Question about GUIDs

Started by NoCforMe, July 01, 2024, 08:09:45 AM


NoCforMe

After writing a li'l GUID-getting utility, I have some basic questions:

GUIDs are supposed to be unique, right? (And no, there's no such thing as being "somewhat unique", which would be like being "somewhat pregnant": it's definitely a binary thing).

So how do "they" ensure that they actually are unique? (whoever "they" may be)

I understand that UuidCreate() "phones home" (to Micro$oft?) when it's called. Do they (MS or someone else) maintain a database of GUIDs? How else could they guarantee uniqueness (if in fact they do guarantee uniqueness)?

And--kind of a long shot here, but still--is there any danger, privacy-wise, of having a central repository of these numbers? I know they're not supposed to be attached to any physical device or system, but one wonders ...
Assembly language programming should be fun. That's why I do it.

Siekmanski

18.446.744.073.709.551.616 different GUIDs are possible, more than enough to generate unique GUIDs.
Creative coders use backward thinking techniques as a strategy.

NoCforMe

Quote from: Siekmanski on July 01, 2024, 09:16:52 AM
18.446.744.073.709.551.616 different guides are possible, more than enough to generate unique guides.

Yes, I get that; but how do they guarantee that they are unique, that there are no duplicates? I don't think even the best random-number generators can promise that. There must be some way of tracking them. Otherwise why would UuidCreate() be phoning someone up on the Internet?
Assembly language programming should be fun. That's why I do it.

NoCforMe

For instance, here's a page describing how the NIH (US Nat'l. Institute of Health) generates GUIDs, with a diagram showing a GUID database on a "NIH Centralized GUID Server".

So if there are many of these databases, how are they coordinated? And is there a central repository?
Assembly language programming should be fun. That's why I do it.

Siekmanski

#4
Creative coders use backward thinking techniques as a strategy.

sinsi

Quote from: NoCforMe on July 01, 2024, 09:33:24 AM
For instance, here's a page describing how the NIH (US Nat'l. Institute of Health) generates GUIDs, with a diagram showing a GUID database on a "NIH Centralized GUID Server".

I don't think their GUID is the same

Quote
a new GUID (a random 10-digit alpha-numeric format: NIH012ABC34DE) is generated

Quote from: NoCforMe on July 01, 2024, 08:09:45 AM
I understand that UuidCreate() "phones home" (to Micro$oft?) when it's called

Where did you get that from?

NoCforMe

Quote from: sinsi on July 01, 2024, 10:39:08 AM
Quote from: NoCforMe on July 01, 2024, 08:09:45 AM
I understand that UuidCreate() "phones home" (to Micro$oft?) when it's called
Where did you get that from?

For one thing, this error from UuidCreate():

RPC_S_UUID_NO_ADDRESS
Cannot get Ethernet or token-ring hardware address for this computer.

It's evidently reaching out somewhere on the network ... or is it using that address to generate the GUID via a RNG?
Assembly language programming should be fun. That's why I do it.

fearless

You obviously didn't read the links that were provided by TimoVJL, as they explain everything about the GUIDs and how they work.

https://masm32.com/board/index.php?topic=12077.msg132161#msg132161

NoCforMe

That's a lot of stuff to read. More than I care to.
Can you explain to us, in simple terms, how GUIDs are generated, and how their uniqueness can be assured?
Assembly language programming should be fun. That's why I do it.

NoCforMe

In that first doc Timo linked to:
Quote
The specification [Version 4] doesn't specify how the random numbers should be generated, they could be anything where from pseudo-random to cryptographically secure - hence these GUIDs like all other GUIDs should only be used for identification and not for security.
(my italics)
This sounds like it implies that they may not be absolutely guaranteed to be unique. (How could a GUID produced by some unspecified PRNG be expected to be guaranteed unique?)
Assembly language programming should be fun. That's why I do it.

sinsi

Quote from: NoCforMe on July 01, 2024, 10:45:46 AM
Quote from: sinsi on July 01, 2024, 10:39:08 AM
Quote from: NoCforMe on July 01, 2024, 08:09:45 AM
I understand that UuidCreate() "phones home" (to Micro$oft?) when it's called
Where did you get that from?

For one thing, this error from UuidCreate():

RPC_S_UUID_NO_ADDRESS
Cannot get Ethernet or token-ring hardware address for this computer.


It's evidently reaching out somewhere on the network ... or is it using that address to generate the GUID via a RNG?

Windows will use the MAC address of a network adapter as part of the generation.
Quote from: NoCforMe on July 01, 2024, 11:18:35 AM
This sounds like it implies that they may not be absolutely guaranteed to be unique. (How could a GUID produced by some unspecified PRNG be expected to be guaranteed unique?)

As unique as can be, with 122 bits to use, makes 5.3e+36 combinations.

The security problem comes from using a MAC address, in theory you could ID a computer this way.
Quote
For security reasons, UuidCreate was modified so that it no longer uses a machine's MAC address to generate UUIDs. UuidCreateSequential was introduced to allow creation of UUIDs using the MAC address of a machine's Ethernet card.
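
Added example, not part of any post in this thread: a small C checker that reads a GUID string and reports whether it is a version 1 value carrying a MAC address in its node field or a version 4 value with 122 random bits, plus the birthday estimate of a duplicate among random GUIDs. It assumes the RFC 4122 field layout; `guid_info`, `guid_inspect` and `v4_collision_probability` are names made up here, and the sample GUID is constructed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int version;      /* 1 = timestamp + node, 4 = random */
    int rfc_variant;  /* 1 when the variant bits are 10x (RFC 4122 layout) */
    uint8_t node[6];  /* last 48 bits; a MAC address in a version 1 GUID */
    int node_is_mac;  /* version 1 with the node's multicast bit clear */
} guid_info;

/* Parse "xxxxxxxx-xxxx-Vxxx-Nxxx-xxxxxxxxxxxx". Returns 0, or -1 on bad input. */
int guid_inspect(const char *s, guid_info *out)
{
    uint8_t b[16] = {0};
    int n = 0;
    if (strlen(s) != 36) return -1;
    for (int i = 0; i < 36; i++) {
        if (i == 8 || i == 13 || i == 18 || i == 23) {
            if (s[i] != '-') return -1;
            continue;
        }
        if (!isxdigit((unsigned char)s[i])) return -1;
        int c = tolower((unsigned char)s[i]);
        int v = (c >= 'a') ? c - 'a' + 10 : c - '0';
        b[n / 2] |= (uint8_t)((n % 2 == 0) ? v << 4 : v);
        n++;
    }
    out->version = b[6] >> 4;
    out->rfc_variant = (b[8] & 0xC0) == 0x80;
    memcpy(out->node, b + 10, 6);
    /* RFC 4122: a randomly chosen node sets the multicast bit, a real MAC does not. */
    out->node_is_mac = out->rfc_variant && out->version == 1 && !(b[10] & 0x01);
    return 0;
}

/* Birthday approximation n^2 / 2^123: chance of any duplicate among n
   version 4 GUIDs (122 random bits). Valid while the result is far below 1. */
double v4_collision_probability(double n) { return (n * n) / 0x1p123; }

int main(void)
{
    guid_info g;  /* constructed sample, not taken from a real machine */
    if (guid_inspect("2f1d3c40-37a1-11ef-9a5b-001122334455", &g) == 0)
        printf("version %d, node is MAC: %d\n", g.version, g.node_is_mac);
    printf("P(dup) for 1e9 v4 GUIDs: %g\n", v4_collision_probability(1e9));
    return 0;
}
```

Running it over GUIDs already stored in files or databases shows which ones expose a network adapter address; the probability function shows that uniqueness of random GUIDs is a matter of odds, not a registry lookup.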