How easily can you guess a GUID that might be generated?

Question

GUIDs get used a lot in creating session keys for web applications. I\'ve always wondered about the safety of this practice. Since the GUID is generated based on informati

Answer 1

Here is some stuff from Wikipedia (original source):

V1 GUIDs which contain a MAC address and time can be identified by the digit "1" in the first position of the third group of digits, for example {2f1e4fc0-81fd-11da-9156-00036a0f876a}.

In my understanding, they don't really hide it.

V4 GUIDs use the later algorithm, which is a pseudo-random number. These have a "4" in the same position, for example {38a52be4-9352-453e-af97-5c3b448652f0}. More specifically, the 'data3' bit pattern would be 0001xxxxxxxxxxxx in the first case, and 0100xxxxxxxxxxxx in the second. Cryptanalysis of the WinAPI GUID generator shows that, since the sequence of V4 GUIDs is pseudo-random, given the initial state one can predict up to next 250 000 GUIDs returned by the function UuidCreate1. This is why GUIDs should not be used in cryptography, e. g., as random keys.