Computer Fingerprints

Forethought

One thing that bothers me when trying to perform analytics or to ensure security is the need for computer fingerprinting.

Fingerprinting is a way to ensure that the computer you are talking to is the one you think it is. Usually this is done with some sort of computed hash of its components, or by assigning it some arbitrary number: something unique to that computer, much the same way real human fingerprints work.

The problem lies in the fact that computer parts are interchangeable. In real life, taking your hand off and replacing it with another is cumbersome and difficult and leaves traces. This has no counterpart in the computer world.

New RAM, a new CPU, new graphics cards, etc. All of these core parts of a PC are interchangeable, which makes it nearly impossible to build a “fingerprint” of a computer.

Hypothesis

So my thought is: why are we trying to build a unique signature off some components, when instead we should look at the collection of individual components and treat that collection as the unique part?

That collection of objects is what makes a computer unique.

So my idea is that instead of trying to create a fingerprint, we create a sort of DNA strand for that device from its individual components. We then compare the listing of these parts as “chromosomes” and assign them a weighted sum.

We can then start assigning groups of semi-unique data to these chromosomes, and by applying a difference equation to these groups we can compute whether or not that machine is close to its anticipated outcome.

Test Case

Let's say a user first joins a community or starts using some program as a service. We request a “true” DNA strand from that device and store this strand under the account. They then authenticate that this is them. Every time that user logs in again, we send them a random salt value along with a request for some chromosomes.

They then perform a rehashing of some of their semi-unique data with the salt and pass that back to us. We check this data, and as long as it is within tolerances, we permit the login with no second-level authentication.

Chromosomes

Some examples of chromosomes could be:

1: Installed programs & versions
2: Volumes & Serial Numbers
3: Connected Devices
4: Network Interfaces
5: System Specs
6: Operating System Stats
7: CPU Stats
8: Drivers and Versions

Example

For instance, at first we have them perform a SHA1 of Chromosome 1.

They gather the list:

7-Zip 16.04 (x64)  16.04 
ABBYY FineReader 9.0 Sprint 9.00.15.58233
Acceptor Tools 7.1.0.0
Acronis True Image 20.0.5554

Then produce a SHA1 set of that:

B2438E4FDA88FCCC41D60C9E4265022CE4F81BE5-0C57386F58362D480EC325464C06E099F9E925D1
C439E4B1E9428517390EFE68C15E730D8A578DDD-4691C72D462700F938FD6824C76FDFBCEC7EE881
7722802E5A7E8C80D81439A746DC0546BF37193B-AFC6CBF13C03016910089DA10468FFFF55495A87
558983DC66A8069926635FE7F84A61DC850DC51F-93E0182F27C1BFEF852D0DC6AC36DEED78E8FF7D

They then send us this as a “True” DNA sample. We store this as a reference.

Later, when they log in again, we request X% of Chromosome 1 salted with some new salt. The salt is used as the seed value for an RNG, which selects X% of the subset.

REQ: CHR1{10} SALT: SOMENEWSALT23213

We get some data back, and after some checking we find that it is 90% similar to the true sample, so we can assume it is them. We then store the differences as “mutations”, separately from the true DNA strand.

Later, we get another login attempt. We ask again:

REQ: CHR1{10} SALT: ANOTHER NEW SALT 413241

This time, however, we get a response that is only a 60% match to a true DNA for their account. But if we compare it against its mutations as well, that number increases to about 89%. Still good in our eyes. (This assumes their system has been upgraded.)

A few months later we get another login request, but this time, after all is said and done, we have only a 10% match. Now we request second-factor authentication for this login. During this step, we generate a new true DNA strand and add it to their key ring. (This assumes a new computer.)

Later we get another login. It matches DNA1, but we also get a message stating that their account has been hijacked! We can now review the case and see that there has been a new DNA, a new login, etc. This helps build evidence that this HAS been the case. We remove DNA2 from their account and add it to our blacklisted DNA set, then force them to change their information and reset their second factor.

Now, this has helped the customer, but it has also given us valuable information. We now have a DNA for a different PC and can search our database to try to find matches, allowing us to look for and fight attacks.

Now for another use case: let's say a new account is created, a true sample is taken, and a back-end server finds a 99% match to a blacklisted DNA. We can then flag this account for a case review.
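The whole flow above (the test case and the Chromosome 1 example: enrol a true strand, challenge with a salt-seeded subset, score against the true DNA and then against its mutations, fall back to a second factor, add a new strand to the key ring, and screen new strands against a blacklist) as one added example. This is not the author's code; it is a toy written for this page. Assumptions: each inventory entry is hashed with SHA1 on its own, the salt is the RNG seed for picking the subset and is prepended before rehashing, the acceptance tolerance is 80%, mutations are learned from a fresh unsalted strand the client submits after a login is accepted (a salted hash cannot be turned back into a storable entry), blacklist matching is set overlap, and all inventories are constructed.

```python
"""Toy 'device DNA' login check. Added example, not the author's code."""
import hashlib
import random

ACCEPT = 0.80           # assumed tolerance: at or above this, no second factor
BLACKLIST_MATCH = 0.99  # the page's 99% blacklist threshold


def item_hash(entry: str) -> str:
    """Per-entry SHA1: one element of a chromosome."""
    return hashlib.sha1(entry.encode("utf-8")).hexdigest().upper()


def true_strand(inventory):
    """'True' DNA for a chromosome: the set of unsalted entry hashes."""
    return {item_hash(e) for e in inventory}


def salted(salt: str, h: str) -> str:
    """Rehash a stored entry hash under a per-login salt (assumed scheme)."""
    return hashlib.sha1((salt + h).encode("utf-8")).hexdigest().upper()


# ---- client side: answers 'REQ: CHR1{percent} SALT: ...' ------------------
def respond(inventory, salt: str, percent: int):
    hashes = sorted(true_strand(inventory))
    k = max(1, len(hashes) * percent // 100)
    picked = random.Random(salt).sample(hashes, k)  # salt seeds the RNG
    return [salted(salt, h) for h in picked]


# ---- server side ----------------------------------------------------------
def similarity(response, strand, salt):
    """Fraction of returned salted hashes the server can reproduce."""
    expected = {salted(salt, h) for h in strand}
    return sum(1 for r in response if r in expected) / len(response)


class Account:
    def __init__(self, strand):
        self.strands = [set(strand)]  # key ring of true DNA strands
        self.mutations = set()        # drift learned from later logins

    def check_login(self, response, salt):
        """Return (best score, second_factor_required)."""
        best = max(similarity(response, s, salt) for s in self.strands)
        if best < ACCEPT and self.mutations:   # retry including mutations
            best = max(best, max(similarity(response, s | self.mutations, salt)
                                 for s in self.strands))
        return best, best < ACCEPT

    def learn(self, fresh_strand, new_device=False):
        """After an accepted login (or a passed second factor) the client
        submits a fresh unsalted strand; new hashes become mutations, or a
        whole new strand joins the key ring (assumed design)."""
        if new_device:
            self.strands.append(set(fresh_strand))
        else:
            known = set().union(*self.strands)
            self.mutations |= fresh_strand - known


def blacklist_hit(strand, blacklist):
    """Overlap (|A&B| / |A|B|) against each blacklisted strand."""
    return any(len(strand & b) / len(strand | b) >= BLACKLIST_MATCH
               for b in blacklist)


# ---- constructed inventories replaying the page's narrative ---------------
ENROLLED = ["7-Zip 16.04 (x64)", "ABBYY FineReader 9.0 Sprint 9.00.15.58233",
            "Acceptor Tools 7.1.0.0", "Acronis True Image 20.0.5554",
            "Browser 61.0", "Editor 3.2", "Mail Client 2.1",
            "Media Player 5.0", "PDF Viewer 11.3", "VPN Client 4.4"]
UPGRADED = ENROLLED[:8] + ["PDF Viewer 12.0", "VPN Client 4.5"]        # 2 changed
UPGRADED2 = UPGRADED[:6] + ["Mail Client 2.2", "Media Player 6.0"] + UPGRADED[8:]
NEW_PC = ["Other Tool %d 1.0" % i for i in range(10)]                  # nothing shared


def walkthrough():
    """Three logins: upgrade, further upgrade, new computer."""
    acct = Account(true_strand(ENROLLED))
    results = []
    for inv, salt in [(UPGRADED, "SOMENEWSALT23213"),
                      (UPGRADED2, "ANOTHER NEW SALT 413241"),
                      (NEW_PC, "THIRD SALT 99")]:
        score, needs_2fa = acct.check_login(respond(inv, salt, 100), salt)
        results.append((round(score, 2), needs_2fa))
        acct.learn(true_strand(inv), new_device=needs_2fa)  # 2FA assumed passed
    return results, acct


if __name__ == "__main__":
    res, acct = walkthrough()
    print(res)  # [(0.8, False), (0.8, False), (0.0, True)]
    print("blacklisted:", blacklist_hit(true_strand(NEW_PC), [true_strand(NEW_PC)]))
```

The second login scores 0.6 against the enrolled strand alone and 0.8 once the mutations recorded after the first login are included, which is the page's "60% rises to about 89%" step at smaller scale. Note what the check actually proves: every value the server compares is recomputable from the plain inventory list, so a passing response shows that the responder holds that list, not that the request came from that hardware; treat the score as a risk signal that decides whether to ask for a second factor, as the page does, rather than as an authenticator on its own.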

You can see where I’m going with this.
