1

Is there a unique hardware token or a UUID on every computer motherboard/BIOS that can be used to create "strongly coupled" software?

I am working on writing proprietary software for a client and I can't afford anyone to create copies of the same, since unauthorized duplication and installation can cause the entire setup to malfunction, which would lead to loss of life and property. The setup works on multiple hardware devices on a LAN, each one having its own security key, and creates a setup similar to a "blockchain".

I wanted to know if there's a special hardware device/IC on motherboards (like BIOS), which is unique for all computers manufactured in the world?

I read through a few articles and I figured out the following alternatives:

  1. BIOS has a unique serial number - Issue: Not all BIOS manufacturers ensure writing a serial number to their chips. My current computer is one such example. The motherboard manufacturer is MSI and the BIOS is produced by AMI. When queried, I get "Default string" as the result.
  2. USB token devices - Issue: USB devices are detachable, and they may be migrated to a new system without much effort along with the software.
  3. MAC address - Issue: It can be changed very easily. I don't want the client to have trouble by just changing the network card.
  4. MFA (Multi-factor authentication) - Issue: The LAN would have no connectivity to WWW, so it may not be possible to implement this at all.

Is there an alternative to this? I want to have a strongly coupled system so that it becomes very tough (if not impossible) to create copies. Any maintenance needed can only be carried out by trained and authorized personnel.

Cyberpks
  • Are you only looking for solutions that give you a guarantee, a certainty, of the device's identity, or would it be ok if they only gave you a strong indication? In other words, do you need to hang all your security on this, or is it just one factor among others you will be using? – pgr May 30 '21 at 10:11
  • No, and if it's that important supply the computer with the application. – Greg Askew May 30 '21 at 12:03

2 Answers

1

The problem in your approach is that you are outsourcing part of your licensing to third parties, that is, equipment manufacturers.

Even if you found some kind of universal authentication token, there can still be thousands of hardware products with a buggy implementation of the feature. Once something is broken, you cannot do anything to fix it.

It is also impossible for you to test licensing when you outsource part of it to third parties.

You should own the licensing infrastructure completely. One way to do this is to implement a licensing backend in the cloud. All software instances would receive unique licensing credentials, which are checked by the backend.

If the backend detects two users of the same license, then it will disable both licenses.

This approach does require connection to the license backend.

Overall, designing a well-functioning licensing system is a very complex topic. Therefore I suggest you get some professional help on the subject.

Tero Kilkanen
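One way a backend could detect two installs sharing a license, as an added example that is not part of the answer above or of any real licensing product: each check-in consumes a one-time token and receives the next one, so a copied install sooner or later presents a stale token. The rotating-token scheme and the names `LicenseBackend`, `issue`, `check_in` and `sign` are assumptions; the answer does not say how detection is done.

```python
import hashlib
import hmac
import secrets


class LicenseBackend:
    """Constructed sketch: spots a cloned install via one-time rotating tokens."""

    def __init__(self):
        self._licenses = {}  # license_id -> secret, current token hash, state

    def issue(self, license_id):
        """Create a license; return (secret, first token) for exactly one install."""
        secret = secrets.token_bytes(32)
        token = secrets.token_hex(16)
        self._licenses[license_id] = {
            "secret": secret, "token_hash": _h(token), "disabled": False}
        return secret, token

    def check_in(self, license_id, token, mac):
        """Return the next token, or None if the check-in is refused."""
        lic = self._licenses.get(license_id)
        if lic is None or lic["disabled"]:
            return None
        expected = sign(lic["secret"], license_id, token)
        if not hmac.compare_digest(expected, mac):
            return None  # wrong credentials: refuse, but do not disable
        if not hmac.compare_digest(lic["token_hash"], _h(token)):
            # Valid credentials with a token that was already used: two
            # installs share this license, so disable it for both of them.
            lic["disabled"] = True
            return None
        next_token = secrets.token_hex(16)
        lic["token_hash"] = _h(next_token)
        return next_token


def _h(token):
    """Only a hash of the current token is stored on the backend."""
    return hashlib.sha256(token.encode()).hexdigest()


def sign(secret, license_id, token):
    """Client side: authenticate the check-in with the per-license secret."""
    msg = f"{license_id}:{token}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()
```

A response lost in transit leaves the genuine install holding a stale token, so a deployed design needs a recovery path before it disables anything.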
0

With further study, I figured out that these days there is a device called a Trusted Platform Module, abbreviated as TPM, which may or may not be added to your motherboard by default. It is used to store such information, like hardware secrets, encryption details, certificates, etc. The only limitation here would be that I'll have to supply hardware and not allow the client to change it during the lifetime of the product.

Cyberpks