What is the state of today's web browsers (Chrome, IE, Safari & Firefox) and their ability to create cryptographically strong UUIDs? In researching this question I have been unable to find anything definitive. I have e across info on stackoverflow and elsewhere that points to issues with Math.random but I would like to know what the current state of all this is.

UPDATE

As icktoofay pointed out, crypto.getRandomValues is the way to do this. Unfortunately, support across browsers is limited. Is there a proven way to work around this? Are there any javascript libraries that tackle this problem?

What is the state of today's web browsers (Chrome, IE, Safari & Firefox) and their ability to create cryptographically strong UUIDs? In researching this question I have been unable to find anything definitive. I have e across info on stackoverflow and elsewhere that points to issues with Math.random but I would like to know what the current state of all this is.

UPDATE

As icktoofay pointed out, crypto.getRandomValues is the way to do this. Unfortunately, support across browsers is limited. Is there a proven way to work around this? Are there any javascript libraries that tackle this problem?

• javascript
• google-chrome
• guid
• uuid

• 5 What do you mean by 'cryptographically strong UUID'? UUIDs aren't supposed to be cryptographically anything - they're meant to be unique. – user1864610 Commented Jan 19, 2014 at 4:03
• I am referring to the quality of the random number generator. Does it have enough entropy, is it crypto grade. – user1843640 Commented Jan 19, 2014 at 5:25
• In the context of UUIDs there's no requirement for randomness, just uniqueness. The two are not synonymous. – user1864610 Commented Jan 19, 2014 at 8:45

3 Answers 3

In browsers that have it, you can use crypto.getRandomValues to get cryptographically-secure pseudorandom values. For example:

var array = new Uint8Array(16);
crypto.getRandomValues(array);

You can then manipulate those bytes into a valid UUID.

Although this doesn't directly answer the original question, it might help someone looking for a library to help with UUID creation. For my current needs I have decided to use the node-uuid library. From the feature list:

• Generate RFC4122 version 1 or version 4 UUIDs
• Cryptographically strong random # generation on supporting platforms

Looking at the source it seems to acplish this by using crypto.getRandomValues which is what @icktoofay suggested.

Short answer, No! Long answer, http://www.matasano./articles/javascript-cryptography/

Trust me, I researched into this issue for a while. Crypto is experimental, and thus for the majority of browsers, it is a no. Node might however be better since it ties directly into the OS. You will need to research that though!