UUIDv7 in Postgres 18. With time extraction

https://www.thenile.dev/blog/uuidv7

54•sierikov•3h ago

Comments

Recursing•2h ago

Interesting comment from a previous thread on UUIDv7 in Postgres: https://news.ycombinator.com/item?id=39262286

jph•2h ago

We evaluated UUIDv7 and determined that it's unwise to use it as a primary key.

We have applications where we control the creation of the primary key, and where the primary key will be exposed to end users, such as when using a typical web app framework built with Rails, Phoenix, Loco, Laravel, etc. For these applications, UUIDv7 time is too problematic for security, so we prefer binary-stored UUIDv4 even though it's less efficient.

We also have applications where we control the creation of the primary key, and where we can ensure the primary key is never shown to users. For these applications, UUIDv7 is slower at inserts and joins, so we prefer BIGSERIAL for primary key, and binary-stored UUIDv4 for showing to users such as in URLs.

wpollock•1h ago

I wonder if the issue is with exposing internal IDs to end users. I'm sure the experts here have already thought of this, but could someone explain why using encryption or even an HMAC for external views of a primary key doesn't make sense? Maybe because the extra processing is more expensive than just using UUIDv4? Using a KDF such as argon2id on the random bits of a UUIDv7 seems like it might work well for external IDs.

(And why the heck are different types or variants of UUIDs called "versions"?)

gfody•37m ago

> but could someone explain why using encryption or even an HMAC for external views of a primary key doesn't make sense?

it does make sense and it's what you should do instead of using a UUID as PK for this purpose.

Hizonner•29m ago

Because now, for the rest of eternity, every single person who writes any code that moves data from this table to somewhere else, for any purpose, has to remember that the primary key gives away the creation time of something, which can potentially be linked to something else. A lot of people won't notice that, and a lot of people who do notice it will get the remediation wrong. And you can now forget using a simple view on the database to give any information to any person or program that shouldn't get the creation times.

You've embrittled your system.

kasperset•1h ago

Currently evaluating UUIDv7 as primary key for some inventory origin. I think it should be ok to use it for such use case since it will indicate the time of creation? Any thoughts?

gtowey•47m ago

You have to ask what problems exactly are you solving? Unless there is a compelling reason to use them, sticking with auto increment IDs is much simpler.

And I say this as someone who recently has to convert some tables from auto increment IDs to uuid. In that instance, they were sharded tables that were relying on the IDs to be globally unique, and made heavy use of the IDs to scan records in time order. So uuids solved both those problems.

wongarsu•1h ago

Deploying UUIDv7 certainly requires more thought about the implications. In many cases leaking the creation time of a key is completely fine, in some cases it isn't

An interesting compromise is transforming the UUIDv7 to a UUIDv4 at the API boundary, like e.g. UUIDv47 [1]. On the other hand if you are doing that you can also go with u64 primary keys and transform those

1: https://github.com/stateless-me/uuidv47

bricss•1h ago

If knowing IDs has a negative impact on security, then application system design is probably a trash.

bearjaws•57m ago

Yeah I am trying to imagine a universe where having the creation time of an item breaks your security model and every path I go down is that the system has terrible security.

Hizonner•20m ago

I know that the person I'm stalking created a pseudonymous account on service X around time Y. Based on other information, I have a limited number of suspect accounts. The creation time leaks to me, either via a bug which would otherwise have been harmless, or because somebody writing code "can't imagine a universe where having the creation time of an item breaks your security". I use the creation time to figure out which of my candidates is actually the target.

It took me under 15 seconds to come up with that.

dietr1ch•22m ago

The actual concern is privacy.

Privacy wise,

- Knowing sequential IDs leaks the rate of creation and amount of said entity which can translate in number of customers or rate of sales.

- Knowing timed IDs leaks activity patterns. This gets worse as you cross reference data.

- Random IDs reveal nothing.

---

Security wise,

- Sequential IDs can be guessed.

Performance wise,

- Sequential IDs may result in self-inflicted hotspots.

   - Spanner doesn't like  writing rows first keyed with timestamps, https://cloud.google.com/spanner/docs/schema-design#primary-key-prevent-hotspots.

- Random IDs lends themselves to sharding, but make indexing, column-compression, and maintaining order after inserts hard.

laughing_snyder•59m ago

Why would exposing any primary key be bad for security? If your system's security *in any way* depends on the randomness of a database private key, you have other problems. It's not the job of a primary key to add to security. Not to mention that UUIDv7 has 6 random bytes, which, for the vast majority of web applications, even finance, is more than enough randomness. Just imagine how many requests an attacker would need to make to guess even one UUID (281 trillion possible combinations for 6 random bytes, and he also would need to guess the unix timestamp in ms correctly). The only scenario I can think of is that you use the primary as a sort of API key.

Hizonner•34m ago

Because anything that knows the primary key now knows the timestamp. The UUID itself leaks information. It's not that it's not adding security. It's that it's actually subtracting security.

lucideer•28m ago

> leaks information

It would have to leak sensitive information to be "subtracting security", which implies you're relying on timestamp secrecy to ensure your security. This would be one of the "other problems" the gp mentioned.

atomicnumber3•15m ago

Pretty much any information can be used for something. You're ignoring everything they say about how something not critical to application security may still not be desirable to be leaked for other reasons. Example: Target and Walmart may not depend on satellites being unable to image their parking lots from the perspective of loss prevention or corporate security. But it still leaks information they may not want financial analysts to know about their performance.

btown•22m ago

One of the big things here is de-anonymization and account correlation. Say you have an application where users'/products' affiliation with certain B2B accounts is considered sensitive; perhaps they need to interact with each other anonymously for bid fairness, perhaps people might be scraping for "how many users does account X have onboarded" as metadata for a financial edge.

If users/products are onboarded in bulk/during B2B account signup, then, leaking the creation times of each of them with any search that returns their UUIDs, becomes metadata that can be used to correlate users with each other, if imperfectly.

Often, the benefits of a UUID with natural ordering outweigh this. But it's something to weigh before deciding to switch to UUIDv7.

sz4kerto•3m ago

Example: if user IDs are not random but eg Bigserial (autoincremented) and they're exposed through some API, then API clients can infer the creation time of said users in the system. Now if my system is storing eg health data for a large population, then it'll be easy to guess the age of the user. Etc. This is not a security problem, this is an information governance problem. But it's a problem. Now if you say that I should not expose these IDs - fine, but then whatever I expose is essentially an ID anyway.

moron4hire•58m ago

This is why the UUID versions should have been labeled by letter rather than number. Each UUID version doesn't replace the last. They do different things. The numbered versioning gives the impression that "higher numbers = better" and that's neither the case nor the intention.

gm678•1h ago

Does anyone know if there are any sorts of optimizations (either internally or available to the user) for a table with a UIIDv7 PK and a `date_created` column?

gfody•30m ago

various engines have what's called "fast key" optimization specifically for integer sequences - if you're testing performance between an int/serial pk and a uuid the impact is profound to digusting depending on the engine.

raminf•1h ago

One of the main points of using a UUID as a record identifier was to make it so people couldn't guess adjacent records by incrementing or decrementing the ID. If you add sequential ordering, won't that defeat the purpose?

Seems like it would be wise to add caveats around using this form in external facing applications or APIs.

Demiurge•1h ago

The next ID can't be found just by adding 1, can it? How would you guess the next value?

bearjaws•58m ago

There's still 62 bits of random data, even if you know the EXACT milisecond the row was created (you likely won't), you still need to do 1 billion guesses per second for 73 years.

Ideally you have some sort of rate limit on your APIs...

wongarsu•54m ago

UUIDv7 has a 48 bit timestamp, 12 bits that either provide sub-millisecond precision or are random (in pg they provide precision) and another 62 bits that are chosen at random.

The A UUIDv7 leaks to the outside when it was created, but guessing the next timestamp value is still completely unfeasible. 62 bits is plenty of security if each attempt requires an API request

Sj.h: A tiny little JSON parsing library in ~150 lines of C99

DXGI debugging: Microsoft put me on a list

The University of Oxford has fallen out of the top three universities in the UK

I forced myself to spend a week in Instagram instead of Xcode

LaLiga's Anti-Piracy Crackdown Triggers Widespread Internet Disruptions in Spain

Disk Utility still can't check and repair APFS volumes and containers (2021)

The link between trauma, drug use, and our search to feel better

The Beginner's Textbook for Homomorphic Encryption

A coin flip by any other name (2023)

Spectral Labs releases SGS-1: the first generative model for structured CAD

iFixit iPhone Air teardown

New thermoelectric cooling breakthrough nearly doubles efficiency

AI was supposed to help juniors shine. why does it mostly make seniors stronger?

Review: Project Xanadu – The Internet That Might Have Been

How to stop functional programming (2016)

Meta exposé author faces bankruptcy after ban on criticising company

Ultrasonic Chef's Knife

Show HN: Freeing GPUs stuck by runaway jobs

$2 WeAct Display FS adds a 0.96-inch USB information display to your computer

Writing a competitive BZip2 encoder in Ada from scratch in a few days – part 3

Liberté, égalité, Radioactivité

Extrachromosomal DNA–Driven Oncogene Evolution in Glioblastoma

UUIDv7 in Postgres 18. With time extraction

President Trump Signs Technology Prosperity Deal with United Kingdom

Hi No Youjin

Linux Ready to Upstream Support for Google's PSP Encryption for TCP Connections

Teardown of Apple 40W dynamic power adapter with 60W max

Gluco data handler: Receive and visualize glucose data on Android

The bloat of edge-case first libraries

Why, as a responsible adult, SimCity 2000 hits differently

Sj.h: A tiny little JSON parsing library in ~150 lines of C99

DXGI debugging: Microsoft put me on a list

The University of Oxford has fallen out of the top three universities in the UK

I forced myself to spend a week in Instagram instead of Xcode

LaLiga's Anti-Piracy Crackdown Triggers Widespread Internet Disruptions in Spain

Disk Utility still can't check and repair APFS volumes and containers (2021)

The link between trauma, drug use, and our search to feel better

The Beginner's Textbook for Homomorphic Encryption

A coin flip by any other name (2023)

Spectral Labs releases SGS-1: the first generative model for structured CAD

iFixit iPhone Air teardown

New thermoelectric cooling breakthrough nearly doubles efficiency

AI was supposed to help juniors shine. why does it mostly make seniors stronger?

Review: Project Xanadu – The Internet That Might Have Been

How to stop functional programming (2016)

Meta exposé author faces bankruptcy after ban on criticising company

Ultrasonic Chef's Knife

Show HN: Freeing GPUs stuck by runaway jobs

$2 WeAct Display FS adds a 0.96-inch USB information display to your computer

Writing a competitive BZip2 encoder in Ada from scratch in a few days – part 3

Liberté, égalité, Radioactivité

Extrachromosomal DNA–Driven Oncogene Evolution in Glioblastoma

UUIDv7 in Postgres 18. With time extraction

President Trump Signs Technology Prosperity Deal with United Kingdom

Hi No Youjin

Linux Ready to Upstream Support for Google's PSP Encryption for TCP Connections

Teardown of Apple 40W dynamic power adapter with 60W max

Gluco data handler: Receive and visualize glucose data on Android

The bloat of edge-case first libraries

Why, as a responsible adult, SimCity 2000 hits differently

UUIDv7 in Postgres 18. With time extraction

Comments