I have few applications where I need to create some unique IDs. GUIDs are great as they give Globally Unique identifier but they are big. I mean if you want to issue unique number in your application which you want to give as Booking Number or any reference number then GUIDs is obviously not a solution. Therefore, I need some simple Id which is unique too. For example when I send a request to my Credit Card Processor there’s an ID that correlates my invoice with the transaction at the provider. A GUID isn’t what I’d want here.
But one relatively simple solution is to create sequential ID which will be of appropriate size as well as it will guarantee uniqueness. Very Good and Simple solution!!! Isn’t it !! My answer would be NO !! Because it is security threat for your website. In case of Web Application where you can Retrieve your Order or Booking Details by just giving Order Reference number, you can easily BruteForce Sequential Reference numbers to retrieve records.
In this article I will discuss some of techniques.
Using DateTime and HashCode:
Using DateTime for generating unique keys is very common practice. I have remixed this approach by inducing HashCode in it also. Like
It will give you some key like 496bffe0. At the first glance it seems to be satisfied Unique key as its using current time and hashing to generate key but GetHashCode() doesn’t procduce unique code everytime. Althought Microsoft is using Double Hashing algorithms with N Number of collision resolving double hash function but during my experimentation I found lot of collisions.
Using GUIDs and HashCode:
So then I tried
It gives key something like 649cf2e3.Somehow I don’t think that this string representation at least is unique… 38 characters represented as 8? Ok 32 bits, but still it’s 8 digits and characters limited to hex values and yes my doubt got right as I wrote program which generated 100,000 keys and checked it for collisions and found several keys duplicated.
Using RNGCryptoServiceProvider and Character Masking :
The .net Framwork provides RNGCryptoServiceProvider class which Implements a cryptographic Random
Number Generator (RNG) using the implementation provided by the cryptographic service provider (CSP). This class is usually used to generate random numbers. Although I can use this class to generate unique number in some sense but it is also not collision less. Moreover while generating key we can make key more complicated by making it as alpha numeric rather than numeric only. So, I used this class along with some character masking to generate unique key of fixed length.
Below is code sample:
private string GetUniqueKey()
int maxSize = 8 ;
int minSize = 5 ;
char chars = new char;
a = “abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890”;
chars = a.ToCharArray();
int size = maxSize ;
byte data = new byte;
RNGCryptoServiceProvider crypto = new RNGCryptoServiceProvider();
size = maxSize ;
data = new byte[size];
StringBuilder result = new StringBuilder(size) ;
foreach(byte b in data )
result.Append(chars[b % (chars.Length – 1)]);
Analysis shows that RNGCrypto with Character Masking is best method to generate Unique keys.