Let's say you have a client/server application. You want to uniquely and securely identify that the communication in question is coming from a particular client installation.

To solve this, you create some kind of symmetrically encrypted signature that each machine must pass up to the server to authenticate each request. This signature includes things like MAC addresses, hard drive serial numbers, motherboard serial numbers, etc. Your mechanism is flexible enough to handle hardware changes, etc. Basically, it's like Windows Activation.

But how do you ensure that somebody looking at your code (through disassembly) can't figure out how these signatures are generated/encrypted and just duplicate them on a non-authorized machine? What are the common patterns for this? Since both the client and the server must rely on a shared secret of some kind, using crypto key containers or the DPAPI doesn't seem like an option.
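The following is an added example, not code from the poster or from any product the question describes. It contrasts the two designs the question touches on: the shared-secret scheme as asked (modelled here as an HMAC over the hardware fingerprint, with the secret assumed to be whatever a disassembler pulls out of the shipped binary), and the pattern usually recommended instead, where the client generates an asymmetric key pair at install time, enrols the public key with the server once, and signs every request with it. The server then holds only public keys, so there is nothing in either binary that lets an attacker mint credentials for a machine that was never enrolled; extracting a private key compromises that one installation. All names (`HardwareProfile`, `Enroll`, `Sign`, the sample serial numbers) are hypothetical, and the enrolment gate (a licence key, a one-time token) is an assumption stated in the comments, not something the question specifies. The hardware fingerprint is client-supplied data in both designs; the server can only ever trust the key that was bound to it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"strings"
)

// HardwareProfile holds the identifiers the post lists; every value fed to it here is a constructed sample.
type HardwareProfile struct{ MAC, DiskSerial, BoardSerial string }

func (h HardwareProfile) Fingerprint() []byte {
	sum := sha256.Sum256([]byte(strings.Join([]string{h.MAC, h.DiskSerial, h.BoardSerial}, "|")))
	return sum[:]
}

// Scheme from the question: one secret shared by every client copy and the server. The value is
// whatever a disassembler would recover from the shipped binary (assumed placeholder).
var sharedSecret = []byte("assumed-secret-baked-into-every-client")

// SharedSecretTag models the post's "symmetrically encrypted signature" as an HMAC over the fingerprint.
func SharedSecretTag(secret, fingerprint []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(fingerprint)
	return m.Sum(nil)
}

// ServerAcceptsSharedSecretTag recomputes the tag; it cannot tell a client from anyone who holds the secret.
func ServerAcceptsSharedSecretTag(fingerprint, tag []byte) bool {
	return hmac.Equal(tag, SharedSecretTag(sharedSecret, fingerprint))
}

// Alternative: a key pair generated per installation and enrolled with the server once.
type Request struct {
	Fingerprint, Nonce, Sig []byte
	Body                    string
}

// signedBytes length-prefixes each field so two different requests never serialise identically.
func signedBytes(r Request) []byte {
	var out []byte
	for _, f := range [][]byte{r.Fingerprint, r.Nonce, []byte(r.Body)} {
		out = append(binary.BigEndian.AppendUint32(out, uint32(len(f))), f...)
	}
	return out
}

// NewInstallKey runs once per install; extracting this private key compromises that installation only,
// it does not let the attacker mint credentials for machines that were never enrolled.
func NewInstallKey() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(rand.Reader) }

// Sign produces one authenticated request carrying a fresh random nonce.
func Sign(priv ed25519.PrivateKey, p HardwareProfile, body string) (Request, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Request{}, err
	}
	r := Request{Fingerprint: p.Fingerprint(), Nonce: nonce, Body: body}
	r.Sig = ed25519.Sign(priv, signedBytes(r))
	return r, nil
}

type Server struct {
	enrolled map[string]ed25519.PublicKey // hex fingerprint -> public key registered at install
	seen     map[string]bool              // accepted nonces; a real service bounds this with a timestamp window
}

func NewServer() *Server {
	return &Server{enrolled: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}
}

// Enroll binds a public key to a fingerprint. Assumption: this one call is gated by something the server
// already trusts (a licence key, a one-time token); after it, no request depends on a shared secret.
func (s *Server) Enroll(fp []byte, pub ed25519.PublicKey) error {
	k := hex.EncodeToString(fp)
	if _, dup := s.enrolled[k]; dup {
		return errors.New("fingerprint already enrolled") // re-enrolment would let an attacker swap the key
	}
	s.enrolled[k] = pub
	return nil
}

// Verify accepts a request only if the key enrolled for its fingerprint signed it and the nonce is new.
func (s *Server) Verify(r Request) error {
	pub, ok := s.enrolled[hex.EncodeToString(r.Fingerprint)]
	if !ok {
		return errors.New("unknown installation")
	}
	if !ed25519.Verify(pub, signedBytes(r), r.Sig) {
		return errors.New("bad signature")
	}
	nk := hex.EncodeToString(r.Nonce)
	if s.seen[nk] {
		return errors.New("replayed request")
	}
	s.seen[nk] = true
	return nil
}
```

With the per-installation design the secret that must stay private (the Ed25519 private key) is only ever needed by the one client that generated it, so a machine-scoped key container or DPAPI blob becomes a reasonable place to keep it at rest; the shared-secret objection in the question only applies when the same key has to live in every copy of the binary. Obfuscating a baked-in secret raises the attacker's cost but does not change the outcome shown by `ServerAcceptsSharedSecretTag`: once recovered, it signs for any fingerprint.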