[Issue 24877] New: Randomness in UUID generation is insufficient.

d-bugmail at puremagic.com d-bugmail at puremagic.com
Mon Nov 25 00:53:20 UTC 2024


https://issues.dlang.org/show_bug.cgi?id=24877

          Issue ID: 24877
           Summary: Randomness in UUID generation is insufficient.
           Product: D
           Version: D2
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P1
         Component: phobos
          Assignee: nobody at puremagic.com
          Reporter: jdougan at acm.org

UUIDs generated by randomUUID() use the random numbers from std.random, granted
with an unpredictableSeed, but from a fundamentally insecure and low-entropy
source.

As per the latest UUID RFC, RFC-8562, Section 8, this should at least have the
option of using an actual quality entropy source.

https://www.rfc-editor.org/rfc/rfc9562.html in section 8 says:

"Instead CSPRNG data SHOULD be selected from a source with sufficient entropy
to ensure guaranteed uniqueness among UUID generation."

--
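
One way to build a version 4 UUID directly from operating-system CSPRNG output, as the report asks for. This is an added example, not part of the original report and not Phobos code; it assumes a POSIX system where /dev/urandom is the kernel CSPRNG interface, and osRandomUUID is a hypothetical name.

```d
// Added illustration, not Phobos code. Assumes POSIX: /dev/urandom is the
// kernel CSPRNG interface. osRandomUUID is a hypothetical helper name.
import std.exception : enforce;
import std.stdio : File, writeln;
import std.uuid : UUID;

UUID osRandomUUID()
{
    ubyte[16] data;
    auto f = File("/dev/urandom", "rb");

    // rawRead returns the slice it actually filled. A short read must fail
    // loudly instead of leaving zero bytes in the identifier.
    auto got = f.rawRead(data[]);
    enforce(got.length == data.length, "short read from /dev/urandom");

    // RFC 9562 version 4 layout: version nibble 0b0100 in octet 6 and
    // variant bits 0b10 in octet 8. The other 122 bits stay random.
    data[6] &= 0x0F;
    data[6] |= 0x40;
    data[8] &= 0x3F;
    data[8] |= 0x80;

    return UUID(data);
}

void main()
{
    auto a = osRandomUUID();
    auto b = osRandomUUID();

    // The result is a well-formed version 4 UUID as std.uuid parses it.
    assert(a.uuidVersion == UUID.Version.randomNumberBased);
    assert(a.variant == UUID.Variant.rfc4122);
    assert(a != b);

    writeln(a);
}
```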

