Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Best way to generate a machine fingerprint?

I need to generate a unique string that will differ from machine to machine -- a "device fingerprint".

What are...

  • possible approaches for custom implementations? (I've got a few ideas, but I figure you guys probably have BETTER ones)
  • existing solutions? (both commercial / non commercial are acceptable)
like image 617
Joshua Evensen Avatar asked Nov 09 '11 22:11

Joshua Evensen


4 Answers

Device fingerprinting is a complex topic if you want to cover the many edge cases (e.g. hardware upgrades, OS upgrades, etc.) and if you are worried about people expending energy to either forge a known-good device fingerprint (good meaning the fingerprint is known to you and receives some benefit such as software usage rights), or create a brand-new fingerprint you have no knowledge of (e.g. the fingerprint was on a blacklist of some sort, and the user wants to create a new Device ID for the device that is not on the blacklist).

Some things are fairly static and a reasonable basis for a simple fingerprint. MAC address best fits that category, but is also very easy to change. Also, some computers have several MAC addresses (including MAC's from virtual machines), so you need to deal with that complexity. Some network devices are ephemeral, e.g. tethered cell phone.

Other aspects of the computer are harder (but by no means impossible) to forge, such as CPU information, BIOS checksum, hard drive serial numbers, etc. Those things that tend to be harder to forge, however, are also more likely to change (BIOS upgrade, new hard drive, removable hard drives, etc).

You also need to consider carefully protecting the code that actually generates the fingerprint. If that code is easy (enough) to hack, someone attempting to defeat your solution will simply insert whatever fingerprint they want directly in the code that gathers and evaluates components.

like image 90
Eric J. Avatar answered Oct 13 '22 22:10

Eric J.


Well what I do with my apps is usually create a special ID by taking the hash from the machine name found in Environment, concat it with a hash value of my app's name, and then apply a salt (probably not even necessary but it helps to be paranoid) to produce a "fingerprint" for an app/machine combo.

This works in my situation because there is only one copy of my app on a machine at a time.

like image 22
Jeff LaFay Avatar answered Oct 13 '22 21:10

Jeff LaFay


Most machines have a NIC with a MAC Addresses now (if it isn't attached to the net then what do you need a unique id for the machine for?). Just make sure you are getting the physical NIC's MAC address and not a virtual mac (created by VMWare or Virtualbox). You may want to store the name of the device the MAC is coming from so that you always get the same MAC address when you are enumerating the MAC addresses. Also don't use this for security as it is always possible to fake a MAC address, it just provides a relatively unique identifier.

like image 30
Kris Erickson Avatar answered Oct 13 '22 22:10

Kris Erickson


You can use WMI and get NIC MAC address, HDD serial (not volume serial), CPU ID and BIOS ID. Downside of this method is that on some machines for several reasons some of this information are not available, but you can combine info from that 4 source and at least one will be there, but WMI on some machines simply doesn't work as expected and you must have some sort of fallback, something that surley work on all machines eg. volume serial number.

Another problem is that you must have administrator rights to get this info trough WMI, I solved that problem with windows service that uses WMI and send info to application(s).

Here are some of interesting WMI queries:

Hard discs serials:

SELECT SerialNumber FROM Win32_PhysicalMedia where SerialNumber <> null

BIOS serial:

SELECT SerialNumber FROM Win32_BIOS where SerialNumber <> null

CPU serial:

SELECT ProcessorID FROM Win32_Processor

NIC MAC:

SELECT MACAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True

btw. you can test WMI with Paessler WMI Tester

like image 1
Antonio Bakula Avatar answered Oct 13 '22 21:10

Antonio Bakula