MAC-Based Authentication for Web Sites

Introduction

It has become common practice for companies to provide a secure login for their web sites, and they adopt different methodologies. Some of those methods are either so expensive that small or mid-size companies cannot afford them, or they are not 100% foolproof. When I faced such a situation and was asked to find a solution for secure login to my company’s official site that should not rely upon the user to keep their credentials confidential and safe, I came up with the following solutions.

Simple User ID and Password

This method, I believe, is the least secure method because users are human beings and they may disclose their IDs and passwords unintentionally.

ActiveX Control

An ActiveX control can be developed that, once installed on the client machine, will check whether the machine is allowed to access and log into the company website. However, in a LAN environment users sometimes have minimal rights and, with such low privileges, are not allowed to install any program or software on their machine without the permission of administrators. Also, the control cannot be distributed until it is signed by a certificate signing authority.

Client Certificate Authentication

A Microsoft Certificate Server can be installed on a Windows Server machine and user certificates can be issued to site users. Furthermore, the web site can be configured to require both username and password and a user certificate.

Two-Factor Authentication

Two-factor authentication requires that two methods be used when accessing content on the secure web site. For example, one factor can be the username and password, and the second factor can be biometric input, such as a fingerprint. Two-factor authentication methods typically depend on "what I know" and "what I have". Most two-factor authentication schemes require very expensive third-party devices that provide the "what I have" component.

MAC-Based Authentication

You can develop a simple Windows application that enables the user to provide his user ID and password. The application will get the system MAC address and send it along with the ID/password to the web server. Upon receiving the ID, password, and MAC, the web server will grant access to the user only if his/her machine is registered.

After careful analysis, I decided to work on the last option—MAC-based authentication—although client certificate authentication was also feasible and suitable. However, granting access to web site users through a Windows application was a unique and interesting idea to me.

Understanding the Code

To better understand the code, kindly go through the paths of program execution that I have outlined below. The demo application (a Windows application written in VB 6.0) is also attached. It deals with two main topics of the programming world:

  1. Registry reading/writing
  2. MAC address retrieval

Paths of Program Execution

  1. The application will retrieve the system’s MAC address and display it to the user when it is run for the first time. Also, it will create a new key in the system Registry. The MAC address, along with the user ID and password, must be sent to the web site administrator to register the machine.

  2. For the Registry creation, I used the following API.


    ' Create (or open) the key under HKEY_CURRENT_USER
    hTopKey = HKEY_CURRENT_USER
    sRegPath = "Key1\Key2\Key3"

    sa.nLength = Len(sa)
    sa.bInheritHandle = CLng(True)

    lResult = RegCreateKeyEx(hTopKey, sRegPath, 0, _
        vbNullString, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, _
        sa, hKey, lDisposition)
    If lResult = ERROR_SUCCESS Then
        ' lDisposition tells whether the key was created or already existed
        If lDisposition = REG_CREATED_NEW_KEY Then
            CreateRegistry = True
        ElseIf lDisposition = REG_OPENED_EXISTING_KEY Then
            CreateRegistry = False
        End If
    Else
        CreateRegistry = False
    End If

    Details of the parameters and return values of the RegCreateKeyEx function can be found in MSDN. The Registry key must be created under HKEY_CURRENT_USER if the application’s user has limited rights on the machine. I created a key in the system Registry in the following manner to hide it from prying eyes.

    --> HKEY_CURRENT_USER  -->Key1 -->Key2 -->Key3

    The program first checks the Registry entry you just created when it is run for the first time on the machine. If the key is found, the login screen is shown.

  3. After the user enters his login and password on the login screen and presses OK, the program silently gets the system MAC address using the GetAdaptersInfo and CopyMemory APIs. GetAdaptersInfo helps in reliably getting all MAC addresses for the system, but only for active and enabled interfaces. CopyMemory copies a block of memory from one memory location to another. Details can be found in MSDN.

    ' First call obtains the required buffer size in bufLen
    sts = GetAdaptersInfo(AdapInfo, bufLen)
    If (bufLen = 0) Then Exit Function
    numStructs = bufLen / Len(AdapInfo)

    ' Second call fills the byte buffer with the adapter list
    ReDim IPinfoBuf(0 To bufLen - 1) As Byte
    sts = GetAdaptersInfo(IPinfoBuf(0), bufLen)
    If (sts <> 0) Then Exit Function

    ' Walk the linked list of adapter structures
    srcPtr = VarPtr(IPinfoBuf(0))
    For i = 0 To numStructs - 1
        If (srcPtr = 0) Then Exit For
        CopyMemory AdapInfo, ByVal srcPtr, Len(AdapInfo)

        With AdapInfo
            ' Keep only Ethernet adapters; MACs are joined with spaces
            If (.AdapterType = MIB_IF_TYPE_ETHERNET) Then
                retStr = retStr & MAC2String(.MACaddress) & " "
            End If
        End With

        srcPtr = AdapInfo.Next
    Next i

  4. After getting all required information from the user and his/her system, a web browser session is initiated using the Internet Explorer component.

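    Dim ie As New SHDocVw.InternetExplorer
    ' Header lines end with CR+LF (Chr(13) & Chr(10))
    Header = "Content-Type: application/x-www-form-urlencoded" & _
       vbCrLf

    ' The user ID, password and MAC travel in the POST body,
    ' so use an https:// address for a real site
    URI = "http://www.yourwebsite.com/Login.asp"
    macId = Replace(Trim(GetMACs_AdaptInfo()), "-", "", 1, -1, _
                    vbTextCompare)    'case-insensitive
    ' Note: the values are not URL-encoded; characters such as & or =
    ' in userName or password will corrupt the form data
    PostData = "uid=" & userName & "&pwd=" & password & "&mid=" & _
       macId
    'Encoding: Convert string data into byte array
    Post = StrConv(PostData, vbFromUnicode)
    ie.Visible = True
    ie.Navigate2 URI, , , Post, Header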
    

The IE component is available under Project -> References -> Microsoft Internet Controls. To successfully run the attached demo application, you must set the URI variable to the address of your active web site and a page that will accept the user ID, password, and MAC information from the Request.Form collection. On the web end, you can have your web site in PHP, ASP, ASP.NET or any other language. This Windows application requires just an active URL to which it can pass the credentials. Everything else will be taken care of by the login web page itself.
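One way the login page could handle the uid, pwd and mid fields posted by the client and apply the registration check described under MAC-Based Authentication, written in Python as an added example that is not part of the original article or its demo. The user table, the PBKDF2 password hashing and the sample MAC values are assumptions constructed for illustration; since mid is a value reported by the client, the server can only compare it against the MACs registered for that user.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs

MAC_RE = re.compile(r"[0-9A-F]{12}")

def hash_password(password, salt):
    # PBKDF2 stands in for whatever password hashing the site already uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed registration record (hypothetical user, password and MAC).
SALT = b"constructed-salt"
USERS = {
    "alice": {
        "salt": SALT,
        "pwd_hash": hash_password("correct horse", SALT),
        "macs": {"001122334455"},
    }
}

def parse_mid(mid):
    """Split the space-separated mid field into normalised 12-hex-digit MACs."""
    macs = set()
    for token in mid.split():
        token = token.replace("-", "").replace(":", "").upper()
        if not MAC_RE.fullmatch(token):
            raise ValueError("malformed MAC in mid field")
        macs.add(token)
    return macs

def check_login(body, users=USERS):
    """Return True only if uid/pwd verify AND one submitted MAC is registered."""
    form = parse_qs(body, keep_blank_values=True)
    try:
        # Each field must appear exactly once; duplicates fail the unpacking.
        (uid,), (pwd,), (mid,) = form["uid"], form["pwd"], form["mid"]
        macs = parse_mid(mid)
    except (KeyError, ValueError):
        return False
    user = users.get(uid)
    if user is None:
        return False
    pwd_ok = hmac.compare_digest(hash_password(pwd, user["salt"]),
                                 user["pwd_hash"])
    mac_ok = bool(macs & user["macs"])  # client sends all Ethernet MACs
    return pwd_ok and mac_ok
```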

I have tested this application on machines having the Windows Vista, XP, 2000, and 98 operating systems. If anyone finds any problem with the application, please let me know.

The one thing that I don't like about this application is that it gets all MAC addresses of the system. I could not successfully find the MAC address of the Ethernet interface only. If anyone successfully gets it, please share it with me also.

References

To make the code work, I got a little help from Manni HV’s article, Reliably Retrieve MAC Address(es) with VB.
