GUID Behind the Scenes - guid

I am wondering, what goes into the creation of a GUID. I don't mean what is used to create a GUID in a specific language (NewID() in SQL Server, Guid.NewGuid() in C#), I mean when you call those methods/functions, what do they do to make the GUID?

Also, RFC 4122 (which is referenced in the Wikipedia article) describes how GUIDs should be built.

The details of GUIDs, including the algorithm used to generate them, are described on Wikipedia.

In short, it's not complicated at all. GUID (or UUID) Version 4 (current) is a partially random number, plain and simple (122 out of 128 bits are random, the rest are used for storing version and revision). The trick is that the possible values of this number are so many that the probability of a hit is, for most practical purposes, zero.

Hash function. It's complicated.
http://en.wikipedia.org/wiki/GUID#Algorithm Knows more than I do.

A word of caution that a very great deal of what you read on the Internet about GUID creation may well be wrong, or at least out of date for your specific platform.
I once single-stepped through a heap of Windows code to settle an argument about GUID creation on WinXP. Unfortunately, it turned out that I was wrong (i.e. I lost the argument), but so was Larry Osterman, so I felt slightly better about it.

There are five official ways of generating GUIDs (and certainly many more unofficial ones).
Version 1 is a time based GUID usually using MAC addresses of the primary network card of the machine used to compute the GUID. This is normally not used due to privacy issues, but I do believe that Microsoft SQL Servers from 2005 and onwards use a modified version of this (claiming to be version 14), to create sequential GUIDs useful for IDs in a database to avoid fractioning of data blocks (NewSequentialId()).
Version 2 is DCE Security version. I have never found this kind of GUID, but I have not worked a lot with POSIX either and there seems to be a connection between version 2 GUIDs and POSIX.
Version 3 is a "name based" version, meaning you can take a text and create a GUID representation of that, given a namespace. Version 3 uses an MD5 hashing algorithm. See also version 5.
Version 4 is basically a random number type GUID. The random number is of security level, not just your average random number generator though. This is the version usually used in the world today. The C# Guid.NewGuid() uses this version, according to Microsoft documentation. Also the normal function for generating a uniqueidentifier in MS SQL Server (NewId()) generates a version 4 GUID.
Version 5 is just like version 3, but uses a SHA-3 hashing algorithm instead. The extended guid C# project uses the version 5 algorithm.
For one implementation of GUID making I'd recommend looking at the extended guid project. As many have pointed out, the RFC 4122 gives a detailed description on how all five algorithms work. However, there are no guarantees all implementations are correct.
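
The RFC 4122 bit layout discussed in the answers above, as an added Python example that is not code from any of the posters or from the extended guid project. It builds a version 4 value from raw random bytes, builds name-based values with the hashes RFC 4122 specifies (MD5 for version 3, SHA-1 for version 5), and shows what a version 1 value discloses; the helper names and the sample node value are made up for illustration.

```python
import hashlib
import os
import uuid
from datetime import datetime, timedelta, timezone

def stamp(raw16: bytes, version: int) -> uuid.UUID:
    """Overwrite the 6 fixed bits: 4-bit version and 2-bit RFC 4122 variant."""
    b = bytearray(raw16)
    b[6] = (b[6] & 0x0F) | (version << 4)  # high nibble of byte 6 = version
    b[8] = (b[8] & 0x3F) | 0x80            # top two bits of byte 8 = 10
    return uuid.UUID(bytes=bytes(b))

def make_v4() -> uuid.UUID:
    """Version 4: 16 bytes from the OS CSPRNG, leaving 122 random bits."""
    return stamp(os.urandom(16), 4)

def make_named(namespace: uuid.UUID, name: str, version: int) -> uuid.UUID:
    """Versions 3 and 5: hash of namespace bytes + name, cut to 16 bytes."""
    algo = {3: hashlib.md5, 5: hashlib.sha1}[version]  # hashes named in RFC 4122
    digest = algo(namespace.bytes + name.encode("utf-8")).digest()
    return stamp(digest[:16], version)

def describe(u: uuid.UUID) -> dict:
    """Report what a UUID reveals; version 1 exposes creation time and node."""
    info = {"version": u.version, "variant": u.variant}
    if u.version == 1:
        # u.time counts 100 ns ticks since 1582-10-15 (the Gregorian epoch)
        epoch = datetime(1582, 10, 15, tzinfo=timezone.utc)
        info["created"] = epoch + timedelta(microseconds=u.time // 10)
        info["node"] = ":".join(f"{(u.node >> s) & 0xFF:02x}" for s in range(40, -1, -8))
    return info

# Constructed sample: a version 1 UUID with a made-up node (MAC) value.
SAMPLE_V1 = uuid.uuid1(node=0x001122334455, clock_seq=0)

if __name__ == "__main__":
    print(make_v4())
    print(make_named(uuid.NAMESPACE_DNS, "example.com", 5))
    print(describe(SAMPLE_V1))
```

Running describe() over identifiers already stored in logs or databases is a quick way to check whether version 1 values are exposing host MAC addresses and creation times.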

Related

Binary Protocol Serialization Frameworks

There are some great libraries out there for deserializing binary formats. I really like the declarative approach by kaitai and nom's approach which is using Rust.
However, I am not aware of any good approaches to serialize binary formats.
For example, you often have the case that you have to write your message length right into the message header, but actually you do not know your exact message length at this point because it depends on many fields which are downstream from the header. And you sometimes also have to deal with padding alignment which can be cumbersome.
Do you know any solutions for problems like these?
Please take a look at ASN.1 which has solved this problem many years ago, and is still continuing to be widely used in critical infrastructure in many different industries. It is independent of programming language and machine architecture so you can set up communication whether one peer is using C on a little-endian machine and the other is using Java or C# on a big-endian machine. Structure padding issues are easily handled by good quality tools for ASN.1. A good list of tools (both free and commercial) is available at the ASN.1 Tools page of the ITU-T ASN.1 Project.
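
How ASN.1's DER encoding deals with the "length before the content" problem from the question, as an added Python example that is not taken from the answer or from any ASN.1 tool: inner fields are encoded first, so every header length is computed from finished bytes. The message layout (an INTEGER id followed by an OCTET STRING payload) and all function names are hypothetical.

```python
def der_length(n: int) -> bytes:
    """Short form below 128; otherwise 0x80 | byte count, then the length big-endian."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value: the length comes from the already finished content."""
    return bytes([tag]) + der_length(len(content)) + content

def der_integer(value: int) -> bytes:
    """INTEGER (0x02) as minimal big-endian two's complement."""
    size = (value + (value < 0)).bit_length() // 8 + 1
    return tlv(0x02, value.to_bytes(size, "big", signed=True))

def der_octet_string(data: bytes) -> bytes:
    """OCTET STRING (0x04): raw bytes, no padding or alignment."""
    return tlv(0x04, data)

def der_sequence(*parts: bytes) -> bytes:
    """SEQUENCE (0x30): children are encoded first, so the header length is known."""
    return tlv(0x30, b"".join(parts))

def encode_message(msg_id: int, payload: bytes) -> bytes:
    """Hypothetical message: SEQUENCE { INTEGER msg_id, OCTET STRING payload }."""
    return der_sequence(der_integer(msg_id), der_octet_string(payload))

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; reject lengths that run past the buffer."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0:
            raise ValueError("indefinite length is not allowed in DER")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("declared length exceeds available bytes")
    return tag, buf[pos:pos + length], pos + length
```

The bounds check in read_tlv matters on the receiving side: a declared length that is trusted without comparison to the bytes actually present is a classic source of parser bugs.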

Is SHA-Encryption already decrypted?

I went here http://shadecrypt.com/home and typed some sha results (encrypted already by sha512) and it gives back the real word.
Is it already decrypted?
Technically, it is incorrect to use the word "decryption" when talking about hash functions; "reversing" is a slightly better term.
The site you're linking to is basically an online Rainbow table and there's no harm in linking to it: one could trivially (sans storage costs) produce hash values for all [A-Za-z0-9]* character combinations and end up with basically the same result.
Speaking of SHA-1, Bruce Schneier considers it broken.
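
Why a site like that can "give back the real word", as an added Python example that is not part of the original answer: an unsalted digest of a common word is a key into a precomputed table, while a salted, iterated derivation of the same word is not. The word list is constructed, and the function names and iteration count are choices made for this example.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a large precomputed database.
WORDS = ["password", "letmein", "dragon", "sunshine"]

def sha512_hex(word: str) -> str:
    return hashlib.sha512(word.encode("utf-8")).hexdigest()

def build_table(words) -> dict:
    """Precompute digest -> word once; every later query is a dictionary lookup."""
    return {sha512_hex(w): w for w in words}

def lookup(table: dict, digest_hex: str):
    """Return the word whose digest was precomputed, or None. Nothing is decrypted."""
    return table.get(digest_hex)

def store_password(password: str, iterations: int = 210_000):
    """Salted, iterated storage: a per-user random salt makes a shared table useless."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return salt, iterations, dk

def verify_password(password: str, salt: bytes, iterations: int, dk: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, dk)

if __name__ == "__main__":
    table = build_table(WORDS)
    print(lookup(table, sha512_hex("dragon")))       # found: the word was precomputed
    salt, rounds, dk = store_password("dragon")
    print(lookup(table, dk.hex()))                   # None: the salt changes the output
    print(verify_password("dragon", salt, rounds, dk))
```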

Using AES256 as "decryption" in MachineKey for SqlMembershipProvider

I'm creating custom registration forms for Forms Based Authentication for a SharePoint 2010 site, and storing passwords as 'Encrypted' in the aspnet_Membership database table.
My setting in web.config shows that the 'decryption' parameter is "AES". My boss is asking that I look to use AES256, as it's more secure, but I'm having trouble working out how to do this. I've been Googling and "stackoverflow-ing", but so far I've not been able to find that one post that either explains what I need to do, or where to look for good information.
My questions, I think, are:
is "AES256" a valid value for the "decryption" parameter of ?
if not, is simply generating a longer "decryptionkey" all that's required to make AES stronger? i.e. if I make my decryption key 64 characters long, would that constitute AES256?
if I'm totally off base with my current thinking, can anyone put me on track, or explain (or link to an explanation of) how to update my web.config to use AES256 rather than the default AES?
Just in case anyone wants to say "You should use Hashed".. been there, discussed that, decision made to use Encrypted. Just thought I'd get that out of the way :)
No, you can only use "AES" as the decryption parameter for the AES algorithm.
Yes, if you generate one that is 256 bits (64 bytes) long, you effectively have AES256. In reality, you could generate one that is 512 bits long, too. The longer this value is, the stronger the encryption.
No need. You seem to be understanding it.
Now, in .NET 4.0, they've enhanced this a bit, allowing SHA256 to be used for validation as well. See MSDN's documentation (archive.org snapshot) for details.

'Pre-prepared' statements in SQLite3?

Using SQLite in a memory-constrained embedded system with a fixed set of queries, it seems that code and data savings could be made if the queries could be 'pre-prepared'. That is, the prepared statement is produced by (an equivalent of) sqlite3_prepare_v2() at build time, and only _bind(), _step() etc need to be called at runtime, referencing one or more sqlite3_stmt* pointers that are effectively static data. The entire SQL parsing (and query planning?) engine could be eliminated from the target.
I realise that there is considerable complexity hidden behind the sqlite3_stmt* pointer, and that this is highly unlikely to be practical with the current sqlite3 implementation - but is the concept feasible?
This was discussed on the SQLite-users mailing list in 2006. At that time D. Richard Hipp supported a commercial version of SQLite that ran compiled statements on a stripped down target, which did not have any SQL parser. Perhaps you could check with hwaci to see if this product is still available.

How to identify encryption algorithm used in ciphertext?

Are there any ways to try to guess encryption algorithm used to encrypt the ciphertext?
Yes. There are some differences:
Is it a block cipher or not can be guessed from the length.
Block length
Entropy of the output (are all characters equally present? / can patterns be found?)
Recurrences (CBC or not...)
The entropy of the string is probably the best hint. A simple method to determine it is probably trying to compress it. Some methods can be found here: http://www.random.org/statistics/ They use them to make sure their numbers are as random as possible.
I've got no idea if it's really possible to determine the encryption using these methods.
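
The checks listed in the answer above (length against block size, entropy, compressibility, recurring blocks), as an added Python example that is not the answerer's code. These measurements separate random-looking data from structured data and flag repeated blocks; they do not name the algorithm. The three samples are constructed, with SHA-256 over a counter standing in for cipher output, and all function names are made up for this example.

```python
import hashlib
import math
import zlib
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def compression_ratio(data: bytes) -> float:
    """Compressed size / original size; about 1.0 means nothing to squeeze out."""
    return len(zlib.compress(data, 9)) / len(data)

def block_size_candidates(data: bytes) -> list:
    """Common block sizes (8 = 64-bit, 16 = 128-bit) that divide the length."""
    return [size for size in (8, 16) if len(data) % size == 0]

def repeated_blocks(data: bytes, size: int = 16) -> int:
    """Aligned blocks seen more than once; chained modes such as CBC hide these."""
    blocks = [data[i:i + size] for i in range(0, len(data) - size + 1, size)]
    return len(blocks) - len(set(blocks))

def profile(data: bytes) -> dict:
    """Collect all four hints for one input."""
    return {
        "entropy": round(shannon_entropy(data), 2),
        "compression_ratio": round(compression_ratio(data), 2),
        "block_sizes": block_size_candidates(data),
        "repeated_16_byte_blocks": repeated_blocks(data),
    }

def _stream(seed: bytes, n: int) -> bytes:
    """Constructed stand-in for cipher output: SHA-256 over a counter, not a cipher."""
    chunks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(chunks)[:n]

# Constructed samples; none of this is real ciphertext.
RANDOM_LIKE = _stream(b"sample", 4096)
REPEATING = _stream(b"a", 16) * 8 + _stream(b"b", 4096 - 128)
PLAINTEXT = b"the quick brown fox jumps over the lazy dog " * 93

if __name__ == "__main__":
    for name, data in (("random-like", RANDOM_LIKE), ("repeating", REPEATING), ("plaintext", PLAINTEXT)):
        print(name, profile(data))
```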
Tools to see it:
PEiD with the Krypto Analyzer (KANAL) plugin
IDA Pro with the Findcrypt plugin
OllyDbg with the SnD Crypto Scanner
x3chun's Crypto Searcher
Keygener Assistant
Hash & Crypto Detector (HCD)
Draft Crypto Analyzer (DRACA)
but all to executables.
found here : http://fwhacking.blogspot.com.br/2011/03/bfcrypt-crypto-scanner.html
Quite often this information is readily available - in a good encryption scheme, only the key needs to be secret, not the algorithm used.
There are analyses you can perform to test for particular encryptions, consult a textbook on cryptanalysis for details!
You can try fbcrypt which will scan for known hash & crypto signatures: http://fwhacking.blogspot.com/2011/03/bfcrypt-crypto-scanner.html
For now it supports MD5, CRC32, Blowfish, DES and SHA256, but more will be added soon. Anyway as the source is available you can also add your own.
It depends if you're talking about "raw encrypted data" (in that case you can use methods such as listed by "gs" in the other answer) or an encrypted file in some standard format (the most common are CMS/PKCS#7 and OpenPGP); in the latter case the encryption algorithm is explicitly indicated in the metadata contained in the very file.
For CMS you need an ASN.1 decoder such as command-line dumpasn1 program or my own web-based Javascript decoder while for OpenPGP you can use pgpdump.
