Editing Universally unique identifier (section)

==== Versions 3 and 5 (namespace name-based) ====

Version-3 and version-5 UUIDs are generated by [[Cryptographic hash function|hashing]] a [[namespace]] identifier and name. Version 3 uses [[MD5]] as the hashing algorithm, and version 5 uses [[SHA-1]].<ref name="RFC 9562" />

The namespace identifier is itself a UUID. The specification provides UUIDs to represent the namespaces for [[Uniform Resource Locator|URL]]s, [[fully qualified domain name]]s, [[object identifier]]s, and [[X.500]] [[LDAP|distinguished name]]s; but any desired UUID may be used as a namespace designator.

To determine the version-3 UUID corresponding to a given namespace and name, the UUID of the namespace is transformed to a string of bytes, concatenated with the input name, then hashed with MD5, yielding 128 bits.  Then 6 or 7 bits are replaced by fixed values, the 4-bit version (e.g. 0011<sub>2</sub> for version 3), and the 2- or 3-bit UUID "variant" (e.g. 10<sub>2</sub> indicating an RFC 9562{{r|RFC 9562}} UUIDs, or 110<sub>2</sub> indicating a legacy Microsoft GUID). Since 6 or 7 bits are thus predetermined, only 121 or 122 bits contribute to the uniqueness of the UUID.

Version-5 UUIDs are similar, but SHA-1 is used instead of MD5. Since SHA-1 generates 160-bit digests, the digest is truncated to 128 bits before the version and variant bits are replaced.

Version-3 and version-5 UUIDs have the property that the same namespace and name will map to the same UUID. However, neither the namespace nor name can be determined from the UUID, even if one of them is specified, except by brute-force search. RFC 4122 recommends version 5 (SHA-1) over version 3 (MD5), and warns against use of UUIDs of either version as security credentials.<ref name="RFC 4122" />