From: Chris Scott (chrishostorlando.com)
Date: Wed Feb 06 2002 - 10:13:21 CST


    Interesting. I've seen the same behavior when generating GUIDs from ASP but
    from SQL 7.0 I get:

    7D62E3A7-E808-4AA5-B1C4-2F71DD64442A
    3C2E0FCC-912E-4000-A351-19E60AEE1D00
    B627455F-5674-4BA0-8439-64086618FA68
    3B4D1DC5-9474-4F1F-9B24-A790C159E29D

    Using the following SQL:

    SET NOCOUNT ON
    -- T-SQL local variables need the @ prefix; the loop prints four NEWID() values
    DECLARE @COUNTER INT
    SELECT @COUNTER = 1
    WHILE (@COUNTER < 5)
    BEGIN
            SELECT NEWID()
            SELECT @COUNTER = @COUNTER + 1
    END

    Chris

    > -----Original Message-----
    > From: Neil [mailto:webapp1geekshanty.com]
    > Sent: Wednesday, February 06, 2002 10:04 AM
    > To: Innes Fisher
    > Cc: webappsecsecurityfocus.com
    > Subject: Re: SQL GUID as a session authentication token
    >
    >
    > GUIDs created using NEWID() are *not* a secure identifier. They are
    > unique, but extremely predictable and should not be used as an
    > authentication method.
    >
    > SELECT NEWID() (done 5 times)
    > B41B2D23-1923-11D6-90EC-00E0291DE14E
    > B41B2D24-1923-11D6-90EC-00E0291DE14E
    > B41B2D25-1923-11D6-90EC-00E0291DE14E
    > B41B2D26-1923-11D6-90EC-00E0291DE14E
    > B41B2D27-1923-11D6-90EC-00E0291DE14E
    > ^^
    >
    > As you can see, most of the GUID is the same each time. From what I
    > remember, the GUID is based in part on your MAC address and then an
    > ever increasing number. This is even worse because the value isn't
    > seeded based on time! To get the last connection you simply modify
    > the GUID counter part down a number or 2 and you now have a valid
    > identifier.
    >
    > In short, GUIDs are about as predictable as they come and should not
    > be used as an identifier for a security token.
    >
    > Hope this helps,
    >
    > Neil
    >
    >
    > On 02-06 (08:14), Innes Fisher wrote:
    >
    > >
    > >
    > > I'm reviewing the security design on a web app which
    > > uses a GUID generated by a backend MS SQL
    > > database as the session token for the authenticated
    > > user.
    > >
    > > While using GUIDs will theoretically guarantee
    > > uniqueness of the tokens, I have serious reservations
    > > about it being used in this way. If GUIDs can be
    > > predicted in advance it would be possible to appear to
    > > be an authenticated user.
    > >
    > > How predictable are GUIDs and has anyone seen
    > > them used in this way before?
    > >
    > > Is this as crazy as I think?
    > >
    > > Thanks,
    > > Innes
    > >
    >
    >
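An added example, not code from this thread: a small Python audit that classifies the GUIDs quoted above by their RFC 4122 version nibble and, for version-1 values, checks whether they share the same node (MAC) and clock-sequence fields and how far apart their timestamps are, which is the counter behaviour Neil describes. The sample lists are the GUIDs from the two messages; the function names and the report format are mine.

```python
import re

# Samples taken from the thread above: Neil's five NEWID() results and Chris's four.
NEIL_GUIDS = [
    "B41B2D23-1923-11D6-90EC-00E0291DE14E",
    "B41B2D24-1923-11D6-90EC-00E0291DE14E",
    "B41B2D25-1923-11D6-90EC-00E0291DE14E",
    "B41B2D26-1923-11D6-90EC-00E0291DE14E",
    "B41B2D27-1923-11D6-90EC-00E0291DE14E",
]
CHRIS_GUIDS = [
    "7D62E3A7-E808-4AA5-B1C4-2F71DD64442A",
    "3C2E0FCC-912E-4000-A351-19E60AEE1D00",
    "B627455F-5674-4BA0-8439-64086618FA68",
    "3B4D1DC5-9474-4F1F-9B24-A790C159E29D",
]
GUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")

def guid_fields(guid):
    """Split a textual GUID into its RFC 4122 fields (all as integers)."""
    if not GUID_RE.match(guid):
        raise ValueError(f"not a GUID: {guid}")
    p = guid.split("-")
    return {"time_low": int(p[0], 16), "time_mid": int(p[1], 16),
            "time_hi_and_version": int(p[2], 16),
            "clock_seq": int(p[3], 16), "node": int(p[4], 16)}

def guid_version(guid):
    """The version is the top nibble of the third group: 1 = time+MAC, 4 = random."""
    return guid_fields(guid)["time_hi_and_version"] >> 12

def v1_timestamp(guid):
    """Reassemble the 60-bit timestamp of a version-1 GUID (100 ns ticks since 1582-10-15)."""
    f = guid_fields(guid)
    return ((f["time_hi_and_version"] & 0x0FFF) << 48) | (f["time_mid"] << 32) | f["time_low"]

def audit_tokens(guids):
    """Report how guessable a batch of tokens is: which versions appear, whether the
    version-1 ones all carry the same node (MAC) and clock sequence, and the gaps
    between their timestamps. Small constant gaps mean a counter, not a clock."""
    v1 = [g for g in guids if guid_version(g) == 1]
    stamps = [v1_timestamp(g) for g in v1]
    return {
        "versions": sorted({guid_version(g) for g in guids}),
        "predictable": bool(v1),
        "same_node_and_clock_seq": len({(guid_fields(g)["node"], guid_fields(g)["clock_seq"]) for g in v1}) == 1,
        "timestamp_gaps": [b - a for a, b in zip(stamps, stamps[1:])],
    }
```

Neil's values come back as version 1 with identical node and clock sequence and timestamp gaps of exactly 1, while Chris's SQL 7.0 values are version 4; either way a session token should come from a CSPRNG (for example Python's `secrets.token_hex`) rather than from any GUID generator.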