Shifting Some distance flung from UUIDs

Whenever you happen to’d like an unguessable random string (for a session cookie or access token, as an instance), it will possibly be tempting to reach for a random UUIDwhich appears to be like to be like like this:


Here’s a 128-bit price formatted as 36 hexadecimal digits separated by hyphens. In Java and most other programming languages, these are very easy to generate:

import java.util.UUID;

String id=UUID.randomUUID().toString();

Below the hood this uses a cryptographically stable pseudorandom number generator (CSPRNG), so the IDs generated are gorgeous unusual. Nevertheless, there are some downsides to the usage of random UUIDs that achieve them less purposeful than they first seem. In this trace I will picture them and what I suggest the usage of as a substitute.

How random is a UUID anyway?

As stated on the Wikipedia entryof the 128 bits in a random UUID, 6 are mounted variant and version bits leaving 122 bits of actual random. 122 bits is aloof quite quite of random, nonetheless is it if truth be told enough? Whenever you happen to are generating OAuth 2 access tokens, then the spec says no:

The possibility of an attacker guessing generated tokens (and other
credentials no longer supposed for dealing with by cease-users) MUST be no longer as a lot as
or equal to 2^(-128) and SHOULD be no longer as a lot as or equal to 2^(-160).

Properly, despite the undeniable truth that the attacker handiest makes a single bet, the probability of guessing a 122-bit random price can never be no longer as a lot as 2-122so strictly speaking a random UUID is in violation of the spec. Nevertheless does it if truth be told topic?

To determine how long it will fetch an attacker to bet a sound token/cookie, we want to fetch into consideration a vary of factors:

  • How immediate can the attacker achieve guesses? An attacker that can strive tens of millions of candidate tokens per second can fetch a match considerable faster than somebody who can handiest strive a hundred. We are going to have the choice to name this charge (in guesses per second) A.
  • How many bits of randomness are in every token? A 128-bit random token is extra complex to bet than a 64-bit token. We are going to have the choice to trace the selection of random bits B.
  • How many tokens are first charge at any given time? Whenever you happen to’ve gotten issued a million lively session cookies then an attacker can strive and bet any of them, making their job more straightforward than if there turned into once accurate one. Such batch attacks are in total no longer infamous. We are going to have the choice to trace the selection of first charge tokens in circulation at any one time S.

Given these parameters, OWASP give a arrangement for calculating how long it may possibly perhaps non-public to fetch an attacker to bet a random token as:


Let’s drag in some numbers and gawk what we salvage. Nevertheless what are affordable numbers? Properly, for security we in total want to push the numbers neatly beyond what we predict is de facto seemingly to be if truth be told obvious. So what is de facto seemingly now?

After we fetch into consideration how mercurial a neatly resourced attacker may possibly perhaps possibly perhaps also bet a token, we are able to employ the Bitcoin hash charge as an cheap upper-certain approximation. Quite lots of persons are investing so a lot of time and money into generating random hashes, and we are able to gawk this as roughly the same to our attacker’s task. After I looked relieve in February (you’d gawk how long my blog queue is!), the most charge turned into once round 24293141000000000000 hashes per second, or round 264.

That’s a gorgeous vulgar number. It’s somewhat now possibly no longer that somebody would enlighten that quantity of useful resource at breaking your pains’s session tokens, and you’d employ charge limiting and other ways. Nevertheless it’s price thinking about the extremes. Despite all the pieces, right here is clearly seemingly with contemporary abilities and may possibly perhaps possibly perhaps fair handiest enhance over time.

How many tokens may possibly perhaps possibly perhaps also we have got in circulation at any time? Again, it’s purposeful to fetch into consideration extremes. Let’s reveal your extensively successful service disorders access tokens to every IoT (Web of Issues) procedure within the enviornment, at a charge of 1 million tokens per second. As you’ve gotten a deep instinctive belief within the safety of these gadgets (what may possibly perhaps possibly perhaps also slouch tainted?), you give every token a 2-year validity duration. At a height that you just may possibly perhaps possibly then non-public round 63 trillion (246) tokens in circulation.

If we drag these figures into the equation from sooner than, we are able to gawk how long our 122-bit UUID will steal out:


That comes out as … 2048 seconds. Or quite no longer as a lot as 35 minutes. Oh.

OK, so these vulgar numbers see gorgeous unpleasant, nonetheless they’re additionally quite vulgar. The Bitcoin community utilize nice sums of money (undoubtedly within the tens of tens of millions of greenbacks) every year to salvage that extra or less output. Additionally, making an are attempting out every bet possibly requires if truth be told making a request to one of your servers, so that you just’re quite inclined to seek that level of visitors – reveal by your servers melting a hole thru the backside of your datacentre. Whenever you happen to think you tend to entice this extra or less attention then you’d also want to in moderation fetch into consideration which aspect of the Mossad/no longer-Mossad threat divide you are dwelling on and possibly take a look at your cell phone isn’t a part of Uranium.

All right here is to divulge that whilst you’ve gotten deployed random UUIDs in production, don’t alarm! Whereas I’d suggest that you just growth to one thing higher (gawk below) at some level, plugging extra seemingly numbers into the equation can non-public to aloof reassure you that you just’re no longer inclined to be at possibility at this time. An attacker would aloof want to make investments if truth be told intensive time and money into launching such an assault.

Other nits

The borderline acceptable level of entropy in a random UUID is my major assert with them, nonetheless there are others too. In the accepted string kind, they’re quite inefficient. The gallop-separated hexadecimal structure takes 36 characters to symbolize 16 bytes of facts. That’s a 125% expansion, which is gorgeous gruesome. Base64-encoding would as a substitute employ accurate 24 characters, and accurate 22 if we fetch away the padding, main to accurate 37.5% expansion.

Lastly, a particular criticism of Java’s random UUID implementation is that internally it uses a single shared SecureRandom occasion to generate the random bits. Looking on the backend configured, this may possibly perhaps possibly perhaps also fair compose a lock which is able to alter into closely contended whilst you are generating mountainous numbers of random tokens, specifically whilst you are the usage of the procedure blocking entropy offer (don’t achieve that, employ /dev/urandom). By rolling your salvage token era you’d employ a thread-local or pool of SecureRandom cases to lead particular of such contention. (NB – the NativePRNG uses a shared static lock internally, so this doesn’t assist if so, nonetheless it undoubtedly additionally holds the lock for shorter crucial sections so is less inclined to the assert).

What can non-public to aloof we employ as a substitute?

My recommendation is to employ a 160-bit (20 byte) random price that is then URL-safe base64-encoded. The URL-safe base64 variant may possibly perhaps possibly perhaps also be damaged-down gorgeous considerable wherever, and is moderately compact. In Java:

import;import java.util.Base64;public class SecureRandomString {    private static final SecureRandom random=new SecureRandom();    private static final Base64.Encoder encoder=Base64.getUrlEncoder().withoutPadding();    public static String generate() {        byte[] buffer=new byte[20];        random.nextBytes(buffer);        return encoder.encodeToString(buffer);    }}

This produces output values like the following:


Here’s both shorter than a UUID and additionally extra stable having 160 bits of entropy. I will additionally achieve the SecureRandom staunch into a ThreadLocal if I desire.

So how long wouldn’t it fetch our vulgar attacker to search out a 160-bit random token? Spherical 17.9 million years. By tweaking the structure of our tokens accurate a bit of we are able to pass from demanding about attacker capabilities and resources to interior peace and happiness. It’s to this level beyond the realm of seemingly that we are able to quit demanding.

Why no longer slouch additional? Why no longer 256 bits? That may possibly perhaps possibly push the assault prices into considerable extra absurd territory. I fetch that 160 bits is a sweet set apart of lustrous security while aloof having a compact string illustration.

Author: Neil Madden

Security Architect at ForgeRock. Experienced procedure engineer with a PhD in computer science. Drawn to application security, applied cryptography, logic programming and realizing agents.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button