phobos
Randomness in UUID generation is insufficient.
jdougan reported this on 2024-11-25T00:53:20Z
Transferred from https://issues.dlang.org/show_bug.cgi?id=24877
Description
UUIDs generated by randomUUID() use the random numbers from std.random, granted with an unpredictableSeed, but from a fundamentally insecure and low entropy source.
As per the latest UUID RFC, RFC-8562, Section 8, this should at least have the option of using an actual quality entropy source.
https://www.rfc-editor.org/rfc/rfc9562.html in section 8 says:
"Instead CSPRNG data SHOULD be selected from a source with sufficient entropy to ensure guaranteed uniqueness among UUID generation."
dfj1esp02 commented on 2024-11-25T09:49:06Z
There's an overload that accepts an RNG
---
UUID randomUUID(RNG)(ref RNG randomGen);
---
jdougan commented on 2024-11-26T04:32:30Z
and no cryptographic strength RNG to use with it.
https://breakpoint.purrfect.fr/article/cracking_phobos_uuid.html
Adding here a link to my own implementation of UUIDv4 and v7, if useful. https://gist.github.com/trikko/31d12ecafc76c7eba02edd81e5d1e8e8
It would be great to be able to manipulate UUIDv7 with Phobos.
#10748 should allow us to resolve the randomness issue.
Regarding support for UUIDv7, it might be worth opening a separate issue for that enhancement.
UUIDv7 randomness check failure: https://github.com/dlang/phobos/pull/10865 This makes UUIDv7 completely unusable.
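Added example, not part of the thread and not Phobos code: one way to get a version 4 UUID whose random bits come from the operating system's CSPRNG, as the RFC 9562 Section 8 text quoted in the issue asks, without going through std.random. The helper name `osRandomUUID` is hypothetical, and the code assumes a POSIX system that exposes `/dev/urandom`.

```d
import std.exception : enforce;
import std.stdio : File, writeln;
import std.uuid : UUID;

/// Hypothetical helper (not part of Phobos): builds a version 4 UUID
/// from 16 bytes read from the operating system's CSPRNG.
UUID osRandomUUID()
{
    ubyte[16] bytes;

    // Assumption: POSIX system exposing /dev/urandom.
    auto urandom = File("/dev/urandom", "rb");
    auto got = urandom.rawRead(bytes[]);

    // Fail closed: never hand out a UUID built from a partial read.
    enforce(got.length == bytes.length, "short read from /dev/urandom");

    // RFC 9562 layout: version 4 in the high nibble of octet 6,
    // variant bits 10 in the top two bits of octet 8.
    // The remaining 122 bits stay as read from the CSPRNG.
    bytes[6] = cast(ubyte)((bytes[6] & 0x0F) | 0x40);
    bytes[8] = cast(ubyte)((bytes[8] & 0x3F) | 0x80);

    return UUID(bytes);
}

void main()
{
    auto a = osRandomUUID();
    auto b = osRandomUUID();

    // The result is a well-formed random (version 4) UUID.
    assert(a.uuidVersion == UUID.Version.randomNumberBased);
    assert(a.variant == UUID.Variant.rfc4122);
    assert(a != b);

    writeln(a);
}
```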