On Thursday, 20 February, 2020 11:48, Richard Hipp <d...@sqlite.org> wrote:

>The author of that article, "Raymond", assumes that the random number
>generator in the SQL database engine is not cryptographically strong.

Actually, what "Raymond" is on about is the fact that the original definition 
of a GUID, according to Microsoft, was what is now called, in standard 
parlance, a Version 1 Variant 2 UUID, only without the Version and Variant 
identifiers.  It used the "clock and sequence" based on the current clock in 
huns and a sequence number to "break ties" in case you tried to have Windows 
generate more than 1 GUID per hun.  The last 48-bits were the "Unique ID" of 
the computer as generated and stored in the registry by Microsoft when Windows 
was installed (with no generated-id flag as provided in the current standard).

It was always stored in little-endian order exclusively, even on big-endian 
processors.  There was no randomness at all.  Not even the slightest.  Ever.  
It was exclusively a (more or less) sequential number.

Several years ago Microsoft decided to replace the version 1 GUID, which 
contained an identifier traceable back to the computer on which it was created, 
with a truly random Version 4 type UUID (though still without a version number 
and still without variant encoding, and still always in little endian format) 
-- apparently Microsoft software loves storing "GUIDs" thither and yon like in 
Word and Excel documents, and Microsoft's Legal Department determined that this 
was a "liability" because the Justice Department would be able to prove which 
computer was used to compose a document, spreadsheet, or email message with 
trivial effort, thus exposing the company and its executives to liability which 
could be avoided by simply using "random" GUIDs rather than "machine specific" 
GUIDs.

A new API was introduced to permit the "old fashioned sequential GUIDs linked 
inexorably to the computer" to be generated by those that wanted to still use 
them, but the default API changed internally to now providing version 4 UUIDs 
(though still without the standard UUID version and variant flags, and still in 
exclusively little endian byte order).

So it has nothing to do with randomness.  It has to do with the fact that a 
"GUID" contains two parts:  a time stamp in UTC and a sequence number, plus the 
(hopefully) unique ID of the computer generating the GUID.  It is not random.  
It is sequential.  And the "Global Uniqueness" part is determined solely by the 
hopefully "Global Uniqueness" of the machine identifier which created the GUID.

Only later did the "GUID" contain randomness by default though Windows was 
still capable of generating the old sequential GUIDs.

-- 
The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
lot about anticipated traffic volume.




_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
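
An added illustration of the traceability point in the message above (this is not part of the original message or of SQLite): a Python example that decodes 16 bytes stored in the little-endian GUID layout (Python's `bytes_le`), assuming the standard RFC 4122 version and variant bits are present. The function names and the sample GUID are constructed for the example.

```python
import uuid
from datetime import datetime, timedelta, timezone

# UUID timestamps count 100 ns intervals since 1582-10-15 00:00 UTC (RFC 4122).
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

def build_sample_v1_le(when, clock_seq, node):
    """Construct a version 1 UUID (sample data) and return its little-endian bytes."""
    ticks = ((when - GREGORIAN_EPOCH) // timedelta(microseconds=1)) * 10
    fields = (
        ticks & 0xFFFFFFFF,                 # time_low
        (ticks >> 32) & 0xFFFF,             # time_mid
        ((ticks >> 48) & 0x0FFF) | 0x1000,  # time_hi with version nibble = 1
        0x80 | ((clock_seq >> 8) & 0x3F),   # clock_seq_hi with RFC 4122 variant bits
        clock_seq & 0xFF,                   # clock_seq_low
        node,                               # 48-bit machine identifier
    )
    return uuid.UUID(fields=fields).bytes_le

def decode_guid(raw_le):
    """Report what a stored GUID reveals about where and when it was made."""
    if len(raw_le) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    u = uuid.UUID(bytes_le=raw_le)
    info = {"text": str(u), "version": u.version}
    if u.variant == uuid.RFC_4122 and u.version == 1:
        # Time-based: timestamp, tie-breaking sequence and node are all recoverable.
        info["created_utc"] = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
        info["clock_seq"] = u.clock_seq
        info["node"] = f"{u.node:012x}"
        # A set multicast bit in the first node octet marks a generated node id.
        info["node_is_generated"] = bool((u.node >> 40) & 0x01)
    return info

# Constructed sample, not taken from any real machine or document.
SAMPLE_V1_LE = build_sample_v1_le(
    datetime(2020, 2, 20, 11, 48, tzinfo=timezone.utc), 0x1234, 0x001122334455)

if __name__ == "__main__":
    # The time-based GUID gives up its origin; the random one has nothing to give.
    for raw in (SAMPLE_V1_LE, uuid.uuid4().bytes_le):
        print(decode_guid(raw))
```
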
