Obtain MAC address or other device footprint
-
I'm implementing a simple class to store and retrieve values from a file using encryption. The key being used is supposed to be device-specific, so if somebody is able to steal the encrypted file he or she will still not be able to use it on his or her own device.
To make the key device-specific, I want to XOR some static key with the device's MAC address(es). I'm using the following technique to obtain the MAC addresses:
@
// Requires: #include <QNetworkInterface> and #include <QDebug>
QString strMAC;
QList<QNetworkInterface> list = QNetworkInterface::allInterfaces();
int nCount = list.length();
qDebug() << "SecureStore:" << QStringLiteral ("Found ") + QString::number (nCount) + " interfaces.";
// Log each interface's name together with its hardware (MAC) address
for (int i = 0; i < nCount; i++)
{
    QNetworkInterface interface = list.value (i);
    strMAC = interface.hardwareAddress();
    qDebug() << "SecureStore:" << QStringLiteral (" - ") + interface.humanReadableName() + "(" + strMAC + ")";
}
@
On an Android tablet (Samsung tab3) I get the following lines logged when there is an active WiFi connection:
@
SecureStore: "Found 2 interfaces."
SecureStore: " - lo(00:00:00:00:00:00)"
SecureStore: " - wlan0(SO:ME:AD:DR:ES:SS)" // some address
@
However, if WiFi is down or not connected, I get the following:
@
SecureStore: "Found 1 interfaces."
SecureStore: " - lo(00:00:00:00:00:00)"
@
That's bad, because in this case my SecureStore will not be able to decrypt the file properly.
So does anybody know a way to obtain all MAC addresses regardless of the interfaces' states? Or alternatively, does anybody know another way, using Qt, to find some device-specific numbers that might be used to derive a key?
-
Hi,
Maybe "QtSystems":https://qt.gitorious.org/qt/qtsystems/ might be of interest
-
There's a fundamental flaw in this key generation scheme, in that the "secret" is attached to outgoing messages and incoming messages at the local network level, in plain text.
It's also a rather short key at 48 bits, with added predictability when an attacker knows what device the target is using.
If the goal is anything more than dissuading a minimally interested attacker, please reconsider.
-
@jeremy: Thanks for the reply. The key is actually 128bit, but I want to XOR the first 6 bytes to the MAC address, leaving 80bit unaffected. I might also use some other technique than XOR, e.g. Blowfish's F function or something.
@SGaist: Thanks for the link. However, since my target is mobile platforms, the amount of code to link against the product should be as small as possible. I hope to find a way in plain Qt.
-
QtSystems is a Qt module like e.g. QtAndroidExtras
-
Sure. However, I found another solution, which may be better in terms of security. When the app is first launched, I generate a UUID and store it in the app's settings file. The UUID stays the same and will be renewed only when the user reinstalls the app. So, I no longer need the MAC addresses.
Since the settings file may be accessible on a rooted device, I don't use the UUID directly as the key to my SecureStore. Instead, I obtain the key by passing the UUID to a modified version of the bcrypt password hashing algorithm.
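
The scheme described in the last post, as an added example that is not the poster's code: a random per-install UUID is created on first launch, persisted, and stretched into a 128-bit key, so the key no longer depends on which network interfaces are up. It is written in Python rather than Qt so it runs stand-alone; PBKDF2-HMAC-SHA256 stands in for the poster's modified bcrypt, and the JSON settings file, the salt, the function names and the iteration count are assumptions.

```python
import hashlib
import json
import os
import uuid

KDF_ITERATIONS = 200_000  # assumed work factor; tune for the target devices
KEY_LEN = 16              # 128-bit key, the size mentioned in the thread


def load_or_create_install_id(settings_path):
    """Return (install UUID, salt), creating and persisting both on first launch."""
    try:
        with open(settings_path, encoding="utf-8") as fh:
            data = json.load(fh)
        return uuid.UUID(data["install_id"]), bytes.fromhex(data["salt"])
    except (FileNotFoundError, KeyError, TypeError, AttributeError, ValueError):
        # First launch or unreadable settings: a new ID is generated, which
        # (like a reinstall) makes any previously encrypted store unreadable.
        pass
    install_id, salt = uuid.uuid4(), os.urandom(16)
    tmp_path = settings_path + ".tmp"
    # Owner-only permissions, and write-then-rename so a crash cannot leave
    # a half-written settings file behind.
    fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({"install_id": str(install_id), "salt": salt.hex()}, fh)
    os.replace(tmp_path, settings_path)
    return install_id, salt


def derive_store_key(install_id, salt):
    """Stretch the install UUID into the store key instead of using it directly."""
    return hashlib.pbkdf2_hmac(
        "sha256", install_id.bytes, salt, KDF_ITERATIONS, KEY_LEN)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "settings.json")  # constructed sample path
        first = derive_store_key(*load_or_create_install_id(path))
        again = derive_store_key(*load_or_create_install_id(path))
        print("same key on every launch, WiFi up or down:", first == again)
```

Anyone who can read the settings file and knows the KDF parameters can recompute the same key, so on a rooted device the KDF adds cost but not secrecy.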