Is Microsoft's GUID generator cryptographically secure
I'm going to disagree with the accepted answer. While it's generally a bad idea to go against the advice of an RFC, in this case I was able to find MSDN documentation specifying that Microsoft indeed took the obvious, helpful route and tied a cryptographically-secure RNG into the generation of v4 GUIDs:
According to https://msdn.microsoft.com/en-us/library/system.guid.newguid(v=vs.110).aspx, .NET's GUID creation just wraps the Windows functions CoCreateGuid and UuidCreate. And according to http://download.microsoft.com/download/5/0/1/501ED102-E53F-4CE0-AA6B-B0F93629DDC6/Windows/%5BMS-WSO%5D.pdf, since Windows 2000 back in 1999,
"the random bits for all version 4 GUIDs built in Windows are obtained via the Windows CryptGenRandom cryptographic API or the equivalent, the same source that is used for generation of cryptographic keys"
So I'd say you could call them cryptographically secure -- at least to the extent of the 122 bits of entropy they provide.
No. The goal of the Guid is to be unique, but cryptographically secure implies that it is unpredictable. These goals sometimes, but not always, align.
If you want cryptographically secure, then you should use something like RNGCryptoServiceProvider
See also:
- How Random is System.Guid.NewGuid()? (Take two)
- How securely unguessable are GUIDs?
The key point in both the above links is that Microsoft's Guid is an implementation of UUID, and the UUID spec indicates that they should not be used as security tokens:
Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example. A predictable random number source will exacerbate the situation.