-3

I have a .NET client app and a PHP server web app.

At some point, the .NET app will have to be identified by a unique id and pass that data to the webserver by http post. The web server will respond with some data and store the unique id in a database.

Assume that I have a malicious user and I would like to ban him by the unique id. So in my opinion there are two important things about this unique id:

  • The unique id has to be really unique and always the same per computer
  • A user should not be able to trick the system (a banned user could generate a new id and post it manually to the web server to receive new data)

How can I make sure that the unique id cannot be (easily) generated by a user?

How can I make sure that the unique id can be verified on the server for validity?

What is the usual approach (algorithms, encryptions?) here?

andreas
  • 7,844
  • 9
  • 51
  • 72
  • Yes, but even the most basic algorithms already prevent most people from faking your ids. :-) – andreas Jun 03 '14 at 23:48
  • You can store a hash of the mac address but there are ways to spoof those. – Dave S Jun 03 '14 at 23:48
  • @DaveS: a single IP Address can span a complete network, so the 'always the same per computer' is not really working out here (apart from possible spoofing). – ChristopheD Jun 03 '14 at 23:50
  • Generate an id (like UUID), store it somewhere on the computer in an encrypted form, include a seed in your code then transmit a hash of the id with the seed to your server, requiring every call to include that hash along with some other component which you also include in the hash to verify. –  Jun 03 '14 at 23:51
  • I thought about that. Generate a uuid, hash it with some custom salt which only I know and the user cannot easily find out? – andreas Jun 03 '14 at 23:52
  • You need to then have an identifier. The hash is essentially a password. Create a "username", per se, to include in the hash and send along with it. –  Jun 03 '14 at 23:54
  • 1
    Yes this is true christopheD but there really isn't a solution that perfectly meets his criteria as far as I know. Assuming you want to allow new users to make accounts freely. Anything stored locally can be removed and all identifying information can be changed. Edited the comment regardless. – Dave S Jun 03 '14 at 23:55
  • "A user should not be able to trick the system (a banned user could generate a new id and post it manually to the web server to receive new data)" -- it's that that truly kills this question... a banned user is not always a typical "most people"... they have something to prove. –  Jun 03 '14 at 23:56
  • True, I realize that there is no ideal solution, but maybe there are some good ones? That is why I asked here to find some ideas. I think it's weird to get downvoted on interesting questions and upvoted on noobish 1-line-questions "how to code this". – andreas Jun 04 '14 at 00:05
  • I'm not completely sure why you think your question is "interesting" - topics on licensing and generating "machine specific ID" are discussed many times and your post show zero research on previous art... Note that your last remark in the post "...encryption?)" potentially shows that you don't understand relation between security, authentication and crypto... – Alexei Levenkov Jun 04 '14 at 16:09

2 Answers2

3

Create UUIDs for all apps and store them into databases after verification and delete/ban/flag UUIDS so they cannot be used again

UUIDs in MYSQL :

http://dev.mysql.com/doc/refman/5.0/en/miscellaneous-functions.html#function_uuid

also available in postgres and other RDBMS storage

I have created 10 million lists with uuids multiple times and never once had a collision.

Dan
  • 3,755
  • 4
  • 27
  • 38
  • Not downvoting (since it is not easy to pass) but this does not fulfill the `The unique id has to be really unique and always the same per computer` requirement. – ChristopheD Jun 03 '14 at 23:54
  • from my link - "A UUID is designed as a number that is globally unique in space and time. Two calls to UUID() are expected to generate two different values, even if these calls are performed on two separate computers that are not connected to each other." Other than that, i dunno what the OP means... if he can clarify, i can expand my answer as well – Dan Jun 03 '14 at 23:55
  • 1
    Doesn't uuid() always generate a new unique id? So that wouldn't solve my problem. – andreas Jun 03 '14 at 23:56
  • you generate the uuid ONLY after verification with the app? store it, and pass it along with the creds used for that app - this discussion is turning into programming 101 - cant help there, answered the UUID issue which i thought was the main issue – Dan Jun 03 '14 at 23:57
  • Sorry, I probably should not have called it uuid, but just uid. – andreas Jun 03 '14 at 23:57
  • @Dan. A banned user can deinstall the app, easily get a new id and reconnect to the server, but that is not what I want (see problem description). – andreas Jun 04 '14 at 00:00
  • @andreas upon verification request IP address, store it, request his name, phone number, mothers maiden name, his first preschool teacher, w/e, if another app tries to install, check against banned creds? I mean, Adobe and MS cant keep their software hack proof - you think every developer on SO has a LEGIT copy of dreamweaver, or is using a paid version of Sublime Text? These are methods to prevent common and easy misuse of your app - deterents, etc - to push hackers away from you and onto easier theft projects – Dan Jun 04 '14 at 00:05
  • [have you tried Guids](http://stackoverflow.com/questions/1705008/simple-proof-that-guid-is-not-unique) – MustangManiac Jun 04 '14 at 00:17
0

Okay so here I summarize:

  • Of course there is no perfect security system. Jeremy Miller
  • Dan's answer is not correct because a MySql UUID is not device dependant and so not fulfilling the condition "the id should be the same per computer"
  • I should generate an id (like UUID), store it somewhere on the computer in an encrypted form, include a seed in your code then transmit a hash of the id with the seed to your server, requiring every call to include that hash along with some other component which you also include in the hash to verify. Jeremy Miller
  • This approach is not fool proof because everything stored locally can be removed but at least it is hard to guess a valid generated hash
andreas
  • 7,844
  • 9
  • 51
  • 72