I’ve got a Windows client (desktop) application that when run for the first time will hit a server and request a client ID. A short time later that client will call back up to the server with additional requests. The server can hand out client IDs all day long, but it’s important that the server be able to know that any future requests are coming from a valid client.
This means verifying that it’s the client application making the request, and not someone/something else pretending to be the client application. Ideally it would also involve verifying that the client ID of a client application hasn’t changed.
I thought about including a hash of the salted client ID with future requests, but it doesn’t seem like it would be terribly hard for a determined person to disassemble the client enough to figure out the salt value.
Thanks in advance for any solutions, tips or pointers!
Can’t be done sensibly without a heavy dose of cryptography. As long as the other end has complete control, there is just no way to stop them faking the answers. Something vaguely similar is what Kerberos does; the protocols are quite involved. Ross Anderson’s “Security Engineering” would be my first stop to take a look at how to do it.