Security key in Asp.net mvc

Viewed 500 times

3

I wonder if there is any way to generate a security key that is attached to the name of the computer on which the application is hosted.

What is this for? So that if by chance a malicious person tries to "steal" the system and host it on another server has no way to start the application, because as the name of the computer is different, it would restrict the use of my system.

Is there any way to generate this key? If not, how could I "close" the system to a specific computer ?

3 answers

5


Eric, there’s a lot of confusion in the area of cryptography and security. I think even the suggestions were good, but I believe there could be serious flaws there. Getting the MAC doesn’t seem like a good solution.

The answer to security questions (and not encryption) always starts like this:

  1. How desirable is my application and my data? Would it be worth stealing my code and database? If so, how much time and resources would be worth "investing in"? Example: Do you store passwords without encryption, card data or confidential user information? If so, you should be very worried.

  2. Based on the above answer, what kind of people would try to steal my information?

  3. They would be interested in my algorithms or in my database?

If your answer is that the data is desirable enough for high-ranking criminals, you can be sure that MAC encryption is not the solution. Many of the available servers use virtual machines, which would make it really very easy to clone physical MACs.

The truth is that the question you asked is the same question asked by security companies around the world, and yet they continue to fall under attack. I say this because the issue is really serious. It is not difficult to get .NET code and "decompile" it. There are code obfuscators. They can disguise the logic of your application very well, but not the security (encryption) you use. They don’t have the power to change your passwords... they just try to hide them somewhere better.

The simple answer: you are not safe in any way by hosting your website on an information provider other than your own. However much security the server has, in general the key is to try to use your access password. Having your own requires skilled professionals in the field, but it ends up being much easier.

Going back to the questions above, if what’s most valuable is your code, invest in it. Use ways to obfuscate it (.Net Obfuscator?). To have slightly simpler control, you could use a site with a fixed IP that is not shared with other applications on the same server (strange, but it would not be impossible for someone to host another site on the same server and get the IP response). Then, every time your system starts, you could check what your current IP is by asking external and internal servers for your IP. Your external server would be able to reliably verify whether the IP of the call is that of the servers at your fingertips.

That’s when cryptography finally comes in. You could send an encrypted reply authorizing the execution of your application. Remember to constantly change the key to your encryption over time (every 1 month or so), deploying to your clients, updating both your external server and your applications. Even if someone could take possession of every arsenal to "copy" your code, they would not be able to decrypt the sequences in time for a new deploy.

If the important information is in the database, the conversation needs to be completely different.

  • 2

    I disagree only on the part about obfuscation, but otherwise +1, and this should be the answer marked as correct.

  • 1

    Excellent answer! Very good indeed. Nowadays there is no way to be 100% safe. But answering the questions. Not that my system is a gold mine. Far from it. I don’t keep such sensitive information that way. Just a system of occurrences with your students and users. Only. My intention is only to protect the project from intentional theft of my code so that another place uses it as if I had sold it. The question is just that. After deploying, the person can’t get my code from the Inetpub folder, copy and paste it into another IIS server. But congratulations, very good answer !
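The external-server authorisation that the answer above sketches (a reply that authorises execution, with the key rotated every month or so), written out as an added example that is not code from the answer's author or from any project on this page. The server signs a short-lived reply bound to the host it authorised, and the application verifies it with public keys it already holds, so rotation means adding a new key id before a deploy and retiring the old one afterwards. It uses an ECDSA signature instead of the encryption the answer mentions, so the application never holds a secret that would let a copied deployment forge its own reply. The class names LicenseServer and LicenseClient, the token layout, the key ids and host names are assumptions for illustration; ECDsa.ImportSubjectPublicKeyInfo needs .NET Core 3.0 or later.

```csharp
// Added example, not code from the original answer; names and values are constructed.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class LicenseServer
{
    // Reply format (assumed): "v1;host=<name>;exp=<unix seconds>;kid=<key id>.<base64 signature>"
    public static string Issue(ECDsa signingKey, string keyId, string host, TimeSpan lifetime)
    {
        long exp = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        string payload = $"v1;host={host};exp={exp};kid={keyId}";
        byte[] sig = signingKey.SignData(Encoding.UTF8.GetBytes(payload), HashAlgorithmName.SHA256);
        return payload + "." + Convert.ToBase64String(sig);
    }
}

public static class LicenseClient
{
    // trustedKeys maps key id -> SubjectPublicKeyInfo bytes. Rotation: ship the next
    // key id alongside the current one, then drop the old id on the following deploy.
    public static bool Verify(string token, IReadOnlyDictionary<string, byte[]> trustedKeys,
                              string expectedHost, DateTimeOffset now)
    {
        int dot = token.LastIndexOf('.');
        if (dot < 0) return false;
        string payload = token.Substring(0, dot);
        byte[] sig;
        try { sig = Convert.FromBase64String(token.Substring(dot + 1)); }
        catch (FormatException) { return false; }

        var fields = new Dictionary<string, string>();
        foreach (string part in payload.Split(';'))
        {
            int eq = part.IndexOf('=');
            if (eq > 0) fields[part.Substring(0, eq)] = part.Substring(eq + 1);
        }

        // Unknown or retired key id: reject before doing any signature work.
        if (!fields.TryGetValue("kid", out string kid) || !trustedKeys.TryGetValue(kid, out byte[] spki))
            return false;

        using (ECDsa pub = ECDsa.Create())
        {
            pub.ImportSubjectPublicKeyInfo(spki, out _);
            // Tampered payload (e.g. edited host or expiry) or forged signature.
            if (!pub.VerifyData(Encoding.UTF8.GetBytes(payload), sig, HashAlgorithmName.SHA256))
                return false;
        }

        // Expired or missing expiry: a captured reply cannot be replayed forever.
        if (!fields.TryGetValue("exp", out string expText) || !long.TryParse(expText, out long exp)
            || now.ToUnixTimeSeconds() >= exp)
            return false;

        // Bound to the host the server actually authorised.
        return fields.TryGetValue("host", out string host) && host == expectedHost;
    }
}

public static class Demo
{
    public static void Main()
    {
        using (ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256))
        {
            var trusted = new Dictionary<string, byte[]> { ["key-2024-01"] = key.ExportSubjectPublicKeyInfo() };
            string token = LicenseServer.Issue(key, "key-2024-01", "WEB01", TimeSpan.FromDays(30));
            DateTimeOffset now = DateTimeOffset.UtcNow;

            Console.WriteLine("authorised host:   " + LicenseClient.Verify(token, trusted, "WEB01", now));
            Console.WriteLine("copied elsewhere:  " + LicenseClient.Verify(token, trusted, "WEB02", now));
            Console.WriteLine("edited host field: " + LicenseClient.Verify(token.Replace("WEB01", "WEB02"), trusted, "WEB02", now));
            Console.WriteLine("after expiry:      " + LicenseClient.Verify(token, trusted, "WEB01", now.AddDays(31)));
        }
    }
}
```

The signature is checked before the expiry and host fields are trusted, and the key id is looked up before the signature so a reply signed with a retired key is rejected outright. Host names are assumed not to contain ';' or '=' in this simple layout; a real deployment would use a structured format such as a JWT.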

4

The computer name can be replicated on the "pirate" machine. In fact, any feature of your machine can be "cloned" by a hacker with enough free time on their hands. But if you really want to complicate things for the pirate, use something that should really be unique to your computer. The network card MAC address is a good start.

You can try something like saving a hash of that address on the system. Every time the application starts, you hash the current MAC address and compare the result. If they match, the application continues. Otherwise, you do whatever you find most convenient to disrupt the hacker’s life.

This type of protection is not perfect. It is actually quite flawed. This can prevent your program from being copied and reused if the hacker in question is a 12-year-old boy who just discovered what PHP and SQL injection are. If I had your program on hand and a very strong desire to run it on another machine, I would disassemble the executable and any libraries loaded. When I found the function that does the hash, I wouldn’t go after it or attempt a collision attack - I’d just bypass the authentication method and be done.

If you really want to protect your system, the safest way currently is to host it on the web and provide it as a service ;)

  • In fact ASP.NET MVC is well protected against Injection if standard practices are used. I agree with the disassembly, but if he really wants to distribute the code, the encryption of the MAC address already makes the work of the Hacker difficult enough.

  • I agree with everything you said @Renan. Very helpful. I was already thinking in the future to put my application on the web and offer it as a service.

2

You can generate a SHA1 key using the MAC address (physical address) of the machine’s network adapter as the seed. The process is very safe because it is difficult for the person who steals your system to clone the physical address of the equipment, because they need to have access to it in some way.

The encoding algorithm in SHA1 is as follows:

// Required namespaces: System.Security.Cryptography and System.Text
private string GetSHA1HashData(string data)
{
    using (SHA1 sha1 = SHA1.Create())
    {
        // Hash a fixed encoding of the input so the result does not depend on the machine's default code page.
        byte[] hashData = sha1.ComputeHash(Encoding.UTF8.GetBytes(data));

        StringBuilder returnValue = new StringBuilder();

        // Two hex digits per byte. Appending each byte's plain ToString() (decimal, unpadded)
        // makes different hashes collide as strings: bytes 1,23 and 12,3 both become "123".
        for (int i = 0; i < hashData.Length; i++)
        {
            returnValue.Append(hashData[i].ToString("x2"));
        }

        return returnValue.ToString();
    }
}

To get the first physical address of your network equipment, use the following method:

// Required namespace: System.Net.NetworkInformation
private string GetMacAddress()
{
    foreach (NetworkInterface nic in NetworkInterface.GetAllNetworkInterfaces())
    {
        // Skip loopback (reported as Up but with an empty physical address) and any adapter without a MAC.
        if (nic.OperationalStatus == OperationalStatus.Up
            && nic.NetworkInterfaceType != NetworkInterfaceType.Loopback)
        {
            string mac = nic.GetPhysicalAddress().ToString();
            if (mac.Length > 0)
            {
                return mac; // first physical address found
            }
        }
    }

    return string.Empty; // no adapter with a physical address
}

Finally, the use is as follows:

var chave = GetSHA1HashData(GetMacAddress());

Having the generated key, just invent a license engine that compares the two hashes:

if (chave == chaveVindaDoBancoOuDoWebConfig) {
    // Allow use
} else {
    // Show a message about a problem with the license.
}

Where to store the hash is your preference:

  • Store it in the Web.config file (less secure);
  • Save it to the database (a little more secure).
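A tighter version of the startup check described in this answer and in the previous one (hash the MAC address, store the hash, compare at startup), added here as an example that is not code from either answer. The fingerprint mixes the machine name with all non-loopback MAC addresses in a fixed order so adapter enumeration order cannot break it, uses HMAC-SHA256 keyed with a secret kept apart from the stored value instead of bare SHA-1, encodes the result as padded hex, and compares in constant time. The MachineFingerprint class, the sample adapter list and the secret are constructed for the illustration; CryptographicOperations.FixedTimeEquals needs .NET Core 2.1 or later. It does not change what both answers already note: the check lives in code the copier can patch, so it raises the effort, not the ceiling.

```csharp
// Added example, not code from the original answers; names and sample values are constructed.
using System;
using System.Linq;
using System.Net.NetworkInformation;
using System.Security.Cryptography;
using System.Text;

public static class MachineFingerprint
{
    // MAC addresses of every adapter that has one, excluding loopback and tunnel adapters.
    public static string[] CollectMacAddresses()
    {
        return NetworkInterface.GetAllNetworkInterfaces()
            .Where(nic => nic.NetworkInterfaceType != NetworkInterfaceType.Loopback
                       && nic.NetworkInterfaceType != NetworkInterfaceType.Tunnel)
            .Select(nic => nic.GetPhysicalAddress().ToString())
            .Where(mac => mac.Length > 0)
            .ToArray();
    }

    // HMAC-SHA256 over "machineName|mac1,mac2,..." with the MACs de-duplicated and sorted,
    // keyed with a secret that is not stored next to the expected fingerprint.
    // Output is lowercase hex, two digits per byte, so distinct digests never collide as strings.
    public static string Compute(byte[] secret, string machineName, string[] macAddresses)
    {
        string canonicalMacs = string.Join(",",
            macAddresses.Distinct().OrderBy(mac => mac, StringComparer.Ordinal));
        string material = machineName + "|" + canonicalMacs;
        using (var hmac = new HMACSHA256(secret))
        {
            byte[] tag = hmac.ComputeHash(Encoding.UTF8.GetBytes(material));
            return BitConverter.ToString(tag).Replace("-", "").ToLowerInvariant();
        }
    }

    // Constant-time comparison; a plain == stops at the first differing character.
    public static bool Matches(string expectedHex, string actualHex)
    {
        byte[] expected = Encoding.ASCII.GetBytes(expectedHex);
        byte[] actual = Encoding.ASCII.GetBytes(actualHex);
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }

    public static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("constructed-secret-kept-outside-web-config");

        // Constructed adapter list standing in for CollectMacAddresses() on the licensed host.
        string[] licensedMacs = { "001A2B3C4D5E", "0A1B2C3D4E5F" };
        string stored = Compute(secret, "WEB01", licensedMacs);

        // Same host, adapters enumerated in a different order: still matches.
        string[] reordered = { "0A1B2C3D4E5F", "001A2B3C4D5E" };
        bool sameHost = Matches(stored, Compute(secret, "WEB01", reordered));

        // Copy running on another machine: different name and adapters, so it does not match.
        bool otherHost = Matches(stored, Compute(secret, "WEB02", new[] { "DEADBEEF0001" }));

        Console.WriteLine($"same host: {sameHost}, other host: {otherHost}");
    }
}
```

At startup the application would call Compute(secret, Environment.MachineName, CollectMacAddresses()) and pass the result with the stored value to Matches. Keying the digest means that knowing a target's MAC is not enough to precompute the expected value, but the secret still has to be reachable by the application, which is the limit both answers point out.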
