Wednesday, June 24, 2009


First and foremost, UUIDs have to be 128 bits long.

There are apparently 5 versions. By versions, they mean algorithms with variants.

Version 1 uses a combination of monotonic time, a random number and nodeID, which is either the IP or the MAC address. This guarantees that the UUID is unique across time (from 1582 till around 3400AD) and space. If, for some unforeseen reason, two UUIDs are generated at the same time with the same nodeID, the random number further decreases the possibility of a collision. The main complaint against this version is that you can trace the source based on the nodeID.

Version 2 is the OSF Desktop Computing Environment Security version with embedded POSIX UID. Not sure exactly what this means, but apparently not implemented by Apache.

Version 3/5 uses the URL and either MD5 or SHA1 hashing for spatial but not temporal uniqueness.

Version 4 is the same as version 1 but with the nodeID computed using a cryptographically strong random number generator such as Java's SecureRandom and a hashed name (such as that of Version 3/5). This also guarantees spatial and temporal uniqueness. A cryptographically strong random number generator must produce non-deterministic output. Apache implements some variation of this, and Sun uses the Leach-Salz variation.
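The tracing complaint against version 1 can be checked directly. The added example below (not part of the original post) uses Python's standard `uuid` module to read the version of each identifier and, for version 1, decode the embedded time and nodeID; the helper names and sample values are constructed for illustration.

```python
import uuid
from datetime import datetime, timedelta, timezone

GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # start of the UUID clock

def make_v1(when, node, clock_seq=0):
    """Build a version 1 UUID from explicit parts (used for constructed samples only)."""
    ticks = (when - GREGORIAN_EPOCH) // timedelta(microseconds=1) * 10  # 100 ns units
    return uuid.UUID(fields=(
        ticks & 0xFFFFFFFF,                 # time_low
        (ticks >> 32) & 0xFFFF,             # time_mid
        ((ticks >> 48) & 0x0FFF) | 0x1000,  # time_hi, version nibble set to 1
        ((clock_seq >> 8) & 0x3F) | 0x80,   # clock_seq_hi, RFC 4122 variant bits
        clock_seq & 0xFF,                   # clock_seq_low
        node,                               # 48-bit node ID
    ))

def describe(text):
    """Return what a UUID string reveals about when and where it was generated."""
    u = uuid.UUID(text)
    info = {"version": u.version, "created": None, "node": None,
            "node_looks_like_mac": False}
    if u.version == 1:
        # UUID.time is the 60-bit count of 100 ns ticks since 1582-10-15.
        info["created"] = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
        info["node"] = ":".join(f"{b:02x}" for b in u.node.to_bytes(6, "big"))
        # RFC 4122 sets the multicast bit on randomly chosen node IDs; a clear
        # bit means the node field is probably a real hardware address.
        info["node_looks_like_mac"] = ((u.node >> 40) & 0x01) == 0
    return info

def traceable(ids):
    """Return the identifiers whose node field can point back to a machine."""
    return [i for i in ids if describe(i)["node_looks_like_mac"]]

# Constructed sample values, not taken from any real system.
SAMPLE_TIME = datetime(2009, 6, 24, 12, 0, tzinfo=timezone.utc)
SAMPLE_NODE = 0x001A2B3C4D5E
SAMPLE_IDS = [
    str(make_v1(SAMPLE_TIME, SAMPLE_NODE)),                      # version 1, MAC-style node
    str(make_v1(SAMPLE_TIME, SAMPLE_NODE | (1 << 40))),          # version 1, random-style node
    str(uuid.uuid3(uuid.NAMESPACE_URL, "http://example.com/")),  # version 3, name-based
    str(uuid.uuid4()),                                           # version 4, random
]

if __name__ == "__main__":
    for s in SAMPLE_IDS:
        print(s, describe(s))
    print("traceable:", traceable(SAMPLE_IDS))
```

Running `traceable` over identifiers that appear in URLs, logs or exported records shows which of them disclose a generation time and a host address to anyone who sees them.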


