Security with key in asp.net mvc

3

I wanted to know if there is any way to generate a security key that is tied to the name of the computer on which the application is hosted.

Why this? So if by chance a malicious person trying to "steal" the system and host it on another server can not start the application, because the computer name is different, it would restrict the use of my system.

Is there a way to generate this key? If not, how could I "close" the system to a specific computer?

    
asked by anonymous 25.11.2014 / 19:52

3 answers

5

Éric, there is a lot of confusion in the area of cryptography and security. I think even the suggestions were good, but I believe there could be serious flaws there. Getting the MAC does not seem like a good solution.

The answer to security (and not encryption) always starts like this:

  • How desirable is my application and my data? Would it be worth stealing my code and my database? If so, how much time and resources would it be worth to "invest in"? Example: Do you keep passwords without encryption, card data, or sensitive user information? If so, you should be very concerned.

  • Based on the above answer, what kind of people would try to steal my information?

  • Would they be interested in my algorithms or my database?

  • If your answer is that the data is desirable enough for high-level criminals, you can be sure that MAC encryption is not the solution. Many of the available servers use virtual machines, which would actually be very easy to clone physical MACs.

The truth is that the question you asked is the same question asked by security companies around the world, and yet they continue to fall under attack. I say this because the question is really serious. It's not hard to get .NET code and "decompile" it. There are code obfuscators. They can disguise the logic of your application very well, but not the security (encryption) you use. They have no power to change your passwords ... they just try to hide them somewhere better.

The answer is simple: you are not secure in any way by hosting your website at an information provider other than your own. However great the security on the server, the key is usually to try to use your access password. Having your own requires skilled professionals in the subject, but ends up being a lot easier.

Returning to the above questions, if your code is most valuable, invest in it. Use ways to obfuscate (.Net Obfuscator?). To have a slightly simpler control, you could have a site with a fixed IP that is not shared with other applications on the same server (strange, but it would not be impossible for someone to host another site on the same server and get the IP response). Then every time your system starts, you could check what your current IP is by asking the external and internal servers for your IP. Your external server could reliably verify that the IP of the call is that of the servers at your fingertips.

Then the encryption finally arrives. You could send an encrypted response authorizing the execution of your application. Remember to constantly change the key of your encryption (every month or so) by doing deploys on your clients, updating both your external and application servers. Even if someone could take possession of every arsenal to "copy" your code, they would not be skilled enough to decrypt the sequences in time for a new deploy.

If the important information is in the database, the conversation needs to be totally different.

        
26.11.2014 / 04:46
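One way to put the start-up authorisation this answer describes into code, as an added example that is not the answerer's code: the application asks an external server for permission, the server only answers a caller whose IP it knows, and the reply is time-limited so it has to be refreshed. The example swaps the answer's "encrypted response" for an HMAC-SHA256 signed token, because what the application actually needs to check is that the reply is authentic and still fresh, which encryption alone does not give. The shared key is the thing the answer recommends rotating at each deploy. `LicenseServer`, `LicenseClient`, the token layout and the sample addresses are assumptions made for this example; the IP check remains only as strong as the answer's own premise that the caller's address can be trusted.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Helpers constructed for this example.
public static class LicenseCrypto
{
    // Compare the whole array regardless of where the first difference is,
    // so the time taken does not reveal how much of the tag matched.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static byte[] Tag(byte[] key, string payload)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }
}

// The "external server" side: only answers a caller whose IP it knows and
// returns a signed, time-limited authorisation rather than an encrypted blob.
public static class LicenseServer
{
    public static string Issue(byte[] key, string callerIp, string allowedIp,
                               DateTimeOffset now, TimeSpan lifetime)
    {
        if (!string.Equals(callerIp, allowedIp, StringComparison.Ordinal))
            return null; // unknown caller: no authorisation at all

        long expires = now.Add(lifetime).ToUnixTimeSeconds();
        string payload = allowedIp + "|" + expires.ToString(CultureInfo.InvariantCulture);
        return payload + "|" + Convert.ToBase64String(LicenseCrypto.Tag(key, payload));
    }
}

// The application side, run at start-up.
public static class LicenseClient
{
    public static bool Verify(byte[] key, string token, string myIp, DateTimeOffset now)
    {
        if (token == null) return false;
        string[] parts = token.Split('|');
        if (parts.Length != 3) return false;

        byte[] received;
        try { received = Convert.FromBase64String(parts[2]); }
        catch (FormatException) { return false; }

        // Check the tag first; nothing in the payload is trusted until it passes.
        byte[] expected = LicenseCrypto.Tag(key, parts[0] + "|" + parts[1]);
        if (!LicenseCrypto.FixedTimeEquals(expected, received)) return false;

        if (!string.Equals(parts[0], myIp, StringComparison.Ordinal)) return false;
        long expires;
        if (!long.TryParse(parts[1], NumberStyles.None, CultureInfo.InvariantCulture, out expires))
            return false;
        return now.ToUnixTimeSeconds() <= expires;
    }
}

public static class Demo
{
    public static void Main()
    {
        // The shared key is what the answer recommends replacing at each deploy;
        // here it is generated on the spot (constructed for the example).
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);

        var now = DateTimeOffset.UtcNow;
        string ip = "203.0.113.10"; // documentation-range address, constructed

        string token = LicenseServer.Issue(key, ip, ip, now, TimeSpan.FromHours(1));
        Console.WriteLine(LicenseClient.Verify(key, token, ip, now));             // fresh token
        Console.WriteLine(LicenseClient.Verify(key, token, ip, now.AddHours(2))); // past its lifetime
        Console.WriteLine(LicenseClient.Verify(key, token + "x", ip, now));       // tag no longer decodes
        Console.WriteLine(LicenseServer.Issue(key, "198.51.100.7", ip, now,
                                              TimeSpan.FromHours(1)) == null);   // unknown caller refused
    }
}
```

The tag is verified before any field of the payload is read, so a forged or altered token is rejected without its contents ever influencing the decision; the expiry is what forces the periodic refresh the answer wants.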
4

The computer name can be replicated on the "pirate" machine. In fact, any feature of your machine can be "cloned" by a hacker with enough free time on their hands. But if you really want to make life harder for the pirate, use something that really should be unique to your computer. The MAC address of the network card is a good start.

You can try to save something like a hash of that address in the system. Every time the application starts, you compute a hash of the current MAC address and compare the result. If it matches, the application continues. Otherwise, you do whatever you think is most convenient to make the hacker's life difficult.

This kind of protection is not perfect. It is actually pretty flawed. It can prevent your program from being copied and reused if the hacker is a 12-year-old kid who has just found out what PHP and SQL injection are. If I had your program in hand and a strong desire to run it on another machine, I would disassemble the executable and any loaded libraries. Once I found the function that computes the hash, I would not try to reverse it or attempt a collision attack; I would simply bypass the authentication method and that would be it.

If you really want to protect your system, the safest way today is to host it on the web and provide it as a service ;)

        
25.11.2014 / 20:52

2

You can generate a SHA1 key using the physical (MAC) address of the machine as the seed. The process is very secure because hardly anyone who steals your system will be able to clone the physical address of the equipment, since that requires access to it in some way.

The SHA1 hashing algorithm is as follows:

    using System.Security.Cryptography;
    using System.Text;

    // Hashes the input with SHA1 and returns the digest as a lowercase hex string.
    // "x2" keeps every byte at exactly two characters; the plain ToString() used
    // originally produced pieces of varying length ("1" vs "23"), so two different
    // digests could end up as the same string.
    private string GetSHA1HashData(string data)
    {
        using (SHA1 sha1 = SHA1.Create())
        {
            // UTF8 gives the same bytes on every machine; Encoding.Default depends on the OS code page.
            byte[] hashData = sha1.ComputeHash(Encoding.UTF8.GetBytes(data));

            StringBuilder returnValue = new StringBuilder(hashData.Length * 2);

            for (int i = 0; i < hashData.Length; i++)
            {
                returnValue.Append(hashData[i].ToString("x2"));
            }

            return returnValue.ToString();
        }
    }

To obtain the first physical address of your network equipment, use the following method:

    using System.Net.NetworkInformation;

    // Returns the MAC of the first interface that is up and is not the loopback
    // adapter (loopback has an empty physical address and is often listed first).
    private string GetMacAddress()
    {
        string macAddresses = string.Empty;

        foreach (NetworkInterface nic in NetworkInterface.GetAllNetworkInterfaces())
        {
            if (nic.OperationalStatus == OperationalStatus.Up
                && nic.NetworkInterfaceType != NetworkInterfaceType.Loopback)
            {
                macAddresses += nic.GetPhysicalAddress().ToString();
                break;
            }
        }

        return macAddresses;
    }

Finally, the usage is as follows:

    var chave = GetSHA1HashData(GetMacAddress());

Once the key is generated, simply build a licensing mechanism that compares the two hashes:

    // chave: hash of the current machine's MAC; chaveVindaDoBancoOuDoWebConfig: the stored hash.
    if (chave == chaveVindaDoBancoOuDoWebConfig) {
        // Allow use.
    } else {
        // Report a license problem.
    }

Where you will save the hash:

  • Save it in Web.config (less secure);
  • Save it in the database (a little more secure).

25.11.2014 / 20:49
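The check that the previous two answers describe (hash the MAC address, compare it with a stored value) put together in one place, as an added example that is not code from either answer. It keeps the scheme as weak as the other answers say it is, since a MAC can be cloned or the check bypassed, but removes the two implementation defects: it shows concretely why concatenating decimal byte values (the encoding in `GetSHA1HashData` above) is ambiguous and uses fixed-width hex instead, and it compares the fingerprint in constant time rather than with `==`. It also normalises the address so the same card gives the same fingerprint whichever format the MAC was captured in. `MachineLicense`, SHA-256 in place of SHA1, and the sample values are assumptions made for this example.

```csharp
using System;
using System.Linq;
using System.Net.NetworkInformation;
using System.Security.Cryptography;
using System.Text;

public static class MachineLicense
{
    // The encoding used in the answer's GetSHA1HashData: decimal values run together.
    // It is not one-to-one: {1, 23} and {12, 3} both become "123".
    public static string DecimalConcat(byte[] bytes)
    {
        return string.Concat(bytes.Select(b => b.ToString()));
    }

    // Fixed-width hex: exactly two characters per byte, so distinct digests stay distinct.
    public static string Hex(byte[] bytes)
    {
        return string.Concat(bytes.Select(b => b.ToString("x2")));
    }

    // Fingerprint = SHA-256 over the normalised MAC (hex digits only, upper case), hex-encoded.
    // Normalising first means "00-1A-..." and "00:1a:..." produce the same value.
    public static string Fingerprint(string mac)
    {
        string normalised = new string(mac.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();
        using (var sha = SHA256.Create())
        {
            return Hex(sha.ComputeHash(Encoding.UTF8.GetBytes(normalised)));
        }
    }

    // First interface that is up, is not loopback and actually has a physical address.
    public static string GetMacAddress()
    {
        return NetworkInterface.GetAllNetworkInterfaces()
            .Where(n => n.OperationalStatus == OperationalStatus.Up
                     && n.NetworkInterfaceType != NetworkInterfaceType.Loopback)
            .Select(n => n.GetPhysicalAddress().ToString())
            .FirstOrDefault(m => m.Length > 0) ?? string.Empty;
    }

    // Compare every character regardless of where the first mismatch is, so the
    // comparison time does not depend on how much of the stored value matched.
    public static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // storedFingerprint is read from Web.config or the database, as the answer suggests.
    public static bool LicenseValid(string storedFingerprint)
    {
        return FixedTimeEquals(Fingerprint(GetMacAddress()), storedFingerprint);
    }

    public static void Main()
    {
        byte[] x = { 1, 23 };
        byte[] y = { 12, 3 };
        Console.WriteLine(DecimalConcat(x) == DecimalConcat(y)); // the original encoding cannot tell them apart
        Console.WriteLine(Hex(x) == Hex(y));                     // fixed-width hex can

        // One constructed MAC in the three spellings ipconfig, ifconfig and .NET use;
        // all three must map to a single fingerprint.
        string[] forms = { "00-1A-2B-3C-4D-5E", "00:1a:2b:3c:4d:5e", "001A2B3C4D5E" };
        Console.WriteLine(forms.Select(Fingerprint).Distinct().Count() == 1);

        // Round trip on this machine: the value you would store at install time.
        string stored = Fingerprint(GetMacAddress());
        Console.WriteLine(LicenseValid(stored));
    }
}
```

Store the value of `Fingerprint(GetMacAddress())` at install time and call `LicenseValid` at start-up; the normalisation step is what keeps a value captured from `ipconfig` output interchangeable with one computed by `GetPhysicalAddress()`.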