1

We have to build a product that will have a network. Users will be able to connect to this network by downloading a client. However, before allowing them to access the network we want to check if their hardware, for instance, supports certain characteristics.

I had thought that by sending to our server the result of a test, which looks for these hardware characteristics, and its hash, both of them encrypted, it could be enough. However, I fear that this result could be "injected", and thus we would be fooled into thinking that he/she has the correct hardware.

On the same wavelength, I might want to check that the client has not been manipulated, using, for example, a hashing algorithm. I think that we face a similar problem that in the hardware check scenario.

eversor
  • 924
  • 4
  • 8
  • 22

2 Answers2

3

So in terms of gaming companies blocking illegal software, as @lucaskauffman and @terrychia mention in commments this is typically done by the company issuing license keys to each user and then doing an online check during installation/operation that the key is only used in one place and is a valid key.

If you're looking at restricting access to a system based on hardware characteristics or perhaps installed software/configuration that sounds more like a job for Network Access Control (NAC) style systems.

They typically work by deploying an agent to each client which then runs a series of checks returning the result to network hardware that then only allows access to the network if the result is as expected.

A big warning with this kind of system is that a determined attacker will likely be able to bypass it. The security adage is that once the attacker has control of the hardware (in this case the client) they can usually bypass controls deployed to it.

It's not to say that it's not a good control, but that it's only effective in some situations and against some classes of attacker.

Rory McCune
  • 61,541
  • 14
  • 140
  • 221
1

There's a pretty good rule to keep in mind here:-

Using only client sided validation never works. https://stackoverflow.com/questions/3531968/why-is-client-side-validation-a-security-risk-as-opposed-to-server-side-validati

Therefore, if you ask only a client based software to check for authenticity of hosts, it will never work (with or without things like hash checks). We can discuss that in comments or the chat room. ;)

We therefore more onto concepts where authentication is handled at a remote server which is considered secure from the attacker.

Next up are Network Access Control (NAC) related solutions which are good for most applications but like almost everything is security can't give you a one-step solution. They have the advantage of often not requiring client sided software installations. Try PacketFence: http://www.packetfence.org/home.html

Most solutions wherein software can be installed on a client's computer involve giving users unique access credentials which are then verified for integrity on the server. Simultaneous use of one set of credentials is not permitted and is detected via two concurrent sessions by the same user ID by the session management module.

This works fine unless you want user access credentials tied to a PC. In that case, there is no definitive solution I know of. Administrators rely on things such as the user is not having the know-how to clone the OS image or to steal and then spoof the MAC.

By implementing multiple such checks and keeping logs along with that, potentially adventurous troublemakers can be caught as the learn how to circumvent the system.

Rohan Durve
  • 2,321
  • 16
  • 19