Obtain MAC address or other device footprint



  • I'm implementing a simple class to store and retrieve values from a file using encryption. The key being used is supposed to be device-specific, so if somebody is able to steal the encrypted file he or she will still not be able to use it on his or her own device.

    To make the key device-specific, I want to XOR some static key with the device's MAC address(es). I'm using the following technique to obtain the MAC addresses:

    @
    #include <QDebug>
    #include <QNetworkInterface>

    // Log the hardware (MAC) address of every interface Qt reports.
    QString strMAC;
    QList<QNetworkInterface> list = QNetworkInterface::allInterfaces();
    int nCount = list.length();

    qDebug() << "SecureStore:" << QStringLiteral ("Found ") + QString::number (nCount) + " interfaces.";

    for (int i = 0; i < nCount; i++)
    {
        QNetworkInterface interface = list.value (i);
        strMAC = interface.hardwareAddress();
        qDebug() << "SecureStore:" << QStringLiteral (" - ") + interface.humanReadableName() + "(" + strMAC + ")";
    }
    @

    On an Android tablet (Samsung Tab3), I get the following lines logged when there is an active WiFi connection:

    @
    SecureStore: "Found 2 interfaces."
    SecureStore: " - lo(00:00:00:00:00:00)"
    SecureStore: " - wlan0(SO:ME:AD:DR:ES:SS)" // some address
    @

    However, if WiFi is down or not connected, I get the following:

    @
    SecureStore: "Found 1 interfaces."
    SecureStore: " - lo(00:00:00:00:00:00)"
    @

    That's bad, because in this case my SecureStore will not be able to decrypt the file properly.

    So, does anybody know a way to obtain all MAC addresses regardless of the interfaces' states? Or alternatively, does anybody know another way, using Qt, to find some device-specific numbers from which a key might be derived?


  • Lifetime Qt Champion

    Hi,

    Maybe QtSystems (https://qt.gitorious.org/qt/qtsystems/) might be of interest.



  • There's a fundamental flaw in this key generation scheme, in that the "secret" is attached to outgoing messages and incoming messages at the local network level, in plain text.

    It's also a rather short key at 48 bits, with added predictability when an attacker knows what device the target is using.

    If the goal is anything more than dissuading a minimally interested attacker, please reconsider.



    @jeremy: Thanks for the reply. The key is actually 128 bits, but I want to XOR the first 6 bytes with the MAC address, leaving 80 bits unaffected. I might also use some other technique than XOR, e.g. Blowfish's F function or something.

    @SGaist: Thanks for the link. However, since my target is mobile platforms, the amount of code to link against the product should be as small as possible. I hope to find a way in plain Qt.
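
The scheme described in the posts above (a 128-bit static key whose first 6 bytes are XORed with the reported MAC addresses), written out as an added example that is not code from anyone in the thread. It assumes plain C++ without Qt; the static key, the wlan0 address and the names `parseMac`, `deriveKey` and `deviceDependentBytes` are constructed for illustration. It shows that when only `lo` is reported the derived key equals the static key, and that bytes 6..15 never depend on the device.

```cpp
#include <array>
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

using Key = std::array<std::uint8_t, 16>;  // 128-bit static key
using Mac = std::array<std::uint8_t, 6>;   // 48-bit hardware address

// Parse the "AA:BB:CC:DD:EE:FF" form; `out` is only written when the text is valid.
bool parseMac(const std::string& text, Mac& out) {
    if (text.size() != 17) return false;
    for (std::size_t i = 0; i < text.size(); ++i) {
        const unsigned char c = static_cast<unsigned char>(text[i]);
        if ((i % 3 == 2) ? c != ':' : !std::isxdigit(c)) return false;
    }
    for (std::size_t i = 0; i < out.size(); ++i)
        out[i] = static_cast<std::uint8_t>(std::stoul(text.substr(3 * i, 2), nullptr, 16));
    return true;
}

// XOR every reported MAC into key bytes 0..5; bytes 6..15 are never touched.
Key deriveKey(const Key& staticKey, const std::vector<std::string>& reportedMacs) {
    Key key = staticKey;
    Mac mac{};
    for (const std::string& text : reportedMacs)
        if (parseMac(text, mac))
            for (std::size_t i = 0; i < mac.size(); ++i) key[i] ^= mac[i];
    return key;
}

// Count the key bytes that differ from the static key (the device-specific part).
std::size_t deviceDependentBytes(const Key& staticKey, const Key& derived) {
    std::size_t n = 0;
    for (std::size_t i = 0; i < derived.size(); ++i) n += (staticKey[i] != derived[i]) ? 1 : 0;
    return n;
}

const Key kStaticKey = {{0x4b, 0x1d, 0x9e, 0x27, 0xa3, 0x60, 0x58, 0xc4,  // constructed key
                         0x0f, 0x71, 0xe2, 0x36, 0x8a, 0xd5, 0x19, 0xbc}};
const std::vector<std::string> kWifiUp = {"00:00:00:00:00:00", "02:1A:2B:3C:4D:5E"};  // lo, wlan0 (constructed)
const std::vector<std::string> kWifiDown = {"00:00:00:00:00:00"};                      // lo only

int main() {
    std::printf("device-dependent key bytes: WiFi up %zu, WiFi down %zu\n",
                deviceDependentBytes(kStaticKey, deriveKey(kStaticKey, kWifiUp)),
                deviceDependentBytes(kStaticKey, deriveKey(kStaticKey, kWifiDown)));
}
```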


  • Lifetime Qt Champion

    QtSystems is a Qt module like, e.g., QtAndroidExtras.



  • Sure. However, I found another solution, which may be better in terms of security. When the app is first launched, I generate a UUID and store it in the app's settings file. The UUID stays the same and will be renewed only when the user reinstalls the app. So, I no longer need the MAC addresses.

    Since the settings file may be accessible on a rooted device, I don't use the UUID directly as the key to my SecureStore. Instead, I obtain the key by passing the UUID to a modified version of the bcrypt password hashing algorithm.

