views:

19

answers:

1

Although algorithmic security is normally to be avoided, I'm interested in a means for agent / client software (running on Windows under the local system account) to authenticate itself to a REST web service:

  • without relying on PKI
  • without relying on the user's account (agent code is "local system")

In short, I'm attempting cheaply to distinguish imposter applications from legitimate client/agent software I have written. I know that such security would be broken through (1) disassembly of my code or (2) analysis of many messages my agents send - either would reveal the algorithm. I'm ok with that (security is never perfect).

That said, what would you suggest?

Since for other reasons I need each client/agent to uniquely identify itself via a GUID anyway, I'm considering an approach where each agent generates a GUID for itself, then uses the GUID and time as a seed for a "secret algorithmic" hash. Each request to one of my web services would require extra info: the agent GUID, the special hash, (and possibly the time value used in the seed as well). Upon receiving a request, my web service attempts to re-create the same hash with the same "hidden" algorithm. If the two hashes match, it might be a legitimate client application I wrote.

At this point, unless someone has either (1) done sufficient analysis of my inputs (the GUID and time) to crack the algorithm or (2) reversed / dissambled my code to find the algorithm...then my web service will probably be able to reject both imposters and replay attacks.

What types of mathematical / alrgorithmic formulas would be good for combining hashing two inputs (such as a GUID and time)? Is there an existing pattern for this kind of "cheap" security? Is there a predefined implementation or standard? Are there suggestions for how I should modify the approach?

+1  A: 

Since, as you recognize, there's no way to prevent people impersonating your application, keep it simple: embed a shared secret in your app, 'protected' however you wish, and use it to sign your requests using an HMAC. Don't forget to include a nonce and a timestamp to prevent replay attacks.

Nick Johnson