I'm working on a network product that has proprietary protocol connecting to remote server. The server grant permissions to the agent if the machine comply with some security standards (i.e. whether it has disk encryption activated, anti-virus installed, etc..). Those are written in a report that the agent generates from time to time.
I'd like to be able to verify the authenticity of the agent against other tools that may mimic the client-server protocol, impersonate to the agent, and generate fake security report to get the relevant permissions from the server.
Basically, for legitimate local user with root privilege there's no hermetic solution, since he may sniff the network traffic unencrypted, and he also have access to the machine key-store/key-chain, so he may use it to sign with the product signature.
I was thinking of using some rotating key method that after each signed report it produces, it invalidate the current key and generate another key that part of it is stored only within the process internal memory to harden the impersonation challenge (hard to sniff there).
Is there any such algorithm for rotating key exist, are there any other methods worth trying for this problem ?
Thanks
