
I'm coding GENERIC_WEB_SERVICE, which could potentially be running as multiple instances on multiple machines down the line. I'm using UUIDs as identifiers, and haven't settled yet on whether to use version 1 or version 4.

In this case, I have absolutely no idea what the implications are of exposing the MAC address by using version 1. I don't think I'm concerned about exposing the generation time.

So:

  • Are there potential issues?
  • I could apply an XOR mask over the portion of the UUID that represents the MAC address. The same mask would be used by every instance of the running service. Does this sufficiently handle the aforementioned potential issues?
Nan L

1 Answer


A UUID is meant, by construction, to be unique worldwide. Version 1 UUIDs achieve that in a context of cooperating entities. However, MAC addresses and current time are not exactly secret values; if someone observes several version 1 UUIDs produced by a given machine, he may succeed at predicting the value of future UUIDs produced by the same machine. Depending on what you use the UUID for, this may or may not be a problem. Note that hiding the MAC with an XOR mask or anything like that does not fix the issue.

Version 4 UUIDs use 122 bits from a cryptographically strong PRNG, which makes them unpredictable. That's stronger, and better. This ensures uniqueness even in the presence of hostile entities.

Summary: if unsure, use v4 UUIDs.

Thomas Pornin
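The following is an added illustration of the answer's point and is not code from the question or the answer. It uses only Python's standard `uuid` module. It assembles version 1 UUIDs from their RFC 4122 fields (timestamp, clock sequence, node) so that the node and time can be read back out of any observed v1 UUID, shows that two UUIDs from the same generator share node and clock sequence so that the UUID for any later timestamp can be written down in advance, and shows that XORing the node field with a fixed mask (the question's proposal) leaves that linkability and predictability unchanged. The node value, the mask and the timestamps are constructed sample values, not real MAC addresses.

```python
import uuid

# Constructed sample mask; the question proposes one fixed mask shared by every instance.
MASK = 0xA5A5A5A5A5A5


def build_v1(timestamp: int, clock_seq: int, node: int) -> uuid.UUID:
    """Assemble a version 1 UUID from a 60-bit timestamp (100 ns ticks since
    1582-10-15), a 14-bit clock sequence and a 48-bit node id, per RFC 4122 4.2.2."""
    time_low = timestamp & 0xFFFFFFFF
    time_mid = (timestamp >> 32) & 0xFFFF
    time_hi_version = ((timestamp >> 48) & 0x0FFF) | (1 << 12)  # version nibble = 1
    clock_seq_low = clock_seq & 0xFF
    clock_seq_hi_variant = ((clock_seq >> 8) & 0x3F) | 0x80  # RFC 4122 variant bits 10
    return uuid.UUID(fields=(time_low, time_mid, time_hi_version,
                             clock_seq_hi_variant, clock_seq_low, node))


def parse_v1(u: uuid.UUID) -> dict:
    """Read the fields a version 1 UUID exposes; refuses anything that is not v1."""
    if u.version != 1:
        raise ValueError("not a version 1 UUID")
    return {"time": u.time, "clock_seq": u.clock_seq, "node": u.node}


def mask_node(u: uuid.UUID, mask: int = MASK) -> uuid.UUID:
    """Apply (or, since XOR is its own inverse, remove) the question's mask on the node field."""
    f = u.fields
    return uuid.UUID(fields=f[:5] + (f[5] ^ mask,))


def same_generator(observed: list) -> bool:
    """True when every observed v1 UUID carries the same node and clock sequence,
    i.e. they are linkable to one generator. Works the same on masked UUIDs,
    because the masked node is still a constant per machine."""
    keys = {(parse_v1(u)["node"], parse_v1(u)["clock_seq"]) for u in observed}
    return len(keys) == 1


def predict_next(observed: uuid.UUID, future_timestamp: int) -> uuid.UUID:
    """The UUID the same generator will emit at a given future timestamp: only the
    time field moves, node and clock sequence are copied from the observed value."""
    p = parse_v1(observed)
    return build_v1(future_timestamp, p["clock_seq"], p["node"])


if __name__ == "__main__":
    t0 = 138_000_000_000_000_000          # constructed timestamp (100 ns ticks)
    node = 0x001122334455                 # constructed, not a real MAC
    a = build_v1(t0, 0x1234, node)
    b = build_v1(t0 + 5_000_000, 0x1234, node)   # half a second later
    print("v1 fields exposed:", parse_v1(a))
    print("linkable:", same_generator([a, b]))
    print("predicted == actual:", predict_next(a, t0 + 5_000_000) == b)
    ma, mb = mask_node(a), mask_node(b)
    print("masked still linkable:", same_generator([ma, mb]))
    print("masked still predictable:", predict_next(ma, t0 + 5_000_000) == mb)
    v4 = uuid.uuid4()
    print("v4 version:", v4.version, "- parse_v1 raises:", end=" ")
    try:
        parse_v1(v4)
    except ValueError as e:
        print(e)
```

Running the script prints the node and timestamp recovered from the v1 UUID, confirms that a second UUID from the same generator is linkable and that its value could be written down ahead of time, and shows the same two results for the masked UUIDs: the mask changes which 48-bit constant identifies the machine, not the fact that there is one, and it leaves the time field untouched. A v4 UUID has no such fields to read.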