3

RFC 4122 defines UUIDs in quite some detail. There are currently 5 variants defined, all 128-bit but varying in how the bits are derived.

Why should one care about abiding by a particular variant; once the ID is created what reason would someone using the UUID have to need to know how it was constructed?

In particular, if I am going to use Variant 4 (completely random) it seems a waste to follow the RFC which reduces the random bits from 128 down to 122 (4 bits for variant, 2 bits reserved). Wouldn't I be better not following the RFC and using all 128 bits for randomness?

Mike
  • If you don't follow the rules, then your ID may collide with one generated by one of the other algorithms. – Raymond Chen Nov 27 '12 at 20:06
  • Is that any different compared to having to deal with 2 sources of variant 4 IDs? I.e. the chance of a collision is no greater than 2 generated by the same variant. – Mike Nov 27 '12 at 22:26
  • Since some algorithms (e.g. v1) are deterministic, an attacker can force a GUID collision if your algorithm accidentally generates a GUID with "1" in the version field: They set the MAC address to match the last part of your GUID and wait for the time to match the beginning part. Then they click SUBMIT and boom, GUID collision, databases explode, money gets transferred to the Cayman Islands. Each algorithm is designed to avoid collisions with itself, but it has no way of preventing collisions with other algorithms. Just follow the rules. Don't try to be sneaky about those extra 6 bits. – Raymond Chen Nov 28 '12 at 01:02
  • That makes sense, thanks. Do you want to post this as an answer? – Mike Nov 28 '12 at 08:12

1 Answer

5

If you don't follow the rules, then your ID may collide with one generated by one of the other algorithms.

Since some algorithms (e.g. v1) are deterministic, an attacker can force a GUID collision if your algorithm accidentally generates a GUID with "1" in the version field: They set the MAC address to match the last part of your GUID and wait for the time to match the beginning part. Then they click SUBMIT and boom, GUID collision, databases explode, money gets transferred to the Cayman Islands. Each algorithm is designed to avoid collisions with itself, but it has no way of preventing collisions with other algorithms. Just follow the rules. Don't try to be sneaky about those extra 6 bits.

Raymond Chen
  • Given that Version 1 UUIDs have 100-nanosecond clock resolution (assuming computer hardware does too) and a randomized clock sequence, that attack seems virtually impossible to me. – Basil Bourque Nov 14 '13 at 05:39
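
The overlap the answer describes can be measured. The following is an added example, not part of the original answer or its comments: it compares an all-random 128-bit ID with a conforming version 4 UUID and counts exactly how often the all-random form is read as another version. The function names and the `SAMPLE` bytes are constructed for illustration.

```python
import os
import uuid
from fractions import Fraction

def raw_random_id(rand=os.urandom):
    """Non-conforming ID: all 128 bits random, as the question proposes."""
    return uuid.UUID(bytes=rand(16))

def rfc4122_v4(rand=os.urandom):
    """Conforming version 4: 122 random bits plus the fixed version/variant bits."""
    b = bytearray(rand(16))
    b[6] = (b[6] & 0x0F) | 0x40  # version nibble = 4
    b[8] = (b[8] & 0x3F) | 0x80  # variant bits = 10 (RFC 4122)
    return uuid.UUID(bytes=bytes(b))

def read_as(u):
    """Version an RFC 4122 consumer assigns to u; None if the variant is not RFC 4122."""
    return u.version if u.variant == uuid.RFC_4122 else None

def fraction_read_as(version):
    """Exact share of all-random 128-bit values classified as `version`.

    Only bytes 6 and 8 carry the version and variant bits, so enumerating
    those two bytes (65536 combinations) gives the exact fraction.
    """
    hits = 0
    for b6 in range(256):
        for b8 in range(256):
            raw = bytearray(16)
            raw[6], raw[8] = b6, b8
            if read_as(uuid.UUID(bytes=bytes(raw))) == version:
                hits += 1
    return Fraction(hits, 256 * 256)

# Constructed sample: 16 "random" bytes that happen to carry version 1
# and the RFC 4122 variant.
SAMPLE = bytes.fromhex("00112233445516778899aabbccddeeff")

if __name__ == "__main__":
    raw = raw_random_id(lambda n: SAMPLE)
    ok = rfc4122_v4(lambda n: SAMPLE)
    print(raw, "read as version", read_as(raw), "node", hex(raw.node))
    print(ok, "read as version", read_as(ok))
    print("share of raw IDs read as v1:", fraction_read_as(1))
    print("share of raw IDs read as v4:", fraction_read_as(4))
```

One in 64 all-random values carries the version 1 marking, so a consumer will parse its last 48 bits as a node (MAC) field and its first 60 as a timestamp; the conforming generator never produces such a value.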