Single Packet Authorization (SPA)
SPA is an encrypted, non-replayable alternative to port knocking in which the packet's source address may deliberately be spoofed.
Many readers will have heard of port knocking. In short, computer (A) sends packets to a predefined sequence of ports on computer (B), and that sequence proves to (B) that (A) is allowed to talk to it (Wikipedia has a good write-up). Single Packet Authorization is the next incarnation of port knocking.

Suppose an attacker scans your computer with Nmap: the scan reveals which ports are open and which services answer on them. Now suppose access is refused until the client proves it is authorized. With a port knocking sequence or an SPA packet required first, Nmap sees no open port at all, because the firewall does not open the port until your computer has received the correct knock or packet.

Why is SPA better than port knocking?
A port knocking sequence looks like a port scan to an IDS, so a harmless activity raises alarms.
Replay attacks are easier to prevent.
Protocols such as ICMP, which have no notion of ports, can carry the authorization.
It is more robust: an attacker can sabotage a port knocking sequence simply by connecting to random ports while the knock is in progress.

The dedicated SPA utility is fwknop, the most advanced (if not the only) SPA program out there. fwknop works by sending a single encrypted packet to the target computer, where libpcap captures it; fwknop then decrypts the data and checks that the packet is valid. If it is, the packet's contents are MD5-hashed and the hash is stored in a control file, and the port named in the packet is opened for the IP address named in the packet. If an attacker replays an identical packet it is denied, because its MD5 sum matches a "used" sum already in the control file.

fwknop supports both GnuPG and Rijndael (symmetric) keys, so users with existing keys can put them to use directly. The packet fwknop sends contains, in order: 16 bytes of random data, a username, a timestamp, the fwknop version, an action, the port that should be opened, the IP address that should be granted access, and an internal MD5 sum. Only the IP address carried inside the packet is granted access, unlike port knocking, where the originating IP address gets access.

What makes this design attractive is that the packet can be spoofed (sent with a forged source address), sent over ICMP, or even not addressed to the receiving computer at all. As long as the receiving computer can sniff the packet somewhere along its path, the system works.
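Both halves of the exchange described above, as an added example in Go; this is not fwknop's own code. It mirrors the packet layout listed on this page (random prefix, username, timestamp, version, action, port, allow-IP, internal digest) and the control-file replay cache, but it encrypts with AES-GCM and digests with SHA-256 instead of fwknop's actual cipher mode and MD5, and the colon field separator, the two-minute timestamp window and the names Seal, Process and SPAServer are this example's assumptions. The key, request and packets in main are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
	"time"
)

var ErrReplay = errors.New("spa: packet already used")
var ErrStale = errors.New("spa: timestamp outside accepted window")
var ErrFormat = errors.New("spa: undecryptable, malformed or tampered packet")
// SPARequest holds the client-chosen fields (none may contain ':'); Seal adds the random prefix, timestamp, version and digest.
type SPARequest struct {
	Username, Action, Proto string
	Port                    int
	AllowIP                 net.IP // address to be granted access: read from the packet, never from the IP header
}
// NewAEAD wraps the shared key in AES-GCM (this example's choice; fwknop's own cipher mode is not reproduced).
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the client side: 16 random bytes, username, timestamp, version, action, proto, port,
// allow-IP and a SHA-256 digest over those fields, all encrypted. Output is nonce || ciphertext.
func Seal(aead cipher.AEAD, req SPARequest, now time.Time) ([]byte, error) {
	buf := make([]byte, 16+aead.NonceSize()) // random message prefix followed by a fresh nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	body := fmt.Sprintf("%x:%s:%d:1:%s:%s:%d:%s", buf[:16],
		req.Username, now.Unix(), req.Action, req.Proto, req.Port, req.AllowIP)
	plain := fmt.Sprintf("%s:%x", body, sha256.Sum256([]byte(body)))
	return append(buf[16:], aead.Seal(nil, buf[16:], []byte(plain), nil)...), nil
}
// SPAServer is the receiving side. seen plays the role of fwknop's control file:
// the digest of every accepted packet, which is what makes a replayed copy fail.
type SPAServer struct {
	AEAD   cipher.AEAD
	MaxAge time.Duration // accepted skew between the client's timestamp and local time
	seen   map[[32]byte]bool
}

// Process validates one sniffed packet. The packet's source address is never consulted;
// access goes to the allow-IP carried inside the packet.
func (s *SPAServer) Process(packet []byte, now time.Time) (SPARequest, error) {
	if s.seen == nil {
		s.seen = map[[32]byte]bool{}
	}
	id := sha256.Sum256(packet)
	if s.seen[id] {
		return SPARequest{}, ErrReplay
	}
	ns := s.AEAD.NonceSize()
	if len(packet) < ns {
		return SPARequest{}, ErrFormat
	}
	plain, err := s.AEAD.Open(nil, packet[:ns], packet[ns:], nil)
	if err != nil {
		return SPARequest{}, ErrFormat
	}
	f := strings.Split(string(plain), ":")
	if len(f) != 9 || f[8] != fmt.Sprintf("%x", sha256.Sum256([]byte(strings.Join(f[:8], ":")))) {
		return SPARequest{}, ErrFormat
	}
	ts, tsErr := strconv.ParseInt(f[2], 10, 64)
	port, portErr := strconv.Atoi(f[6])
	ip := net.ParseIP(f[7])
	if tsErr != nil || portErr != nil || port < 1 || port > 65535 || ip == nil {
		return SPARequest{}, ErrFormat
	}
	if age := now.Sub(time.Unix(ts, 0)); age > s.MaxAge || age < -s.MaxAge {
		return SPARequest{}, ErrStale
	}
	s.seen[id] = true // remembered only once every check has passed
	return SPARequest{Username: f[1], Action: f[4], Proto: f[5], Port: port, AllowIP: ip}, nil
}

func main() {
	aead, _ := NewAEAD(make([]byte, 32)) // all-zero demo key; a real deployment shares a random one
	srv := &SPAServer{AEAD: aead, MaxAge: 2 * time.Minute}
	req := SPARequest{Username: "alice", Action: "access", Proto: "tcp", Port: 22, AllowIP: net.ParseIP("192.0.2.10")}
	pkt, _ := Seal(aead, req, time.Now())
	got, err := srv.Process(pkt, time.Now())
	fmt.Printf("first copy: open %s/%d for %s err=%v\n", got.Proto, got.Port, got.AllowIP, err)
	_, err = srv.Process(pkt, time.Now()) // the identical packet again
	fmt.Println("replayed copy:", err)
}
```

Process decides access from the allow-IP inside the packet and never looks at the source address, which is what lets the packet be spoofed or sent indirectly as the text describes. The replay cache is consulted before decryption and written only after every check has passed, and the timestamp window bounds both how long a captured packet stays usable and how large the cache can grow.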
