
Author Topic: program login security  (Read 6460 times)

WalterK

  • New Member
  • *
  • Posts: 48
program login security
« on: August 23, 2011, 09:41:17 pm »
I'm writing a client-server type application using the internet.
I read somewhere someone's suggestion to use some program file's
time-date stamp as unique information to make the login secure.
I thought that was a good idea - it's just one additional piece
of information to keep in the server's user/pass database to
hinder a copier.

(There was a thread on the Delphi Non-Technical newsgroup on
this but I can't find it now.)  I've read about a CPU Id, but I need something cross-platform.

I was going to use sequential user numbers with some added random
characters to make it harder to generate/guess, and then a
long string of random characters sent from the server as the
password.

Ought this data be hashed to prevent those who 'sniff' passwords
out of internet connections? (I guess I'm fairly ignorant on this.)

I'd love to hear suggestions.

Thanks.

Walter

IPguy

  • Sr. Member
  • ****
  • Posts: 385
Re: program login security
« Reply #1 on: August 23, 2011, 10:51:51 pm »
There was a discussion (here and on the Laz mailing list?) about using OnGuard and some of the issues with that component.

I've adopted a suggestion from someone (graeme?) to use the timestamp (in timeticks) of a standard directory on the platform as a unique ID. Examples: *nix: the /bin directory; Windows: the /windows (or similar) directory. The thinking being that the likelihood of two machines having the exact same create timeticks is low enough to be worth the risk.

What I have not had a chance to explore is what the timestamps are on ghosted (or VM equivalent) machines.

Yours (and others) thoughts?

joseme

  • Full Member
  • ***
  • Posts: 128
    • Logosoft sistemas
Re: program login security
« Reply #2 on: August 23, 2011, 11:45:15 pm »
I am very interested in this discussion. IPGuy, how do you read directory timestamp from Lazarus? Thanks in advance
A contribution to the community:
http://pascalylazarus.blogspot.com/

IPguy

  • Sr. Member
  • ****
  • Posts: 385
Re: program login security
« Reply #3 on: August 24, 2011, 01:44:23 am »
I use the following code, as I could not find a function within fpc that worked.  (fpc has functions that work for files, but they do not return the timestamp of directories.)

Note that the below has minimal error checking.  Use at your own risk.  I found the core of this elsewhere and made it work for me.

var DirTStamp : LongInt;
 
DirTStamp := DirectoryAge(SysConfigDir);  // get the SysConfigDir timestamp 


{$mode objfpc}{$H+}
uses
  SysUtils;

function DirectoryAge(const DirectoryName: string): LongInt;
// Returns the timestamp of the passed directory as TSearchRec.Time.
// The encoding is platform dependent (DOS date/time on Windows, Unix
// time on *nix), so only compare values produced on the same platform.
// Returns -1 if the directory cannot be found or is not a directory.
var
  sr: TSearchRec;
  Path: string;
begin
  Result := -1;   // error condition / null value
  // FindFirst matches the bare name ('/bin', 'C:\Windows'); a trailing
  // path delimiter leaves an empty pattern and the lookup fails.
  Path := ExcludeTrailingPathDelimiter(DirectoryName);
  // faAnyFile already includes faDirectory; without faDirectory in the
  // attribute mask the directory entry itself would be skipped.
  if FindFirst(Path, faAnyFile, sr) = 0 then
  begin
    // Only accept a directory; a plain file of that name is not our ID.
    if (sr.Attr and faDirectory) <> 0 then
      Result := sr.Time;
    FindClose(sr);
  end;
end;

WalterK

  • New Member
  • *
  • Posts: 48
Re: program login security
« Reply #4 on: August 24, 2011, 02:09:42 am »
One thing I now remember being asked on the Delphi forum thread was how to hash the password so it could be safely stored in a file and still not be usable to someone who stole the computer (laptop, for example).  I think the consensus was that it was never really safe from a determined cracker.

Option 1:
Send password as stored in file with a timestamp of some file, as with example DirectoryAge.  But this could be captured and retransmitted.

Option 2:
Use the difference between the current time and the timestamp to create a hash... This difference wouldn't be computable except if one had the computer in hand and knew which directory/file was being used, or somehow had a virus to get that information for you. This hash of the time difference (maybe used on the stored password) couldn't be otherwise predicted.

This is (partially) what I'm thinking about now....

But better minds than mine have gone down this road before, so I'm hoping for more feedback.

Walter
« Last Edit: August 24, 2011, 02:11:44 am by WalterK »
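The two concerns raised in the opening post and in Reply #4, a sniffer reading the password off the wire and a captured login being retransmitted, are both handled by a challenge-response login: the server sends a fresh random nonce, the client answers with an HMAC over the nonce keyed by the user's secret, and the server consumes the nonce on use. The example below is added here to show that exchange with both sides' messages; it is illustration code written for this thread in Python (not WalterK's or IPguy's Pascal), and the names Server, response, login, the per-user secret (standing in for the "long string of random characters sent from the server") and the sample machine id (standing in for the directory timestamp) are all constructed for it.

```python
"""Added example: challenge-response login with a server nonce.

Illustration code written for this thread, not WalterK's or IPguy's program.
Names (Server, response, login) and all sample data are constructed.
"""
import hashlib
import hmac
import secrets


class Server:
    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, str]] = {}   # user -> (secret, machine id)
        self.pending: dict[str, bytes] = {}             # user -> outstanding nonce

    def register(self, user: str, machine_id: str) -> bytes:
        """Issue a random per-user secret. It is delivered to the client once,
        over a channel the user trusts, and stored on both ends."""
        secret = secrets.token_bytes(32)
        self.users[user] = (secret, machine_id)
        return secret

    def challenge(self, user: str) -> bytes:
        """Fresh random nonce per login attempt; replaces any earlier one."""
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, nonce: bytes, tag: bytes) -> bool:
        """Consume the outstanding nonce and check the client's MAC."""
        expected_nonce = self.pending.pop(user, None)
        record = self.users.get(user)
        if expected_nonce is None or record is None:
            return False
        if not hmac.compare_digest(expected_nonce, nonce):
            return False                # stale or replayed nonce
        secret, machine_id = record
        expected = response(secret, nonce, user, machine_id)
        return hmac.compare_digest(expected, tag)


def response(secret: bytes, nonce: bytes, user: str, machine_id: str) -> bytes:
    """HMAC-SHA256 over length-prefixed fields. The secret never travels;
    only a MAC that is valid for this one nonce does."""
    parts = (nonce, user.encode(), machine_id.encode())
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(secret, msg, hashlib.sha256).digest()


def login(server: Server, user: str, secret: bytes, machine_id: str):
    """One round trip: server -> nonce, client -> tag, server -> verdict.
    Returns the verdict and what a sniffer on the wire would capture."""
    nonce = server.challenge(user)
    tag = response(secret, nonce, user, machine_id)
    return server.verify(user, nonce, tag), (nonce, tag)


def demo() -> dict[str, bool]:
    srv = Server()
    machine = "1314050000"              # constructed: a directory timestamp as machine id
    secret = srv.register("walter", machine)

    ok, sniffed = login(srv, "walter", secret, machine)

    # Replay: the attacker resends the captured (nonce, tag) against a new challenge.
    nonce, tag = sniffed
    srv.challenge("walter")
    replay = srv.verify("walter", nonce, tag)

    # Copied secret, but the program now runs on a different machine.
    other_machine, _ = login(srv, "walter", secret, "1299999999")

    # Guessed secret on the right machine.
    wrong_secret, _ = login(srv, "walter", secrets.token_bytes(32), machine)

    return {"login": ok, "replay": replay,
            "other_machine": other_machine, "wrong_secret": wrong_secret}


if __name__ == "__main__":
    print(demo())
```

The secret still has to be stored on the client, so someone who has the laptop in hand can read it; the exchange only stops a passive sniffer and a replay, which is the part of Reply #4's Option 1 that the poster worried about.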

IPguy

  • Sr. Member
  • ****
  • Posts: 385
Re: program login security
« Reply #5 on: August 24, 2011, 02:21:47 am »
I'm using the core of the OnGuard functions.

I take the "HW" ID (dir timestamp), mix in a bit of version limit, program mode, and a few spare bits here and there and then use OnGuard's special key function and their scrambling function to generate (and decode) the registration key.  It took me a few months (evening hours) to get this working.  And then when I discovered the flaws in the hardware information that OnGuard was extracting, I had to revise it to use the timestamp.  (sigh) 
I do send the customer the registration key via email and they apply the key to unlock the program.  The registration key is stored in an ini file, which the customer can see and edit.   However, I think that the encoding and checking I do within the program is sufficient to protect the key against casual "attack".

Will this protect me 100%?  No, but my target audience is not gaming, but rather a business app for folks with more work to do than spare time, so they are less likely to break it (I hope).
« Last Edit: August 24, 2011, 03:01:55 am by IPguy »
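Reply #5 describes a registration key built from the directory-timestamp "HW" ID, a version limit and a program mode, scrambled so the customer can see but not usefully edit it in the ini file. The block below is an added example of that shape of key using a truncated HMAC, written for this thread; it is not OnGuard's scheme and not IPguy's program. The vendor secret, the field layout, the mode numbers and the sample values are constructed. Because the client must hold the same secret to check the key, anyone who extracts it from the binary can mint keys; what the MAC defeats is editing the fields in the ini file and moving a key to another machine.

```python
"""Added example: a registration key bound to a machine id.

Illustration code written for this thread, not OnGuard's scheme and not
IPguy's program. Secret, field layout, modes and sample values are constructed.
"""
import base64
import hashlib
import hmac
import struct

VENDOR_SECRET = b"constructed-vendor-secret-for-the-example"
MODE_TRIAL, MODE_FULL = 1, 2            # constructed program modes
FIELDS = ">IHB"                          # machine id, version limit, mode (7 bytes)
TAG_LEN = 8                              # truncated HMAC-SHA256, 64 bits


def make_key(secret: bytes, machine_id: int, max_version: int, mode: int) -> str:
    """Vendor side: pack the fields, append a MAC over them, base32 the result."""
    fields = struct.pack(FIELDS, machine_id & 0xFFFFFFFF, max_version, mode)
    tag = hmac.new(secret, fields, hashlib.sha256).digest()[:TAG_LEN]
    text = base64.b32encode(fields + tag).decode()   # 15 bytes -> 24 chars, no padding
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))


def check_key(secret: bytes, key: str, machine_id: int, version: int):
    """Client side: return the unlocked mode, or None if the key is malformed,
    forged, edited, issued for another machine, or too old for this version."""
    text = key.replace("-", "").strip().upper()
    try:
        raw = base64.b32decode(text)
    except ValueError:                  # bad length or non-alphabet character
        return None
    if len(raw) != struct.calcsize(FIELDS) + TAG_LEN:
        return None
    fields, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(secret, fields, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None                     # any edit to the fields lands here
    key_machine, max_version, mode = struct.unpack(FIELDS, fields)
    if key_machine != machine_id & 0xFFFFFFFF:
        return None                     # key copied from another machine
    if version > max_version:
        return None                     # program newer than the key allows
    return mode


def demo() -> dict:
    machine = 1314050000                # constructed: directory timestamp as "HW" id
    key = make_key(VENDOR_SECRET, machine, max_version=3, mode=MODE_FULL)

    # The customer edits one character of the key in the ini file
    # (still a valid base32 letter, so decoding succeeds but the MAC fails).
    text = key.replace("-", "")
    edited = ("B" if text[0] != "B" else "C") + text[1:]

    return {
        "valid": check_key(VENDOR_SECRET, key, machine, version=3),
        "edited": check_key(VENDOR_SECRET, edited, machine, version=3),
        "other_machine": check_key(VENDOR_SECRET, key, 1299999999, version=3),
        "too_new": check_key(VENDOR_SECRET, key, machine, version=4),
        "trial_key": check_key(VENDOR_SECRET,
                               make_key(VENDOR_SECRET, machine, 3, MODE_TRIAL),
                               machine, version=1),
    }


if __name__ == "__main__":
    print(demo())
```

Truncating the MAC to 64 bits keeps the key short enough to type from an e-mail while still leaving far too many values to guess by hand; the version field is what lets a key sold for one release stop working on a later one.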

joseme

  • Full Member
  • ***
  • Posts: 128
    • Logosoft sistemas
Re: program login security
« Reply #6 on: August 24, 2011, 01:55:54 pm »
Thank you, IPGuy. I will try your code.
A contribution to the community:
http://pascalylazarus.blogspot.com/
