November 25

[Issue 24877] New: Randomness in UUID generation is insufficient.
https://issues.dlang.org/show_bug.cgi?id=24877

Issue ID: 24877
Summary: Randomness in UUID generation is insufficient.
Product: D
Version: D2
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P1
Component: phobos
Assignee: nobody@puremagic.com
Reporter: jdougan@acm.org

UUIDs generated by randomUUID() use the random numbers from std.random, granted with an unpredictableSeed, but from a fundamentally insecure and low entropy source. As per the latest UUID RFC, RFC-8562, Section 8 this should at least have the option of using an actual quality entropy source.

https://www.rfc-editor.org/rfc/rfc9562.html in section 8 says: "Instead CSPRNG data SHOULD be selected from a source with sufficient entropy to ensure guaranteed uniqueness among UUID generation."
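One way to get the option the report asks for, shown as an added example that is not part of the original report or of Phobos: a version 4 UUID whose random bits come from the operating system CSPRNG rather than std.random. The helper names `osRandomBytes` and `secureRandomUUID` are hypothetical, and the code assumes a POSIX system that exposes `/dev/urandom`.

```d
import std.exception : enforce;
import std.stdio : File, writeln;
import std.uuid : UUID, randomUUID;

/// Hypothetical helper: read 16 bytes from the kernel CSPRNG.
/// Assumption: POSIX system with /dev/urandom available.
ubyte[16] osRandomBytes()
{
    ubyte[16] buf;
    auto f = File("/dev/urandom", "rb");
    auto got = f.rawRead(buf[]);
    // Fail closed: never fall back to a weaker source on a short read.
    enforce(got.length == buf.length, "short read from /dev/urandom");
    return buf;
}

/// Hypothetical helper: version 4 UUID built from CSPRNG output.
UUID secureRandomUUID()
{
    ubyte[16] b = osRandomBytes();
    // Overwrite the fixed fields of a version 4 UUID;
    // the remaining 122 bits stay as CSPRNG output.
    b[6] = cast(ubyte)((b[6] & 0x0F) | 0x40); // version field = 4
    b[8] = cast(ubyte)((b[8] & 0x3F) | 0x80); // variant field = 0b10
    return UUID(b);
}

void main()
{
    auto a = secureRandomUUID();
    auto b = secureRandomUUID();

    // The result is a well-formed random-number-based UUID.
    assert(a.uuidVersion == UUID.Version.randomNumberBased);
    assert(a.variant == UUID.Variant.rfc4122);
    assert(a != b);

    writeln("CSPRNG-backed:     ", a.toString());
    // The std.random-backed generator the report is about, for comparison.
    writeln("std.random-backed: ", randomUUID().toString());
}
```

Both lines of output look alike; the difference is only in where the 122 random bits come from, which is why the source has to be checked in code review rather than by inspecting generated values.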