
Client Server secure authentication (Can GUID, serial or MAC be read from web page?)

projects asked
We are building a client/server-based application where the clients are Win 7/8 desktops connecting to a server on the internet to exchange data. This exchange can be the client needing to check some settings, and mostly to send some data.

At the moment, we are using curl to send the data to a php app over https.

The problem is as follows.

We want to get some unique information from the client so that we can confirm its authentication now and then. This means that the client should send something like its GUID and/or system serial number.

Wondering if it would be possible to read a Windows GUID, and/or its system serial number and/or its MAC address from a web page? If so, we would have the user connect to a support page whenever needed so that we can verify some information, including the above.

-Not exclusive to IE, meaning, firefox for example could work as well
-Not dependent on a browser extension
-User could agree or prevent the action

The second part of this question is about credentials. At the moment, we are using a name/password being sent over https using curl. The connection is also using a cert at both ends. However, managing certs is becoming a bit of a nightmare and much of what I have read on the internet says instead of using name/passwords, use certificates.

Therefore, I am trying to understand how we might be able to change our authentication method to use certificates, perhaps, instead of name/pass?

Another problem that we are having is that someone could copy the software running on one desktop to another desktop. We need to prevent this from happening, so we need some way of preventing it.

Not really sure how others deal with such issues so thought I would ask the pros.


Danny Child, IT Manager

Some system information can be found. For instance, Dell do it here, but it needs you to download some software first:

Other information may be quite hard to retrieve, as there is a quite understandable "air gap" between the client PC itself and sending its information to the www.

However, you may want to look at a tool like BGinfo, which collates a whole range of desktop stats and then displays them on the PC desktop in a range of formats.



The first part of the question is that I need a way of creating/sending unique credentials on a Win 7/8 machine. I need a way of preventing a piece of software being run on a desktop from being copied and run on another machine.
Can a Win 7/8 desktop connect to a Windows server, simply to create some sort of unique credentials, for example?

The second part is looking to know if there is a better method of authentication than username/pass using curl; however, curl would still be the tool used to connect to the PHP app.

1. You cannot read that kind of information from a web app without the use of some intermediate channel, like a Java applet or an ActiveX control, which have more access to the underlying system. You run into dependency issues that you didn't want, though.

2. Using client certificates IS the way to go here. Hardware can change over time, which can create a maintenance nightmare, too, and ultimately, that doesn't protect against replay attacks. Use client certificates to authenticate and keep using SSL/HTTPS with a valid certificate on the destination server.

A client certificate is just a file, so yes, it can be copied and someone else could then use it. That said, if a malicious user has access to the entire filesystem, then you are out of luck no matter what. That kind of access is going to allow a malicious user to circumvent just about any kind of authentication attempt you can throw at it.

Client certificate authentication is the best way to uniquely identify a user (you can use it WITH a username/password, too - it's not just one or the other), but you cannot forego the overall security of someone's machine or network.

All that said, if you're still worried about the filesystem-copying thing, about the only thing you can do is try and set up the originating application to read some kind of hardware ID (e.g. hard drive serial number is pretty common), then store it on the server side and associate it to the public key for the user's client certificate. If the same client certificate is used with a different hardware ID, then it'll be up to you to manage that association (e.g. update it if the hard disk is swapped out legitimately).

However, no matter which way you go, a web page does not have access to that information. You'd need a more full-fledged client application to gain access to this information (e.g. on Windows, a C++ or C# program with access to the Win32 API), and it would differ based on operating system/platform. The only thing I can think of that would give the same information AND be cross-platform would be a Java applet, but I don't know offhand if it has access to that kind of info about the hardware.

Also, if someone can copy the originating filesystem and the client application is a web script, then that means that the new user could alter the code and choose to send a specific, known hardware ID instead of actually looking up that hardware ID. So again, access to the filesystem + client-side script = game over.


You gave me the answer(s), which seems like it should have been so evident.

The clients do use self-signed HTTPS and certs to connect to the server, and there is a two-step authentication process.

The software will update its certs every now and then.
The software will use the hardware key as part of the two-step auth process.

The software will watch for multiple connections based on location and using the same credentials, and if any show up, everyone using those accounts would be suspended instantly by the software. The owner will have to call in for support.

Thank you so much, all that info helped a great deal.
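The server-side half of what the expert describes above (tie each client certificate to a hardware ID and watch for the same certificate turning up with a different ID) and of the asker's plan (suspend an account that is used from several locations with the same credentials), as an added example that is not code from the original thread or from either participant. The thread's server is a PHP app; the logic is shown here in Python and ports directly. Everything not stated on the page is an assumption: that the TLS front end (Apache mod_ssl, nginx or similar) has already verified the client certificate against your own CA and hands the application either the certificate PEM or its fingerprint; that the installed client sends its hardware ID (e.g. a disk serial) in the request body; and all class, method and sample values (fingerprint, disk serials, network ranges) are invented for illustration.

```python
"""Bind a client certificate to a hardware ID and flag multi-location use.

Added example for this thread, not the poster's or the expert's code.
Assumptions (not from the page): the TLS layer has already validated the
client cert against your CA; it passes the app the cert PEM or fingerprint;
the client sends its hardware ID in the request body. All names are invented.
"""
import hashlib
import ssl
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


def normalize_fp(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex (as nginx/Apache/openssl
    variously print it) and return lowercase hex without separators."""
    return "".join(fp.split()).replace(":", "").lower()


def fingerprint_from_pem(pem: str) -> str:
    """SHA-256 over the DER certificate, e.g. from Apache's SSL_CLIENT_CERT."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


@dataclass
class Enrollment:
    account: str
    hardware_id: str  # e.g. disk serial read by the installed client program


class AccessGuard:
    """Decides whether one request, already authenticated by cert, is served."""

    def __init__(self, window_seconds: int = 600) -> None:
        self.window = window_seconds
        self.by_fp: Dict[str, Enrollment] = {}
        self.suspended: Set[str] = set()
        # account -> [(timestamp, location)] observed inside the window
        self.recent: Dict[str, List[Tuple[float, str]]] = {}

    def enroll(self, account: str, fingerprint: str, hardware_id: str) -> None:
        """Run once at install time: ties the cert to the machine it was issued to."""
        self.by_fp[normalize_fp(fingerprint)] = Enrollment(account, hardware_id)

    def rebind(self, account: str, new_hardware_id: str) -> None:
        """Support-desk action after a legitimate disk swap; also lifts a suspension."""
        for e in self.by_fp.values():
            if e.account == account:
                e.hardware_id = new_hardware_id
        self.suspended.discard(account)
        self.recent.pop(account, None)

    def check(self, fingerprint: str, hardware_id: str, location: str, now: float) -> str:
        """Return 'ok' or 'reject:<reason>' for one request."""
        e = self.by_fp.get(normalize_fp(fingerprint))
        if e is None:
            return "reject:unknown-certificate"  # CA-valid cert, but never enrolled
        if e.account in self.suspended:
            return "reject:suspended"
        if hardware_id != e.hardware_id:
            # Cert file copied to another box, or a disk swap support was not told about.
            return "reject:hardware-mismatch"
        hist = self.recent.setdefault(e.account, [])
        hist.append((now, location))
        hist[:] = [(t, loc) for t, loc in hist if now - t <= self.window]
        if len({loc for _, loc in hist}) > 1:
            # The asker's rule: same credentials from two places -> suspend, call support.
            self.suspended.add(e.account)
            return "reject:suspended"
        return "ok"


if __name__ == "__main__":
    # Constructed sample values, not real certificates or serial numbers.
    FP = ("3F:A1:00:5C:7E:21:9B:D4:66:0E:8A:13:F7:4D:2B:C9:"
          "90:55:AE:3C:11:68:DB:07:E2:4F:B6:8D:35:C0:79:1A")
    guard = AccessGuard(window_seconds=600)
    guard.enroll("acme-site-01", FP, "WD-WCC4E1234567")
    print(guard.check(FP, "WD-WCC4E1234567", "203.0.113.0/24", 1000.0))  # ok
    print(guard.check(FP, "ST-Z9X1234", "203.0.113.0/24", 1001.0))       # hardware-mismatch
    print(guard.check(FP, "WD-WCC4E1234567", "198.51.100.0/24", 1002.0))  # suspended
```

Two practical notes. Use a coarse location (a /24, an ASN or a geo-IP region, as in the sample) rather than the raw source address, or dynamic IPs and laptops that roam will suspend legitimate accounts. And, as the expert says, the hardware-ID check only stops a naive copy of the files: a client that has been modified to send a known ID sails through, so treat a mismatch as a support event rather than a security boundary.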

You might also consider using a hardware multi-factor authentication process like Yubikey, if you can afford it. That way, you're not dealing with trying to read the underlying hardware, the key itself is just a USB dongle that can be moved to a new computer if necessary, but it's not going to be part of the copied filesystem. And it's cross-platform and can work in web pages, since all it does is act as a special keyboard that types out a valid authentication token when you press the button.

Downside, of course, is cost. You have to buy a Yubikey token for each person, ship them if necessary, and handle ongoing maintenance, but it would at least protect you from the copied-filesystem thing.


Not only is a purchase out of the question because it would take time to mail those out, but also, the data is not financial or anything all that important. We just want to keep track of it as best we can.


Any chance that you might know of some html code which would allow the client to click and view their own MAC address? In other words, it would not be pulled by the web site but displayed to the user so that s/he can simply cut/paste it onto the web site.

No, it's a little more complicated, usually.

1. You have to consider that one PC might have multiple MAC addresses, depending on how many hardware and virtual network devices they have.

2. You can drop into a command prompt and run ipconfig /all to get all the information about your current network devices, including any MAC addresses, but that means the user has to find the address among all the other information, and then paste it in.

3. There's nothing to prevent a user from saving the MAC address in a text file somewhere and then copying and pasting from there, at which point any user could put ANY address they want into the form. So even if they moved machines, they could still type in the same MAC, even though it would be incorrect.

Any measure that relies on user input is going to be problematic.


Doesn't matter, we just wanted the MAC of a NIC, any NIC, the first one. We just need something unique about it to put together an install process.

Yes, anyone can re-create practically anything we put together but I think we've figured out a few surprises so that if they fake stuff, it will only last so long.

Thanks again.