Hardware authentication?

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Does Windows XP have built in support for something called 'hardware
authentication'? I have been asked to research technology that ensures that
that only specified hardware (I assume based on hardware hashes) interacts
with the back end server.

I have confirmed that our client is not referring to smart card, biometric
or MAC based authentication.

Can anoyone shed some light on this?

Thanks
Jay
 
A couple quick searches on "hardware authentication" turned up references only to hardware tokens and such. Are you sure the person asking you about this might really be concerned about authenticating washers and bolts and screws and nuts? hahaha

Seriously, let's engage in a thought exercise to ruminate how such technology might work. There's got to be an initial bootstrapping of trust, a process by which Thing A and Thing B are introduced and instructed that they should trust each other. I can't envision any way of doing that other than by a human physically accessing both Things and performing an activity: entering a pre-shared key, installing a digital certificate, or some other means of configuring a secret on each Thing that the other Thing can then validate. I've just described a very common scenario, used by many products for performing authentication. Interestingly enough, this is exactly the way IPsec works. So in a manner of speaking, yes, Windows XP can do what you're asking. So long as you keep control over the pre-shared key or the certificate distribution mechanism, then you can achieve a form of "hardware authentication." Unapproved hardware -- that is, hardware without the corporate IPsec policy and corresponding authenticator -- will be ignored by approved hardware. (Note also that we can eliminate the requirement of the physical visit by the human if both Things happen to be Windows computers that are domain-joined: in this case, we can automatically provision the identifier, whether it be a pre-shared key or a digital certificate.)

Let's ignore IPsec for a moment. How else can you accomplish the goal? Each thing will still require a secret that the other Thing can validate. This is the only way to prove an identity claim. How else can you do it? Two steps are necessary:

1. Initial mutual authentication of the Things to each other
2. On-going authentication of all the data the Things exchange with each other

If you omit step 2, then you introduce a vulnerability in which someone can take over the communications channel after the initial authentication succeeds. (See my article about such a problem with 802.1X: http://www.microsoft.com/technet/community/columns/secmgmt/sm0805.mspx.)

So...we're right back to where we started: IPsec. Rather than re-invent the wheel, just take advantage of a technology that's been around for a while and can be configured to do exactly what you want.

Jay, would you provide more details about the requirements for this technology?

_________________________________
Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley


Does Windows XP have built in support for something called 'hardware
authentication'? I have been asked to research technology that ensures that
that only specified hardware (I assume based on hardware hashes) interacts
with the back end server.

I have confirmed that our client is not referring to smart card, biometric
or MAC based authentication.

Can anoyone shed some light on this?

Thanks
Jay
 
Back
Top