[Issue 24877] New: Randomness in UUID generation is insufficient.
d-bugmail at puremagic.com
Mon Nov 25 00:53:20 UTC 2024
https://issues.dlang.org/show_bug.cgi?id=24877
Issue ID: 24877
Summary: Randomness in UUID generation is insufficient.
Product: D
Version: D2
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P1
Component: phobos
Assignee: nobody at puremagic.com
Reporter: jdougan at acm.org
UUIDs generated by randomUUID() use the random numbers from std.random, granted
with an unpredictableSeed, but from a fundamentally insecure and low-entropy
source.
As per the latest UUID RFC, RFC-8562, Section 8, this should at least have the
option of using an actual quality entropy source.
https://www.rfc-editor.org/rfc/rfc9562.html in section 8 says:
"Instead CSPRNG data SHOULD be selected from a source with sufficient entropy
to ensure guaranteed uniqueness among UUID generation."
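The option the report asks for, sketched as an added example that is not part of the original report and is not Phobos code: a version 4 UUID whose random bits come from the operating system's CSPRNG instead of std.random. It assumes a POSIX system with /dev/urandom; `osRandomBytes` and `uuid4From` are hypothetical helper names.

```d
// Added example (not Phobos code): version 4 UUID from OS CSPRNG bytes.
// Assumption: a POSIX system where /dev/urandom is available.
import std.stdio : File, writeln;
import std.uuid : UUID;

/// Hypothetical helper: fill a 16-byte buffer from the kernel CSPRNG.
ubyte[16] osRandomBytes()
{
    ubyte[16] buf;
    auto f = File("/dev/urandom", "rb");
    auto got = f.rawRead(buf[]);
    // rawRead returns the slice it actually filled. A short read must not
    // be accepted, or part of the UUID would be left as zero bytes.
    if (got.length != buf.length)
        throw new Exception("short read from /dev/urandom");
    return buf;
}

/// Hypothetical helper: stamp the version and variant fields onto
/// 16 random bytes, leaving 122 random bits in the result.
UUID uuid4From(ubyte[16] rnd)
{
    rnd[6] &= 0x0F;
    rnd[6] |= 0x40; // version field: 0100 (random-number based)
    rnd[8] &= 0x3F;
    rnd[8] |= 0x80; // variant field: 10xx
    UUID u;
    u.data = rnd;
    return u;
}

void main()
{
    auto u = uuid4From(osRandomBytes());
    // std.uuid must recognise the result as a random-number-based UUID.
    assert(u.uuidVersion == UUID.Version.randomNumberBased);
    assert(u.variant == UUID.Variant.rfc4122);
    writeln(u);
}
```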