Is this C# code enough to uniquely identify a computer?

Question

I am doing license system. and every time I work for each computer. I created a code snippet. Do you think this is really enough for me to get a unique identity? Is it possible to return null?

I visited certain topics but I could not create a clear idea

    private string CID()
      {
        ManagementObjectSearcher search = new ManagementObjectSearcher("SELECT SerialNumber FROM Win32_BaseBoard");
        ManagementObjectCollection searchs = search.Get();
        string serial=""; string cpuid="";
        foreach (ManagementObject id in searchs)
        {
            serial = (string)id["SerialNumber"];
        }

        search = new ManagementObjectSearcher("Select ProcessorId From Win32_processor");
        searchs = search.Get();
        foreach (ManagementObject id in searchs)
        {
            cpuid = (string)id["ProcessorId"];
        }

        return MD5(serial+cpuid);
    }

I've tried a few computers, the result is positive, but I don't think you can try it on hundreds of computers.

Answer 1

I have a lot of application that has serial numbers. The first thing we need to care about it is to prevent to hack our serials numbers. the hackers are just like coders always search for repeated algorithms. in your case you just use the md5 algorithm and CPU ID to find a unique number as a serial number per any systems. But if the hacker knows about your algorithm, so he/she can make a tool to return any CPU Id+ md5.
This is my opinion to help you to clear the way.
First, you need to check the validity on application start. you can check it on Load and every time user Login events. This is a sample

private void checkValidaty()
    {
        if (!setting.checkLicence(settingInfo.validateCode))
        {
            if (MessageBox.Show("Do you want to enter new licence?", MessageBoxButtons.YesNo, MessageBoxIcon.Information, MessageBoxDefaultButton.Button2, MessageBoxOptions.RightAlign) == DialogResult.No)
            {
                Application.Exit();
            }
            else
            {
                frmValidateNewLisence frm = new frmValidateNewLisence();
                frm.ShowDialog();
                this.checkValidaty();
            }
        }
    }

Then you can call checkValidaty() function on mentioned events.

Now I show you a sample to how to create a unique serial number. As you did we have a method to GetProcessorID

private static string GetProcessorID()
    {
        string sProcessorID = "";

        string sQuery = "SELECT ProcessorId FROM Win32_Processor";

        ManagementObjectSearcher oManagementObjectSearcher = new ManagementObjectSearcher(sQuery);

        ManagementObjectCollection oCollection = oManagementObjectSearcher.Get();

        foreach (ManagementObject oManagementObject in oCollection)

        {
            sProcessorID = (string)oManagementObject["ProcessorId"];
        }

        return (sProcessorID);
    }

You can ensure that there is the right id of any CPU.
Now with a password generator app, you can find an impressive static secret password. I just use this site to create strong passwords Secure Password Generator.
On this case, I use this one: y(M6dH%<Wx=)+fr,.
After that, you need to send those password and CPUID to generateCode function.

private static string generateCode(string GetProcessorID)
    {
        using (SHA1Managed sha1 = new SHA1Managed())
        {
            var hash = sha1.ComputeHash(Encoding.UTF8.GetBytes(Id));
            var sb = new StringBuilder(hash.Length * 2);
            foreach (byte b in hash)
            {
                // can be "x2" if you want lowercase
                sb.Append(b.ToString("X2"));
            }
            return sb.ToString() + "y(M6dH%<Wx=)+fr," +  GetProcessorID;
        }
    }

This Method generates a Non-repetitiveand Non-guessable license.
The only weak point is being exposed your static password so you need to lock your source or other ways to secure it.

Answer 2

.NET does use windows API calls behind the scenes, you do not have control to the final enviroment. Those calls could be patched/faked, there is no bulletproof .net solution.

If you want a decent uniqueness, do note I dont say perfect, I would add to the motherboard serial number and the processor id the MAC of the PC. Those three things would make it harder to bypass.

Ultimately those hardware checks can by always bypassed unless hardware tokens/dongles are used, but is up to your cost/benefit.