
My current business model takes a loss up front on hardware in the hope that the service will be paid for continuously. When the service is not paid for, instructions are sent to the client hardware to stop functioning.

I want to find a way to decrease the chances that someone sets up a rogue server to keep the client hardware functioning even though it has not been paid for. This has the added benefit of ensuring that rogue servers are not set up simply to take over client machines for malicious purposes.

In a very simple attempt to get the ball rolling I have set up the following "system":

  1. Hardware-based serial numbers are collected from the client machine before deployment and are combined, through encryption, with 2 pieces of information known to the server.

  2. The encrypted value is stored on the client machine.

     2a. The 2 pieces of information are always known to the server.

  3. When the client first connects to the server it passes the hardware serial to the server.

  4. The serial is combined with the information and encrypted.

  5. The encrypted value is passed back to the client to see if it matches the stored value.

This system seems to work, but I would not be here asking if it is valid if I thought it was the best solution to my problem.

mrhobbeys
  • Maybe you are looking for IPSec? Or SSL? Perhaps you should describe what is actually going on here. – Michael Hampton May 19 '13 at 14:34
  • SSL is a well-established method to do secure communication. Why not simply use this? – Sven May 19 '13 at 14:34
  • How is what you're describing going to protect against theft of hardware? – GregD May 19 '13 at 14:39
  • GregD, I was thinking the server is sending the client a message to say "keep on working". Also, because the service/client depends on constant updates of new information, when the client can no longer connect to a trusted source it stops working. – mrhobbeys May 19 '13 at 17:50
  • I have re-asked the question to hopefully clear up the confusion. – mrhobbeys Sep 20 '13 at 14:28

2 Answers


Hardware serial numbers can be easily spoofed, so that's not a reliable authentication measure.

I think you're thinking about this too hard - there are already very well-established methods to do just this, namely SSL, or more broadly, RSA public key authentication. If you use strict key fingerprint verification, then that's all you need to establish both client and server identity.

EEAA
  • The fingerprint verification seems like the right answer, but I have rewritten my question; would you be so kind as to reread it and possibly reopen it? – mrhobbeys Sep 20 '13 at 14:29

I want to find a way for client machines to authenticate that they are talking to the correct server, not something hijacked, or just the wrong product server.

Client and server certificate authentication can do this.

Would this protect against rogue instructions?

You're not clear on what this means. "Rogue instructions" isn't an industry standard term. If you're asking if it will keep accidental commands from being run by a trusted computer, then no. Harden your application to discard dangerous/malicious commands.

Is this going to be enough to protect against theft of hardware if the client is always looking for a "goodboy" message from the server?

No. If your service is that sensitive, do client certificate authentication and put it behind a VPN that requires two-factor authentication in addition to using public key crypto like @EEAA recommends. Something like an RSA token or a smartcard in addition to login credentials should prevent a stolen laptop from connecting to your service. Also consider doing whole disk encryption on mobile computers that are vulnerable to theft, so that a thief cannot even get into the computer in the first place.

MDMarra
  • When I was saying "rogue instructions" I was thinking of someone who had taken the hardware and wanted to try and figure out a way to make their own server. I am sorry, I do not know what that would be called. Use of a VPN actually would solve several problems; I had not considered it at all till now. Also, whole disk encryption is another thing I had just not thought about using. Thank you, these suggestions are a huge help! – mrhobbeys May 19 '13 at 17:21
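Both answers above recommend certificate-based mutual authentication with strict fingerprint (pin) checking in place of the serial-number scheme in the question. The Go program below is an added example, not code from either answer or from the questioner's system: it generates two self-signed certificates in memory, runs a TLS server that admits only the pinned client certificate, runs a client that admits only the pinned server certificate, and then shows a second "rogue" server that presents the same name but a different key being rejected. The certificate names, the "keep-working" message, the loopback port and the use of a raw SHA-256 fingerprint as the pin are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"time"
)

// newCert builds a self-signed certificate for cn (assumed name, demo only) and
// returns it with the SHA-256 fingerprint of its DER encoding, the value each
// side pins. In a deployment the fingerprint is burned in at provisioning time.
func newCert(cn string) (tls.Certificate, [32]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, [32]byte{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, [32]byte{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, sha256.Sum256(der), nil
}

// pinVerifier returns a TLS callback that accepts a peer only if its leaf
// certificate hashes to want. Identity is the pinned key itself, so a
// certificate carrying the same name under a different key is rejected.
func pinVerifier(want [32]byte) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("peer sent no certificate")
		}
		if sha256.Sum256(rawCerts[0]) != want {
			return errors.New("peer certificate does not match pinned fingerprint")
		}
		return nil
	}
}

// exchange performs one mutually authenticated round trip over loopback: the
// server admits only the pinned client, the client admits only the pinned
// server, and the server's "keep-working" message (assumed) is returned.
func exchange(srv, cli tls.Certificate, srvPin, cliPin [32]byte) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates:          []tls.Certificate{srv},
		ClientAuth:            tls.RequireAnyClientCert, // mandatory, then checked by the pin
		VerifyPeerCertificate: pinVerifier(cliPin),
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		c.Write([]byte("keep-working")) // first Write runs the server handshake
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates:          []tls.Certificate{cli},
		InsecureSkipVerify:    true, // no CA chain here: trust comes from the pin, not a name
		VerifyPeerCertificate: pinVerifier(srvPin),
	})
	if err != nil {
		return "", err // rogue server: pin mismatch aborts the handshake
	}
	defer conn.Close()
	msg, err := io.ReadAll(conn)
	return string(msg), err
}

func main() {
	srv, srvPin, _ := newCert("service.example")
	cli, cliPin, _ := newCert("client-0001")
	rogue, _, _ := newCert("service.example") // same name, attacker's own key
	msg, err := exchange(srv, cli, srvPin, cliPin)
	fmt.Printf("genuine server: %q err=%v\n", msg, err)
	msg, err = exchange(rogue, cli, srvPin, cliPin)
	fmt.Printf("rogue server:   %q err=%v\n", msg, err)
}
```

The pin replaces CA validation entirely (hence `InsecureSkipVerify` on the client, which only disables the chain and hostname checks that the callback then supersedes), so a rogue server cannot pass by obtaining a certificate with the right name from any CA. Note the caveat from the second answer: whoever holds the client device also holds the client key, so this authenticates the device, not the person, and stolen hardware still needs the VPN, two-factor and disk-encryption measures described above.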