Implementing a serial system for my project

[SheenBR]

I need to create a serial system for my program, nothing fancy. Whats the most reliable infos to get from the PC to create an identity number so I can create a unique serial number from it and then registering the program?
Have you guys ever did anything similar? Have some ideas to share? :

 

[Mucski]

I need to create a serial system for my program, nothing fancy. Whats the most reliable infos to get from the PC to create an identity number so I can create a unique serial number from it and then registering the program?
Have you guys ever did anything similar? Have some ideas to share? :

You need to provide the language it is writen into though, cause there are many programs writen in many languages xD Algorigthm is simple though, generate and md5 or something similar (depends on your programming language and how fancy you want to make it), store it on your server's database or local database, and there you have a unique key that nobody else have. You can then link that key to the users account or e-mail address, program should send info to server whenever it's ran and request key for the user that runs it, it is not recommended to link to IP or MAC as they can be spoofed.

 

[Ben]

You could use specific pieces of hardware and generate a serial from parts of that, like motherboard etc...

 

[Liam]

Depends how you really plan to implement it though, and what language it'll be used for. There's many different ways, some are more reliable than others; which depends on what you plan on doing with this "serial system". You could just make a rand MD5 hash, or you could go more deep into it and create a serial that uses parts of hardware ID's, as example, but keep in mind that anything that is user-inputted can be spoofed, so always keep that in mind when creating your script. If you're looking to just create a random string, I do think a random string encoded in md5 is best..

 

[SheenBR]

Sorry, forgot to mention the language. :S:

It's C#. I thought of just getting CPU ID, but I saw that machines with multiples CPU's this might be a problem. The exe will run on dedicated servers or maybe in virtual machines, so it must work with both systems. Probably Windows Server 2003, 2008

 

[Matynator]

Just as a small info addition about cpu serials.. some hardware vendors do not have unique serials for every piece of hardware they sell..
In some cases the serial is the same for ALL pieces of the same line.

Intel does this with CPU serials for example quite a lot!..

Do not base a serialization system just on cpu serials alone.. its not the right way to go

 

[Future]

I'm not really familiar with that topic. But I'm also very interested in generating something like a "Hardware ID" for my cilents.

Steam together with other online portals use something called "Hardware IDs". And with steam this stuff is quite amazing. It works whether you use their client (so basically full access to the system) but also within your browser (only few header are sent. You cant get stuff like CPU architecture or heap size)!
I kind of like to know from where they generate this ID, as browsers without plugins only have very limited access to system information.

I generally think a combination of:

• MAC-Address
• Computer Name
• Processor architecture
• HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MachineGuid
• (Total Memory Size)

would be rather safe. Considering they hardly change. Ofc it's debatable how likely those are to change and if it's a good idea or not. But at the end you buy a new computer and what do you do then to keep an unique identifier for the machine then?...

At some point you have to take those which are least likely to change and have a go with it.

Can someone think of other system parameters which are very unlike to change normally?

 

[xAkira]

you could try using bios serial number ...

You must be registered to see links

--Edit--
It works quite well on physical machine and vps. But not so on vms.
Virtualbox vm have default bios serial of 0 and it's somehow configurable. Unsure about vmwares as I do not have them to test.

 

[InCube]

you could try using bios serial number ...

You must be registered to see links

--Edit--
It works quite well on physical machine and vps. But not so on vms.
Virtualbox vm have default bios serial of 0 and it's somehow configurable. Unsure about vmwares as I do not have them to test.

I would like to confirm that this method is reliable and also works on VM.

 

[Matynator]

I would like to confirm that this method is reliable and also works on VM.

interesting... hmm noted.. i am actually working myself yet again to update the way how i made a system like it for the Kal server i am working on.. i will see what i can do with it.

 

[InCube]

Also I forgot to mention that you can store a registry inside bios that won't be cleared unless CMOS reset.

You must be registered to see links

 

[s-p-n]

I'm a believer that everything sent over the line may be listened to and may be spoofed. If you're into security, you have to assume that if something may happen, it will happen. I would also assume that someone might legitimately upgrade their PC hardware, or for that matter, get a new PC altogether. Or perhaps they have multiple PCs- say a laptop and desktop, and have reason to use the software on both machines.

My suggestion, just have the users register an account with your service. Have the client send the MAC address and a hash of the user/pass combination over the internet to your server. Keep a list of known computers the client is connecting with.

Every time you see a new computer, you can verify the user in several ways- my favorite is sending them a text message, but that requires the user tell you their personal phone number and accept a call/text from your server to get a code. Another obvious solution is to use email, or simply a confirmation from one of the known valid PCs. Let the client know what you know about them, and let them add/remove their PCs. Legitimate users want to understand what information you have about them, and they can help you keep a list of accurate information.

That's my two cents. But you said you didn't want anything fancy, so maybe just use a username/password.. Just try to not hurt legitimate users in an attempt to prevent malicious users from being malicious.

Sorry I completely disregarded the question, I'm just firmly against the idea that hardware information is a good way to determine whether clients are legit.

 

[Ben]

I'm a believer that everything sent over the line may be listened to and may be spoofed. If you're into security, you have to assume that if something may happen, it will happen. I would also assume that someone might legitimately upgrade their PC hardware, or for that matter, get a new PC altogether. Or perhaps they have multiple PCs- say a laptop and desktop, and have reason to use the software on both machines.

My suggestion, just have the users register an account with your service. Have the client send the MAC address and a hash of the user/pass combination over the internet to your server. Keep a list of known computers the client is connecting with.

Every time you see a new computer, you can verify the user in several ways- my favorite is sending them a text message, but that requires the user tell you their personal phone number and accept a call/text from your server to get a code. Another obvious solution is to use email, or simply a confirmation from one of the known valid PCs. Let the client know what you know about them, and let them add/remove their PCs. Legitimate users want to understand what information you have about them, and they can help you keep a list of accurate information.

That's my two cents. But you said you didn't want anything fancy, so maybe just use a username/password.. Just try to not hurt legitimate users in an attempt to prevent malicious users from being malicious.

Sorry I completely disregarded the question, I'm just firmly against the idea that hardware information is a good way to determine whether clients are legit.

Wouldn't that be quiet some overkill for for example a standard editing tool that you would like to secure, you can't ask every client for their phone number as just developing private server tools isn't company related for most people, setting up a whole system to automaticly send codes to users phones, I think it'll be to much tbh.

 

[s-p-n]

That's my two cents. But you said you didn't want anything fancy, so maybe just use a username/password.. Just try to not hurt legitimate users in an attempt to prevent malicious users from being malicious.

Sorry I got carried away.