AutoHotkey Community

Titan · Joined: 11 Aug 2004 Posts: 5009 Location: imaginationland

Generates a time-based Universally Unique Identifier based on random clock and node IDs.
e.g. MsgBox, % uuid(y) ; where y is false for random IDs

Laszlo · Joined: 14 Feb 2005 Posts: 3943 Location: Pittsburgh

Since AHK's (pseudo) random number generator is initialized based on the current time, if thousands of PC's generate these uuid values in the same time, there is a good chance that some of them will be the same. Have you considered to mix in some values, which are different in different PC's? Something like the user name, language, windows version are easy to access, others, like the BIOS version, motherboard type, disk serial number are still possible. These have to be hashed, not to leak personal information. And, of course, you can always access Windows' GUID, which already incorporates these.

Titan · Joined: 11 Aug 2004 Posts: 5009 Location: imaginationland

The time based algorithm allows up to 10000 unique identifiers to be made every millisecond (281474976710656 in my version) so the chance of a similarity is very little. In the new version 1.1 I took your idea of parsing Windows GUID in the registry for real clock and node IDs. This value is cached for later calls.
_________________

RegExReplace("irc.freenode.net/autohotkey", "^(?=(.(?=[\0-r\[]*((?<=\.).))))(?:[c-\x73]{2,8}(\S))+((2)|\b[^\2-]){2}\D++$", "$u3$1$3$4$2")

Laszlo · Joined: 14 Feb 2005 Posts: 3943 Location: Pittsburgh

This is better!

About the collisions: How many people need to be in a group, such that there is a 50% chance that at least two of them have the same birthday? Think about it, before reading further.

The answer is 23. It is surprisingly low, is not it? In general, if there are n possible results of a measurement, after performing it sqrt(n) times, there is a near 50% chance that two results are the same. It is called the birthday paradox.

The resolution of the Windows timer is 10..16 ms. It means, in every second there can be as few as 1000/16 = 62.5 different A_MSec values. In a minute there are only 60*62.5 = 3750 different time values. According to the birthday paradox, if sqrt(3750) =~ 61 PC's read the time in this minute, there is a 50% chance that two of them get the same result, and their random number generator will be initialized identically, too. If 500 PC's would execute the script in the same hour, there will almost certainly be two of them getting the same time values: sqrt(60*60*62.5) =~ 474.

Titan · Joined: 11 Aug 2004 Posts: 5009 Location: imaginationland

I've read about the birthday paradox, it's an interesting theory. I'm disappointed about the low res. timer; 2/500 is a bad probability for an identifier which "1 trillion have to be created every nanosecond for 10 billion years to exhaust [...]". I've looked into GetSystemTime but that's likely to be the same.

However your calculations (which are impressive btw.) only account for the first part of the UUID - the LSB time group. The last two parts, clock ID (CPU clock) and node ID (MAC address) are there to ensure no collisions can occur with different computers using genuine NICs. Even in quirks mode (param = false) fourteen digits are randomized which yields a probability of 1/14^16 (72057594037927936).
_________________

RegExReplace("irc.freenode.net/autohotkey", "^(?=(.(?=[\0-r\[]*((?<=\.).))))(?:[c-\x73]{2,8}(\S))+((2)|\b[^\2-]){2}\D++$", "$u3$1$3$4$2")

Laszlo · Joined: 14 Feb 2005 Posts: 3943 Location: Pittsburgh

I wrote about the collision of the time values. Mixing in PC or user dependent information makes the collision much less likely. However, you have to mix (hash) the pieces together, otherwise there is a possible attack: someone can identify unchanging parts of your uuid values, and create valid uuid values in your behalf. In some cases it is bad.

Titan · Joined: 11 Aug 2004 Posts: 5009 Location: imaginationland

Uuids are not used in cryptography so it doesn't matter. You can edit any uuid and it will still be valid (with a few exceptions). Also randomized node IDs are prefixed with '1' (RFC 4122) which differentiates it from valid MAC addresses, so there is no security concern here.
_________________

RegExReplace("irc.freenode.net/autohotkey", "^(?=(.(?=[\0-r\[]*((?<=\.).))))(?:[c-\x73]{2,8}(\S))+((2)|\b[^\2-]){2}\D++$", "$u3$1$3$4$2")

SKAN · Joined: 26 Dec 2005 Posts: 5581

Very Nice.. Very Happy

.. On a related note: I think Random command should be available as a function.
_________________
SKAN - Suresh Kumar A N

Titan · Joined: 11 Aug 2004 Posts: 5009 Location: imaginationland

I've changed my mind, hashing values is not too difficult anyway. Here's what I came up with, is it secure enough?

Dippy46 · Posted: Sun Dec 17, 2006 11:01 am Post subject:

@Goyyah

I think this is probably good enough for what you need

SKAN · Joined: 26 Dec 2005 Posts: 5581

majkinetor · Joined: 24 May 2006 Posts: 3593 Location: Belgrade

I tried to do this with API functions like this:

tonne · Joined: 06 Jun 2006 Posts: 1143 Location: Denmark

Unicode?
_________________
there's a dog barking close within the range of my ear
sounds like he wants to escape the chain
he would probably bite me to death if he could
but the chain lets me spit in his face
- Kashmir

majkinetor · Joined: 24 May 2006 Posts: 3593 Location: Belgrade

uh...I forgot that... most definitely...
_________________

SKAN · Joined: 26 Dec 2005 Posts: 5581

Yes .. it is Unicode and the string length is 76