advice needed - secure transfer of client details

[Tim James <jimtames () yahoo com>]

Hi all,

This is a brain teaser. I have an application to
review which supplies details from the client's
workstation (derived from files on disk, hostname, IP
address). It currently implements a Java applet whose
job is to obtain these details and send them up to the
server in an ordinary HTTP POST. 

This sends alarm bells ringing for me. I have
developed a simple attack whereby I can replace the
applet at will with my own code, which can send
different details for workstation ID, hostname, IP
address. This falsifies the audit trail from this
point on and the server is none the wiser.

So, the general problem is this :-

How can a client communicate details that are only
known to the client, up to a server, in a way that
cannot be tampered with ? Why should a server trust
the supplied values ? The data for the workstation
next to me is known by everyone - why can't I create
an applet to reproduce those details, and hence
impersonate that workstation ?

I have some ideas but none are totally satisfactory. 

1) Encrypt the data
This shifts the problem to one of key management.
2) Checksum the applet 
3) Keep the details on the server in the first place
and supply some token from the client which cannot be
impersonated

I would *really* appreciate a different perspective on
this problem because I'm kind of stalled.....

Thanks a lot

Tim

Send instant messages to your online friends http://uk.messenger.yahoo.com