
I have a server application which provides functions to a client program. The client is also programmed by me. Now I want to authenticate the client program itself (not any user) before using my service. I want to achieve that my service can only be used by executing my client software. The problem is that both server and client aren't necessarily connected to the internet. Therefore, any authentication via a third entity cannot be used.

In my opinion, some secret has to be compiled into the executable of the client program and something like a challenge-response-procedure has to be performed.

What do you think about this idea, or do you have any other ideas?

I've already thought about a client certificate, but the certificate itself has to be compiled into the executable, too.

Thanks in advance.

Iniesta8

1 Answer


You cannot ensure that the program talking to the server is your program. Anything client-side can be compromised, and any communication coming from the client can be altered.

The multiplayer game industry is facing a decades-old battle against the kind of problem you stated, and even with millions in funding, expert programmers and a lot of money at stake, they cannot prevent people from using custom client software to interfere with their systems.

some secret has to be compiled into the executable

And the attacker can extract this secret, reverse-engineer the challenge-response protocol, and write their own client.

thought about a client certificate

It won't work. Attackers can extract the certificate and misuse it, like the secret.

You can obfuscate the code, add certificates, add secret data, checksums, and any other client-side measure; none of them will prevent a dedicated attacker from writing their own client if they have enough incentive.

ThoriumBR
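The challenge-response scheme from the question, written out as an added example (not code from either poster) to show why the answer holds: the server's check only proves possession of the secret bytes, so any program holding those bytes passes it. The secret value and function names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the value the question proposes to compile into the
# client binary. Whatever is compiled in ships to every installation.
EMBEDDED_SECRET = b"constructed-client-secret-0123"


def server_challenge() -> bytes:
    """Server side: a fresh random nonce for each authentication attempt."""
    return secrets.token_bytes(16)


def client_response(nonce: bytes) -> bytes:
    """Shipped client: prove possession of the secret with an HMAC over the nonce."""
    return hmac.new(EMBEDDED_SECRET, nonce, hashlib.sha256).digest()


def server_verify(nonce: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response and compare in constant time.
    Nothing here can tell which executable produced the bytes."""
    expected = hmac.new(EMBEDDED_SECRET, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def third_party_client_response(nonce: bytes, secret: bytes) -> bytes:
    """A client the service owner never compiled. It passes the same check as soon
    as it is handed the secret bytes (the answer's point: the secret is not bound
    to the executable, only to whoever holds a copy of it)."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo() -> dict:
    """Run one round with the shipped client, a third-party client holding the
    secret, and a third-party client guessing a wrong secret."""
    nonce = server_challenge()
    return {
        "shipped_client": server_verify(nonce, client_response(nonce)),
        "third_party_with_secret": server_verify(
            nonce, third_party_client_response(nonce, EMBEDDED_SECRET)),
        "third_party_wrong_secret": server_verify(
            nonce, third_party_client_response(nonce, b"wrong-guess")),
    }


if __name__ == "__main__":
    print(demo())
```

The server accepts the first two responses and rejects only the third, which is exactly the property the answer describes: the check distinguishes secret holders, not programs.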