Device Fingerprinting


I have a web application and I need to uniquely identify every client system (aka device fingerprinting) that accesses my application. The device fingerprint should be made such that even when the user changes a few attributes wrt his system, uses a new browser or alters any other info, I should still be able to identify the device with confidence.

I have read a lot of articles about device fingerprinting and could see some commercial solutions available to achieve the same, but I wish to integrate it into my system without having to incur that cost. Moreover, reading over the internet, it seems that browser fingerprinting alone cannot suffice for this purpose and I have to capture some other details specific to the user machine. Running an applet can be a workaround, but that will prompt the user every time he comes to my website and can slow things down for him as well.

The application is written in Java and the users are authenticated before they can access the system.

Any points on this problem would be highly appreciated.

btan (Exec Consultant) commented:
Ideally the fingerprinting can be most unique with hardware identification, which can include machine, disk and other device UUIDs (e.g. network card) and serial numbers, to the extent of even grabbing available security embedded h/w such as a TPM-related unique id, if possible. Understand that it is not foolproof but thought it will not be those that change often if we target a specific platform. E.g. for Windows, it has Win32_EncryptableVolume WMI provider scripts.

The more common way is using active script such as JavaScript, Applet or ActiveX (plugin of browser) to run a check on the computed fingerprint, which can be a unique hash of a combination of device information. For example, the screen resolution, IP address and web browser user-agent can be concatenated and hashed using a hashing algorithm such as SHA. But of course, we may substitute any entity that is subject to change. They can be limited due to the restrictions imposed by system security policy, e.g. disabling active scripting. Maybe signed and safe object scripting can give a better chance...

But I am wondering if it is an enterprise organisation deployment, where the machines tend to be cloned and the baseline is the same. There can be false positives in the checking, and probably a fair profiling stage needs to be done first before the actual verification of uniqueness. I heard of evercookie, which attempts to persist (as long as possible), and it can be of use for your web application to place some unique (protected) id in the machine.

Maybe the key is to place your web ID (computed on what you know) and use it as a reference check instead. Of course it will not be totally unique, but minimally it is one of the machines that the appl has profiled previously. I tend to see it like a licensing scheme to restrict deployment (but it will require the user to accept this scheme; we do not want to unintentionally misinform them that the appl is doing something to spy on them).

Hope it helps
Well, the Uniloc / Softanchor product really is the way to go.  In fact, you would be hard-pressed to find an alternative digital fingerprinting solution that is married to the hardware.

You pretty much have to go with it unless you introduce a dongle or some other hardware you bundle. The owner got a patent shortly after the IBM PC came out to differentiate them with hardware. Microsoft even lost to them, and that is why MSFT changed their licensing for Office & operating systems a few years ago.

My advice is that if Microsoft had to move away from hardware fingerprinting and pay those guys a half billion dollars and redo all of their licensing, then you reconsider. What you are attempting most likely is patent infringement.
In a nutshell, if you are trying to uniquely identify a PC by querying things unique to the machine, such as cpu speed, memory, disk serial numbers, etc ... then creating a hash and/or an encrypted representation and keying off of it, then it will be patent infringement.

You are free to query combinations of software settings like operating system/patches;  any software configurable setting,  cookies, obviously.

Now I volunteer I am biased towards patent holders, as I have one myself in this area of uniquely identifying a machine, so I speak from experience here on what you can and can't do, and have even been an expert witness in this area in only a 9-figure lawsuit.   Please take my advice.  License patented technology or go without.  

jaingaa (Author) commented:
I am not trying to do any patent infringement. All I am interested in knowing is whether there is some useful information from TCP/IP packets which can be used to generate a matrix to identify a returning machine with a good level of confidence. Cookies are definitely a way to do it, but this would be good enough only for the authentic users. Fraudsters can easily get away with that.

Also, I would like to know a way to understand if my website is being hit from an IP which is hiding behind a proxy. If somebody can suggest some approach towards that or some sample code that can help achieve that, that would be helpful too.
Then that is a very different problem.   You don't really need to identify a particular piece of equipment, you need to identify a specific instance of an operating system.  Also if you did go down the path of trying to identify the hardware .. let's assume for the moment no intellectual property issue.

Then somebody like me could defeat you in a heartbeat with a matter of minutes (I don't care to put that technique out there in a public forum, but if you really want to know how then contact me via my profile and I'll share how easy it would be for what you are trying to do).

Anyway you don't need a huge applet.  
You could generate a public/private key first time they attach and use cookies to identify sessions.  Is the IP number at that time as part of the encryption along with the UTC time.  If they intercept & clone the information, it would be too late as your back-end server would always change it.   Make sure cookies are unique
jaingaa (Author) commented:
dlethe - Thanks for reverting back.
Agreed that I can track returning devices using cookies, but cookies are not reliable at all and can be easily tampered with. I am looking for something which can identify a device (all kinds of computer, mobile, iPad etc.) with a good level of confidence. Unless I get some of the hardware info (which I thought I could get by sniffing through the TCP/IP packets), the fingerprint won't be reliable and the user can easily play with that. I need to have this solution support all browser types and all OS's.

I need to know what info in these packets is of use and how I can get that info through my Java code.
You own the web server, so you are delivering the content, any content, and have a real-time clock that can't be tampered with.  You also have ability to send out unique encrypted tokens that have a time-stamp that are good JUST for that session.  

You could access the serial # of their O/S, a public/private key.    You could add session information and detect if same account is logging on elsewhere

If you identify hardware via querying serial #s make/model, etc, then you violate the patent.  You just can't do that w/o infringing.
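
The following Java example is added here and is not code from any participant in this thread. It combines two suggestions made above: hashing a set of client attributes with SHA, and having the server issue a protected, time-stamped ID cookie that it verifies on return; it uses an HMAC-SHA256 tag for tamper protection rather than encryption. The class name, key, attribute values and device id are constructed assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class DeviceToken {
    // Constructed demo key (assumption); a real deployment loads this from a key store.
    static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
    static final long MAX_AGE_MS = 30 * 60 * 1000L; // token lifetime: one 30-minute session
    static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }

    // SHA-256 over length-prefixed attributes, so ("ab","c") and ("a","bc") hash differently.
    static String fingerprint(String... attrs) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (String a : attrs) {
            byte[] v = a.getBytes(StandardCharsets.UTF_8);
            md.update((v.length + ":").getBytes(StandardCharsets.UTF_8));
            md.update(v);
        }
        return b64(md.digest());
    }
    static String hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return b64(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }
    // Cookie value: deviceId.fingerprint.issuedAt.mac (deviceId must not contain '.').
    static String issue(String deviceId, String fp, long nowMs) throws Exception {
        String body = deviceId + "." + fp + "." + nowMs;
        return body + "." + hmac(body);
    }
    // Returns the device id if the token is authentic, fresh and bound to currentFp; otherwise null.
    static String verify(String token, String currentFp, long nowMs) throws Exception {
        String[] p = token.split("\\.");
        if (p.length != 4) return null;
        byte[] expected = hmac(p[0] + "." + p[1] + "." + p[2]).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, p[3].getBytes(StandardCharsets.UTF_8))) return null;
        if (nowMs - Long.parseLong(p[2]) > MAX_AGE_MS || !p[1].equals(currentFp)) return null;
        return p[0];
    }
    public static void main(String[] args) throws Exception {
        long t0 = 1_700_000_000_000L; // constructed clock value
        String fp = fingerprint("Mozilla/5.0 (constructed UA)", "1920x1080", "203.0.113.7");
        String tok = issue("3f2c9a1e-constructed-id", fp, t0);
        System.out.println(verify(tok, fp, t0 + 1000));                   // untouched token, same attributes
        System.out.println(verify(tok + "x", fp, t0 + 1000));             // tampered token
        System.out.println(verify(tok, fingerprint("other"), t0 + 1000)); // attributes changed
        System.out.println(verify(tok, fp, t0 + MAX_AGE_MS + 1));         // past its lifetime
    }
}
```

Because the fingerprint is a single hash, any change to one attribute (a new IP address, for instance) invalidates the token, which is why attributes that change often are poor inputs.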

btan (Exec Consultant) commented:
I am also thinking that checking for the presence of a Virtual Machine can be useful, but that would be dependent on the script running in a specific OS.
jaingaa (Author) commented:
breadtan - I shall accept your answer, though all these things I am already aware of, but the links you have provided may help with my research further.

I understand that device identification is currently a difficult task and all the solutions that exist currently are patented or commercial solutions. I assume that even they would be using a mix of browser fingerprinting, applets, hardware fingerprinting etc. to come to the device id, which would again have a 90% success rate.

In case you come up with more ideas/solutions on this, I would be happy to hear your advice.

Question has a verified solution.
