Although algorithmic security is normally to be avoided, I'm interested in a means for agent / client software (running on Windows under the local system account) to authenticate itself to a REST web service:
- without relying on PKI
- without relying on the user's account (agent code is "local system")
In short, I'm attempting cheaply to distinguish imposter applications from legitimate client/agent software I have written. I know that such security would be broken through (1) disassembly of my code or (2) analysis of many messages my agents send - either would reveal the algorithm. I'm ok with that (security is never perfect).
That said, what would you suggest?
Since for other reasons I need each client/agent to uniquely identify itself via a GUID anyway, I'm considering an approach where each agent generates a GUID for itself, then uses the GUID and time as a seed for a "secret algorithmic" hash. Each request to one of my web services would require extra info: the agent GUID, the special hash, (and possibly the time value used in the seed as well). Upon receiving a request, my web service attempts to re-create the same hash with the same "hidden" algorithm. If the two hashes match, it might be a legitimate client application I wrote.
At this point, unless someone has either (1) done sufficient analysis of my inputs (the GUID and time) to crack the algorithm or (2) reversed / dissambled my code to find the algorithm...then my web service will probably be able to reject both imposters and replay attacks.
What types of mathematical / alrgorithmic formulas would be good for combining hashing two inputs (such as a GUID and time)? Is there an existing pattern for this kind of "cheap" security? Is there a predefined implementation or standard? Are there suggestions for how I should modify the approach?