
I am creating a PHP/MySQL application and for some reasons I have to establish a security/trust relationship between the user's device and my system. The following shows my options and their shortcomings:

Cookies: This method of sustaining an existing relationship was the first to mind, but could easily be erased by the user of the device.

User Agent String: This can be spoofed and proven unreliable.

MAC Address: Same reason as the user agent. This option cannot be trusted.

IP Address: This for me is a no-no, especially for users with dynamic IPs or NAT.

I would appreciate an answer from anyone on my idea. I am proficient in PHP/MySQL, so applying the logic shouldn't be a problem.

Thanks in advance

Gruther
    If the user chooses to erase their cookies, they should have to reauthenticate. Why would this be a problem? – Asad Saeeduddin Mar 31 '14 at 22:05
  • Is it that you are aiming for a high-security system with encryption or that you just want to guarantee that the current request is a legitimate request from the user? It really could be either when talking about a security/trust relationship. – Turnerj Mar 31 '14 at 23:50
  • @Asad I see your point, but from a security perspective, I am worried about cookie theft/hijacking. – Gruther Apr 01 '14 at 04:53
  • @Turnerj I just want to guarantee that the current request is a legitimate request from the user. My idea would lessen how attackers can fiddle with my system. Even if a user's account is compromised, I am 'at least' guaranteed that sensitive tasks cannot be executed – Gruther Apr 01 '14 at 04:58

1 Answer

This is all information coming from the end user/device, so it is not a problem to forge.

Think of something more like two step auth, certificates, etc... it really depends on how deep you want to dive.

blue
  • My thoughts were radical when analysing the system, and yes, I do have two-step auth in place, but this can easily be broken by tricking a user into providing access tokens/codes in order to process sensitive tasks, although it is an added layer of security that is recommended. What I am seeking is more like granting an extended user experience based on a trusted device. What certificate are you suggesting? SSL? – Gruther Apr 01 '14 at 05:07
  • @Gruther - I am thinking about [Public-key infrastructure](http://en.wikipedia.org/wiki/Public-key_infrastructure). While one may store his private "software" key on the device and protect it with a password, it is somewhat easy to export the cert once you've got access to the device; there is also the option to use smart cards with a [Secure cryptoprocessor](http://en.wikipedia.org/wiki/Secure_cryptoprocessor). The latter is supposed to be much harder to extract the private key from. Well, the secure device you're probably looking for is the card reader for the crypto smart card. – blue Apr 01 '14 at 09:02
  • Thank you for your input. I will keep researching and provide feedback upon successful implementation to help others. I found this link though [stackoverflow](http://stackoverflow.com/questions/15966812/user-recognition-without-cookies-or-local-storage/16120977#16120977) – Gruther Apr 01 '14 at 15:26
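The cookie option the question lists, and the cookie-theft worry raised in the comments, are usually handled with a server-side trusted-device record rather than anything read from the client. The following is an added example, not code from the question or the answer, of that pattern in PHP/MySQL: the browser holds only a random selector:token pair, the database stores the token's SHA-256 hash, and a missing or wrong cookie simply means the device is untrusted and the user re-authenticates. It assumes PHP 7.3+ (for the array form of setcookie), a PDO connection `$pdo`, and a table `trusted_devices(selector, token_hash, user_id, expires_at)` that is not part of the original post.

```php
<?php
// Added example (not from the question or answer): server-side trusted-device
// tokens. The DB stores only hash(token), so a dumped table cannot be replayed
// as a cookie. Assumed schema: trusted_devices(selector CHAR(24) PRIMARY KEY,
// token_hash CHAR(64), user_id INT, expires_at DATETIME).

const TRUST_COOKIE = 'device_trust';
const TRUST_DAYS   = 30;

// Call this only after the user has fully authenticated (password + second factor).
function issueTrustedDevice(PDO $pdo, int $userId): void {
    $selector = bin2hex(random_bytes(12));   // lookup key, 24 hex chars
    $token    = bin2hex(random_bytes(32));   // secret, 64 hex chars, never stored raw
    $expires  = (new DateTimeImmutable('+' . TRUST_DAYS . ' days'))->format('Y-m-d H:i:s');

    $stmt = $pdo->prepare('INSERT INTO trusted_devices (selector, token_hash, user_id, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $token), $userId, $expires]);

    // Secure + HttpOnly + SameSite shrink the cookie-theft surface the asker worries about.
    setcookie(TRUST_COOKIE, $selector . ':' . $token, [
        'expires'  => time() + TRUST_DAYS * 86400,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Returns the user id bound to a valid, unexpired device token, or null.
// Null means "untrusted device": require a full login (and the second factor) again.
function trustedDeviceUser(PDO $pdo): ?int {
    $raw = $_COOKIE[TRUST_COOKIE] ?? '';
    if (substr_count($raw, ':') !== 1) {
        return null;                          // erased or malformed cookie
    }
    [$selector, $token] = explode(':', $raw, 2);

    $stmt = $pdo->prepare('SELECT token_hash, user_id FROM trusted_devices WHERE selector = ? AND expires_at > NOW()');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                          // unknown selector or expired record
    }
    // Look up by selector, then compare hashes in constant time to avoid timing leaks.
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null;
    }
    return (int) $row['user_id'];
}
```

The device token only decides whether routine requests may skip the second factor; sensitive tasks, as the asker intends, should still demand step-up authentication, and the row should be deleted on logout or when the user revokes the device.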