Home > Mobile >  Can I rely on Go's `crypto/rand` package to give me unique random string?
Can I rely on Go's `crypto/rand` package to give me unique random string?

Time:07-24

I want to generate 32 characters long unique alphanumeric secret keys. The secret key will be an identifier for my system and will be used to look up information.

While searching the web I stumbled upon the crypto/rand package of Go. Which is able to generate random alphanumerics with the help of underline system calls. But I am concerned that the value returned by the crypto/rand package might produce a non-unique string down the line.

Can anyone clarify if I can rely on the crypto/rand package for the job?

CodePudding user response:

Of course with randomly generated tokens, there is always the possibility of generating a duplicate token. There are standards such as UUID (excluding v4) that use other methods to try to "guarantee" uniqueness of each identifier. These methods do not truly obviate the possibility of collisions, they just shift the failure modes. For example, UUID1 relies on uniqueness of MAC addresses, which is a whole issue of its own.

If you are not limited by the size of your tokens, you can easily pick a sufficiently large number of bits that the probability of collisions becomes so small that it is completely dwarfed by countless other failure modes (such as programmer error, cosmic rays, a mass global extinction event, etc.).

Very approximately, if you have a true random key length of N bits, you can generate 2^(N/2) keys before having a 50% chance of seeing collisions. See the Wikipedia page for UUID#Collisions for a more general formula.

CodePudding user response:

I think it is important to mention that uniqueness and randomness are mutually exclusive concepts. Generally, with a random number generator there is no guarantee that individual random numbers will occur more than once. The probability of this to happen may be very low, however, and it may be good enough for your use case. In many cases UUID will be good enough. If you are curious about the probability of duplicate UUIDs, see Wikipedia for example.

If you really need true uniqueness you may want to combine random numbers with a map to record them, where the number serves as key and the value is a "don't care". While recording the numbers, duplicates are excluded automatically as keys in a map are unique. Then, you can consume numbers by removing them from the map successively. However, this approach may introduce a new challenge depending on your setting as the numbers are now kept in memory which is insecure per se. It will also be challenging if your use case does not determine the quantity of secrets required during the lifetime of the system.

For me, it really boils down to the question whether the identifiers for your system you use for info lookups are really secrets or you just want unique identifiers which are hard to predict before they occur in the system. Maybe you can elaborate on your use case to clarify your requirements.

CodePudding user response:

I think for this type of thing, you should use UUID

package main

import (
    "fmt"
    "github.com/google/uuid"
)

func main() {
    id := uuid.New()
    fmt.Println(id.String())
}
  • Related