3

I have an application which uses UUID as an authentication. The UUID is stored as KeyChain inside my iOS application. When I post the UUID, I use https. Is there any way to obtain the password, unless you have physical or remote access to the device? Is this approach strongly discouraged?

This question addresses the use the UUID as input in a text field, while my question is to use UUID as authentication after a login complete state. If you type it in a text field, the user has to know the UUID. (Talking about my application) First of all, the user does not know his/hers UUID. Second of all, the UUID is encrypted inside KeyChain.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Test tester
  • 31
  • 1
  • 3
  • No. UUID generation is designed with conflict avoidance first and foremost, but they are somewhat predictable, having a consistent device and time-based components. – nbering Jul 28 '18 at 00:04
  • So I should not use this approach, but real authentication instead? – Test tester Jul 28 '18 at 00:05
  • The UUID is made in PHP, how is it predictable? – Test tester Jul 28 '18 at 00:07
  • It depends what you are trying to protect and what the user experience you’re looking for is. If you are only trying to identify the device and not the user, a secure random string generated by the server and stored on the device during first use would probably be better than a UUID. – nbering Jul 28 '18 at 00:08
  • I should probably write a full answer but I’m on a mobile device right now which makes research hard. The UUID spec includes a portion of your mac address and a time-based component. These allow some degree of predictability, especially if your are generating a lot of UUIDs in a short period of time. – nbering Jul 28 '18 at 00:10
  • 1
    UUIDs are intended to solve the problem of conflicting identifiers in distributed systems, not provide secure randomness for encryption or authentication. – nbering Jul 28 '18 at 00:14
  • I have a login page, where you type password and username. After that, I have no form for authentication inside my PHP scripts, except for UUID. I know I should use some sort of authentication after the login script, so I thought the UUID would be secure enough. I am not sure, but I believe the KeyChain made by Apple encrypts the stored values. – Test tester Jul 28 '18 at 00:17
  • There are several different versions of UUID, and none of them are _required_ to be secure (unguessable). So no, this is not a good idea. – AndrolGenhald Jul 28 '18 at 00:21
  • Ok, what approach should I use? – Test tester Jul 28 '18 at 00:22
  • @Testtester: If your code will be used in a production environment, you should use an authentication framework that is both popular and built by experts. – Brian Jul 30 '18 at 16:47

1 Answers1

6

No, you should not use UUIDs as authentication tokens.

UUIDs are designed to be unique, not to be random or unpredictable. See wikipedia for a list of methods used to generate UUIDs. Let's take, for example,

Version 1 (date-time and MAC address)

Version 1 concatenates the 48-bit MAC address of the "node" (that is, the computer generating the UUID), with a 60-bit timestamp, being the number of 100-nanosecond intervals since midnight 15 October 1582.

If I was an attacker trying to predict the next UUID your server will generate, well once I've seen one one of your UUIDs then I know your MAC address, then I sync my system clock close to yours and I have a high chance of predicting your UUIDs. Your UUIDs are giving you ... maybe the equivalent of a 3 digit PIN's worth of security.

Now, you're proposing to use this as a super secret value that only the server and the logged in user know...

I could make some specific suggestions to improve your scheme, but you could probably benefit from doing some broad ground-up reading about "web authentication" and "session management". Here's a good primer to get you started:

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet

Community
  • 1
Mike Ounsworth
  • 57,707
  • 21
  • 150
  • 207
  • 1
    Good answer. I note that type 4 guids are random but not guaranteed to be crypto strength so again, an attacker who knows one type 4 guid can enumerate the space of likely subsequent or previous guids generated. – Eric Lippert Jul 28 '18 at 15:37
  • If I am not mistaken, UUIDs generated using a cryptographically strong pseudo random number generator can be used as authentication tokens (see the link to the question this is marked a duplicate of). – Behrang Jun 06 '19 at 06:06