakeling at webdrake.net
Wed Sep 2 16:49:30 UTC 2020


On Monday, 31 August 2020 at 07:49:24 UTC, Cym13 wrote:
> I obviously can't solve that conundrum on my own and there are 
> far too many projects impacted for me to take the time and 
> reach them all, so I've written an article showing how to 
> predict Phobos UUIDs in practice. I hope this shows that this 
> is a very practical and important issue that must be dealt 
> with, and the best way for that would be to generate 
> cryptographically secure UUIDs in Phobos.
>
> https://breakpoint.purrfect.fr/article/cracking_phobos_uuid.html
>
> tl;dr: At the moment predicting a future UUID takes only a few 
> thousand requests. It's nothing when it comes to things like 
> trying session cookies or password recovery tokens. If you are 
> a project manager, check whether you use randomUUID to generate 
> secrets and replace it by cryptographically secure UUID.

Thanks for highlighting the issue.  One query about your article 
-- you state:

> Phobos' randomUUID() follows these lines perfectly, using 
> non-secure randomness.

... but actually, the code example you posted doesn't inherently 
use non-secure randomness: it accepts any uniform RNG.  It's 
therefore the user's choice whether or not to provide an RNG that 
is cryptographically secure or not.

This by itself seems in line with the RFC as you describe it:

> Note that the RFC does not require the use of cryptographically
> secure random numbers, but it does warn against using UUIDs for
> sensitive values if normal randomness is used.

In other words, the code as written (and as posted in your 
article) gives the user the choice about what their requirements 
are.

There is however an issue about the overload that does not take 
an RNG as input, which defaults to using `rndGen` (the default 
RNG, which on most platforms is indeed the Mersenne Twister).

So it feels like fixing the issue is not about the implementation 
posted in your article, but about what RNG is used by default if 
the parameterless overload of `randomUUID` is called.

Or have I missed something?

A related issue is whether Phobos provides _any_ 
cryptographically secure RNG, whether of its own implementation 
or by access to some other API.
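As an added example (my own code, not Phobos code and not from the linked article), here is what the secure alternative being discussed looks like in practice: a version-4 UUID built from an operating-system CSPRNG instead of the default `rndGen`, which is what the parameterless `randomUUID()` overload uses. It assumes a POSIX system with `/dev/urandom`; the helper names `fillSecureRandom` and `secureRandomUUID` are mine, not Phobos APIs.

```d
// Added example (not Phobos code, not from the article): build a v4 UUID
// from the kernel CSPRNG rather than from Phobos' default rndGen.
// Assumes a POSIX system exposing /dev/urandom.
import std.stdio : File, writeln;
import std.uuid : UUID;

/// Fill `buf` from /dev/urandom. Throws on a short read rather than
/// silently returning a buffer that is only partly random.
void fillSecureRandom(ubyte[] buf)
{
    auto urandom = File("/dev/urandom", "rb");
    auto got = urandom.rawRead(buf);
    if (got.length != buf.length)
        throw new Exception("short read from /dev/urandom");
}

/// RFC 4122 section 4.4 layout on top of 128 random bits: the version
/// nibble (4) lives in byte 6, the variant bits (10xx) in byte 8. This is
/// the same bit-twiddling randomUUID() does; only the entropy source differs.
UUID secureRandomUUID()
{
    ubyte[16] data;
    fillSecureRandom(data[]);
    data[6] = (data[6] & 0x0F) | 0x40; // version 4
    data[8] = (data[8] & 0x3F) | 0x80; // RFC 4122 variant
    return UUID(data);
}

void main()
{
    auto u = secureRandomUUID();
    writeln(u);
    // Sanity check: reports the same version/variant a randomUUID() result
    // would, so callers that inspect the UUID see no difference.
    assert(u.uuidVersion == UUID.Version.randomNumberBased);
    assert(u.variant == UUID.Variant.rfc4122);
}
```

The point of the example is the one made above: the UUID layout is not the problem, the default entropy source is. Any code that hands a secret-bearing UUID to a user (session ids, reset tokens) should obtain its 128 bits from a CSPRNG like this, or pass one explicitly to the `randomUUID(ref RNG)` overload, rather than relying on the parameterless overload.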