Client Server secure authentication (Can GUID, serial or MAC be read from web page?)

We are building a client server based application where clients are win 7/8 desktops connecting to a server on the internet to exchange data. This exchange can be the client needing to check some settings and mostly to send some data.

At the moment, we are using curl to send the data to a php app over https.

The problem is as follows.

We want to get some unique information from the client so that we can confirm its authentication now and then. This means that the client should send something like its GUID and/or system serial number.

Wondering if it would be possible to read a Windows GUID, and/or its system serial number and/or its MAC address from a web page? If so, we would have the user connect to a support page whenever needed so that we can verify some information including the above.

-Not exclusive to IE, meaning, firefox for example could work as well
-Not dependent on a browser extension
-User could agree or prevent the action

The second part of this question is about credentials. At the moment, we are using a name/password being sent over https using curl. The connection is also using a cert at both ends. However, managing certs is becoming a bit of a nightmare and much of what I have read on the internet says instead of using name/passwords, use certificates.

Therefore, I am trying to understand how we might be able to change our authentication method to use certificates, perhaps, instead of name/pass?

Another problem that we are having is that someone could copy the software running on one desktop to another desktop, and we need some way of preventing this from happening.

Not really sure how others deal with such issues so thought I would ask the pros.

Thanks.



Some system information can be found; for instance, Dell do it here, but it needs you to download some software first: http://www.dell.com/support/troubleshooting/us/en/555/ProductSelector/Select/Eula

Other information may be quite hard to retrieve, as there is a quite-understandable "air-gap" between the client PC itself and sending its information to the www.

However, you may want to look at a tool like BGinfo, which collates a whole range of desktop stats and then displays them on the PC desktop in a range of formats.
http://www.howtogeek.com/school/sysinternals-pro/lesson7/






Hi,

The first part of the question is that I need a way of creating/sending unique credentials on a win 7/8 machine. I need a way of preventing a piece of software being run on a desktop from being copied and run on another machine.
Can win7/8 desktop connect to a win server, a connection simply to create some sort of unique credentials for example?

The second part is looking to know if there is a better method of authentication than username/pass using curl; however, curl would still be the tool being used to connect to a php app.



1. You cannot read that kind of information from a web app without the use of some intermediate channel, like a Java applet or an ActiveX control, which have more access to the underlying system. You run into dependency issues that you didn't want, though.

2. Using client certificates IS the way to go here. Hardware can change over time, which can create a maintenance nightmare, too, and ultimately, that doesn't protect against replay attacks. Use client certificates to authenticate and keep using SSL/HTTPS with a valid certificate on the destination server.

A client certificate is just a file, so yes, it can be copied and someone else could then use it. That said, if a malicious user has access to the entire filesystem, then you are out of luck no matter what. That kind of access is going to allow a malicious user to circumvent just about any kind of authentication attempt you can throw at it.

Client certificate authentication is the best way to uniquely identify a user (you can use it WITH a username/password, too - it's not just one or the other), but you cannot forego the overall security of someone's machine or network.



All that said, if you're still worried about the filesystem-copying thing, about the only thing you can do is try and set up the originating application to read some kind of hardware ID (e.g. the hard drive serial number is pretty common), then store it on the server side and associate it to the public key for the user's client certificate. If the same client certificate is used with a different hardware ID, then it'll be up to you to manage that association (e.g. update it if the hard disk is swapped out legitimately).

However, no matter which way you go, a web page does not have access to that information. You'd need a more full-fledged client application to gain access to this information (e.g. on Windows, a C++ or C# program with access to the Win32 API), and it would differ based on operating system/platform. The only thing I can think of that would give the same information AND be cross-platform would be a Java applet, but I don't know offhand if it has access to that kind of info about the hardware.



Also, if someone can copy the originating filesystem and the client application is a web script, then that means that the new user could alter the code and choose to send a specific, known hardware ID instead of actually looking up that hardware ID. So again, access to the filesystem + client-side script = game over.
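As an added example (not code from this thread or from the poster's application), here is the enrolment and server-side check that the two answers above describe, done with the OpenSSL CLI: a private CA issues a client certificate per desktop, the server keys a registry on the SHA-256 of the certificate's public key (the SubjectPublicKeyInfo) and the hardware ID reported at enrolment, and a request whose key turns up with a different hardware ID is flagged rather than silently accepted. The file names, the CN and hardware-ID values, the registry layout and the curl URL are all assumptions made for the demo; the only real requirement is an installed `openssl` binary.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Assumes the OpenSSL CLI is installed
# and that the server fronting the PHP app requires client certificates signed by
# a private CA. All file names, identifiers and the registry layout are made up.
set -eu

WORK=${WORK:-$(mktemp -d)}
REGISTRY="$WORK/registry.txt"   # server side: "<spki-sha256> <hardware-id> <user>"
: > "$REGISTRY"

# One-off: the private CA whose signature the server accepts for client auth.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Client CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Per-desktop enrolment: key pair and CSR are made on the desktop, the CSR is
# signed by the CA. The private key stays on the desktop; only the CSR travels.
issue_client_cert() {   # $1 = common name, $2 = output path prefix
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$2.pem" >/dev/null 2>&1
}

# SHA-256 over the DER SubjectPublicKeyInfo: identifies the key pair, so it
# survives certificate renewal as long as the desktop keeps its key.
spki_fingerprint() {    # $1 = certificate PEM
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# What the TLS server does in the handshake: chain the presented cert to our CA.
verify_client_cert() {  # $1 = certificate PEM
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# Enrolment record: key fingerprint, the hardware id the client app reported at
# install time, and the user it belongs to.
enroll() {              # $1 = certificate PEM, $2 = hardware id, $3 = user
  printf '%s %s %s\n' "$(spki_fingerprint "$1")" "$2" "$3" >> "$REGISTRY"
}

# Server-side decision for one request carrying client cert $1 and a
# self-reported hardware id $2. Return codes: 0 accept, 1 reject, 2 flag.
authorize() {
  verify_client_cert "$1" || { echo "reject: certificate not issued by our CA"; return 1; }
  fp=$(spki_fingerprint "$1")
  entry=$(awk -v fp="$fp" '$1 == fp { print $2, $3 }' "$REGISTRY")
  [ -n "$entry" ] || { echo "reject: key $fp not enrolled"; return 1; }
  reg_hw=${entry%% *}; user=${entry#* }
  if [ "$reg_hw" != "$2" ]; then
    # Same key, different machine: a legitimate disk swap or a copied install.
    # Don't silently accept; route it to whoever manages the association.
    echo "flag: $user's key seen on $2, enrolled on $reg_hw"; return 2
  fi
  echo "accept: $user"
}

demo() {
  make_ca
  issue_client_cert desktop-0417 "$WORK/desktop-0417"
  enroll "$WORK/desktop-0417.pem" HW-SERIAL-ABC123 alice
  echo "# the desktop would then call, e.g.:"
  echo "# curl --cacert ca.pem --cert desktop-0417.pem --key desktop-0417.key https://api.example/upload"
  authorize "$WORK/desktop-0417.pem" HW-SERIAL-ABC123 || true   # accept
  authorize "$WORK/desktop-0417.pem" HW-SERIAL-XYZ789 || true   # flag (copied install?)
  # A self-signed cert with the right CN is still rejected: it does not chain to the CA.
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=desktop-0417" \
    -keyout "$WORK/fake.key" -out "$WORK/fake.pem" >/dev/null 2>&1
  authorize "$WORK/fake.pem" HW-SERIAL-ABC123 || true            # reject
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `bash clientcert.sh demo`. On the PHP side behind Apache mod_ssl with `SSLVerifyClient require` and `SSLOptions +ExportCertData`, the handshake result and the PEM certificate arrive as `$_SERVER['SSL_CLIENT_VERIFY']` and `$_SERVER['SSL_CLIENT_CERT']`, which is where the `authorize` lookup would live. The hardware ID still comes from the client's own report, which is exactly the point made above: a copied install whose client code has been altered can report whatever ID it likes, so the flag is a signal to investigate, not proof of anything on its own.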
