[Opendnssec-develop] hsm-toolkit questions

John Dickinson jad at jadickinson.co.uk
Wed Mar 11 18:42:04 UTC 2009


On 11 Mar 2009, at 18:22, John Dickinson wrote:

>
> On 11 Mar 2009, at 18:15, Rick van Rein wrote:
>
>>
>> There is no such thing as a random UUID; there are UUIDs (which are in
>> part random) and, as a totally different thing, random numbers that
>> may or may not look alike.
>
> man uuid_generate
>
> "The uuid_generate_time function forces the use of the alternative
> algorithm which uses the current time and the local ethernet MAC address
> (if available).  This algorithm used to be the default one used to
> generate UUID, but because of the use of the ethernet MAC address, it can
> leak information about when and where the UUID was generated.  This can
> cause privacy problems in some applications, so the uuid_generate
> function only uses this algorithm if a high-quality source of randomness
> is not available."

Actually, let me be a bit more verbose.

1. You might want to read about the 5 versions of UUIDs mentioned in http://en.wikipedia.org/wiki/Universally_Unique_Identifier 
  (the URL already sent by Jakob.)

2. Just in case you don't have a Mac or Linux, the whole man page:

SYNOPSIS
        #include <uuid/uuid.h>

        void uuid_generate(uuid_t out);
        void uuid_generate_random(uuid_t out);
        void uuid_generate_time(uuid_t out);

DESCRIPTION
        The uuid_generate function creates a new universally unique
        identifier (UUID).  The uuid will be generated based on
        high-quality randomness from /dev/urandom, if available.  If it
        is not available, then uuid_generate will use an alternative
        algorithm which uses the current time, the local ethernet MAC
        address (if available), and random data generated using a
        pseudo-random generator.

        The uuid_generate_random function forces the use of the
        all-random UUID format, even if a high-quality random number
        generator (i.e., /dev/urandom) is not available, in which case a
        pseudo-random generator will be substituted.  Note that the use
        of a pseudo-random generator may compromise the uniqueness of
        UUID's generated in this fashion.

        The uuid_generate_time function forces the use of the alternative
        algorithm which uses the current time and the local ethernet MAC
        address (if available).  This algorithm used to be the default
        one used to generate UUID, but because of the use of the ethernet
        MAC address, it can leak information about when and where the
        UUID was generated.  This can cause privacy problems in some
        applications, so the uuid_generate function only uses this
        algorithm if a high-quality source of randomness is not
        available.

        The UUID is 16 bytes (128 bits) long, which gives approximately
        3.4x10^38 unique values (there are approximately 10^80 elementary
        particles in the universe according to Carl Sagan's Cosmos).  The
        new UUID can reasonably be considered unique among all UUIDs
        created on the local system, and among UUIDs created on other
        systems in the past and in the future.

RETURN VALUE
        The newly created UUID is returned in the memory location pointed
        to by out.

CONFORMING TO
        OSF DCE 1.1

AUTHOR
        Theodore Y. Ts'o

AVAILABILITY
        http://e2fsprogs.sourceforge.net/


3. The Mac UUID code on >=10.5 appears to be that from e2fsprogs.

4. I agree there is little danger of leaking information - however, it  
might be good practice to force the use of uuid_generate_random when  
using the e2fsprogs uuid lib.

5. BTW - I do know what a UUID is :)

John

---
John Dickinson
http://www.jadickinson.co.uk
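
The man page's warning about uuid_generate_time, as an added example that is not part of the original message or of e2fsprogs: a stand-alone C function that reads back the creation time and node address carried in a time-based (version 1) UUID, and reports nothing of the kind for an all-random one. The names uuid_inspect and struct uuid_leak are hypothetical, the field layout assumed is the RFC 4122 one, and the sample value in main is the example UUID printed in RFC 4122.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* What a UUID discloses; time and node are meaningful only for version 1. */
struct uuid_leak {
    int version;          /* 1 = time + node, 4 = all-random */
    int64_t unix_seconds; /* creation time, seconds since 1970-01-01 UTC */
    uint8_t node[6];      /* ethernet MAC address, or a random node ID */
    int node_is_random;   /* multicast bit set: node is not a real MAC */
};

/* Inspect a UUID in its 36-character text form. Returns 0, or -1 if malformed. */
int uuid_inspect(const char *s, struct uuid_leak *leak)
{
    uint8_t b[16] = {0};
    int n = 0; /* index of the next hex digit, 0..31 */
    if (strlen(s) != 36) return -1;
    for (int i = 0; i < 36; i++) {
        if (i == 8 || i == 13 || i == 18 || i == 23) {
            if (s[i] != '-') return -1;
            continue;
        }
        if (!isxdigit((unsigned char)s[i])) return -1;
        int c = tolower((unsigned char)s[i]), v = (c >= 'a') ? c - 'a' + 10 : c - '0';
        b[n / 2] |= (uint8_t)((n % 2 == 0) ? v << 4 : v);
        n++;
    }
    memset(leak, 0, sizeof *leak);
    leak->version = b[6] >> 4;
    if (leak->version != 1) return 0; /* no time or node fields to read */
    /* 60-bit count of 100 ns ticks since 1582-10-15: time_hi | time_mid | time_low */
    uint64_t ts = ((uint64_t)(b[6] & 0x0f) << 56) | ((uint64_t)b[7] << 48) |
                  ((uint64_t)b[4] << 40) | ((uint64_t)b[5] << 32) | ((uint64_t)b[0] << 24) |
                  ((uint64_t)b[1] << 16) | ((uint64_t)b[2] << 8) | b[3];
    leak->unix_seconds = (int64_t)(ts / 10000000ULL) - 12219292800LL;
    memcpy(leak->node, b + 10, 6);
    leak->node_is_random = b[10] & 0x01;
    return 0;
}

int main(void)
{
    struct uuid_leak l;
    if (uuid_inspect("f81d4fae-7dec-11d0-a765-00a0c91e6bf6", &l) == 0 && l.version == 1)
        printf("created %lld (Unix time), node %02x:%02x:%02x:%02x:%02x:%02x, random node %d\n",
               (long long)l.unix_seconds, l.node[0], l.node[1], l.node[2], l.node[3], l.node[4], l.node[5], l.node_is_random);
    return 0;
}
```

Run over identifiers an application already stores or publishes, a result with version 1 and node_is_random 0 marks values that expose a host's MAC address and a creation time.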






