I need to generate UUIDs for use as non-predictable / guessable session IDs.
This can easily be accomplished using boost's UUID library:
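```cpp
#include <boost/uuid/uuid.hpp>
#include <boost/uuid/random_generator.hpp>

boost::uuids::uuid newUUID()
{
    // Constructed (and seeded) once, on the first call.
    static boost::uuids::random_generator gen;
    return gen();
}
```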
The returned UUID can easily be converted to a string.
The above code is equivalent to:
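```cpp
#include <boost/random/mersenne_twister.hpp>
#include <boost/uuid/uuid.hpp>
#include <boost/uuid/random_generator.hpp>

boost::uuids::uuid newUUID()
{
    // Same generator with the underlying engine spelled out.
    static boost::uuids::basic_random_generator<boost::mt19937> gen;
    return gen();
}
```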
So we are using the Mersenne Twister 19937 pseudo random number generator. It looks like boost takes the task of seeding it properly seriously.
However, I wonder if something important – security-wise – is gained by using a non-deterministic RNG like boost::random_device instead, and also how it will impact the speed of UUID generation.
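```cpp
#include <boost/random/random_device.hpp>
#include <boost/uuid/uuid.hpp>
#include <boost/uuid/random_generator.hpp>

boost::uuids::uuid newUUID()
{
    // Every UUID is drawn from the non-deterministic device.
    static boost::uuids::basic_random_generator<boost::random_device> gen;
    return gen();
}
```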
Advice from people with security insight is appreciated.
MT is not a cryptographically secure RNG.
boost::random_device is guaranteed (by docs) to only exist if cryptographically secure and non-deterministic. Note that this is not true of std::random_device.
For any serious application, you cannot trust a mere documented guarantee. But for a small scale unimportant one it should do.
Writing your own cryptographically secure code or system is usually a bad idea. Describe how bad it is that someone defeats your system, as that really matters to how much effort you need to put into it.
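For comparison with the generators discussed above, here is an added example (not code from the original post or from Boost) that builds a version-4 UUID session ID directly from the operating system's CSPRNG and fails closed if the bytes cannot be read. It assumes a Unix-like system that exposes /dev/urandom; the names `osRandomBytes` and `newSessionUuid` are hypothetical.

```cpp
// Added example: UUIDv4 session ID taken straight from the OS CSPRNG.
// Assumption: a Unix-like system with /dev/urandom.
#include <array>
#include <cstddef>
#include <cstdio>
#include <fstream>
#include <stdexcept>
#include <string>

// Hypothetical helper: fill buf with kernel CSPRNG bytes or throw.
static void osRandomBytes(unsigned char* buf, std::size_t len)
{
    std::ifstream urandom("/dev/urandom", std::ios::in | std::ios::binary);
    if (!urandom)
        throw std::runtime_error("cannot open /dev/urandom");
    urandom.read(reinterpret_cast<char*>(buf), static_cast<std::streamsize>(len));
    if (urandom.gcount() != static_cast<std::streamsize>(len))
        throw std::runtime_error("short read from /dev/urandom");
}

// Hypothetical name: returns the canonical 36-character UUID string.
std::string newSessionUuid()
{
    std::array<unsigned char, 16> b{};
    osRandomBytes(b.data(), b.size());

    // Six bits are fixed by the format, leaving 122 random bits.
    b[6] = static_cast<unsigned char>((b[6] & 0x0F) | 0x40); // version 4
    b[8] = static_cast<unsigned char>((b[8] & 0x3F) | 0x80); // RFC 4122 variant

    static const char hex[] = "0123456789abcdef";
    std::string out;
    out.reserve(36);
    for (std::size_t i = 0; i < b.size(); ++i) {
        if (i == 4 || i == 6 || i == 8 || i == 10)
            out.push_back('-');
        out.push_back(hex[b[i] >> 4]);
        out.push_back(hex[b[i] & 0x0F]);
    }
    return out;
}

int main()
{
    std::printf("%s\n", newSessionUuid().c_str());
    return 0;
}
```

The function throws instead of falling back to a weaker source, so a caller never receives an ID that was not backed by the kernel generator.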