Single Packet Authorization

Single Packet Authorization fills the gaps in port knocking.

Countless pieces of software, protocols and complex interdependencies together form a system for which it is difficult to guarantee any particular property—particularly security. Even software specifically designed to enhance security can, at the behest of clever individuals armed with detailed knowledge, work to its detriment. Vulnerabilities have been discovered in all sorts of security software from firewalls to implementations of the Secure Shell (SSH) Protocol. For example, OpenSSH is developed by some of the most security-conscious developers in the world, and yet it occasionally contains a remotely exploitable vulnerability. This is an important fact to note because it seems to indicate that security is hard to achieve and, therefore, bolsters the case for a defense-in-depth approach. This article explores the concept of Single Packet Authorization (SPA) as a next-generation passive authentication technology beyond port knocking.

When an attacker is on the prowl in an attempt to exploit a vulnerability in server software (as opposed to client software), the first step is reconnaissance; the attacker needs to locate a target. This process has been brilliantly automated by Nmap, so it is easy to construct a list of target systems that may be ripe for compromise. If the attacker has found a zero-day vulnerability in server software that you happen to be running, you don't want to appear in this list of targets! Both port knocking and Single Packet Authorization use a packet filter configured in a default-drop stance and simultaneously provide service only to those IP addresses that can prove their identity via a passive mechanism. No TCP/IP stack access is required to authenticate remote IP addresses via this passive means. Nmap cannot even tell that a server is running when protected in this way, and it does not matter even if the attacker has a zero-day exploit.

This article is the first of a two-part series on Single Packet Authorization, and it lays the theoretical foundation for Single Packet Authorization and why it is a next-generation passive authorization technology beyond port knocking. The next article will provide a hands-on look at using fwknop to provide Single Packet Authorization protection for your SSH dæmon.

Introduction to Port Knocking

Port knocking is a first-generation technology that uses the port fields within TCP and UDP packet headers to communicate information. Normally, these protocols are used to encapsulate application layer data, but port knocking encodes information in sequences of packets to various ports by using the port numbers themselves as fields to transmit data. These packets are typically either monitored out of a firewall log or via a packet capture mechanism, such as libpcap. Typically, there is a port knocking client and a port knocking server. The terms client and server, in this case (and throughout the remainder of this article unless otherwise noted), refer to the software components that send and monitor packets, respectively. The client is responsible for generating the port sequences, and the server is responsible for passively collecting the sequences and reconfiguring the packet filter to allow connections to protected services upon receipt of a valid sequence.

The typical port knocking scenario is for a port knocking server to configure a packet filter to block all access to a service, such as SSH, until a specific port knock sequence is sent by a port knocking client. For example, the server could require the client to send TCP SYN packets to the following ports in order:

  • 23400

  • 1001

  • 2003

  • 65501

If the server monitors this knock sequence, the packet filter reconfigures to allow an SSH connection from the IP address that sent it. By making use of a connection tracking mechanism provided by the packet filter (such as the conntrack system in Netfilter), an SSH session can remain established after the initial rule created by the knock server is removed after a timeout. Port knock sequences can be encrypted, and there are many implementations listed at www.portknocking.org. For a graphical representation of port knocking in action, see Figure 1.

Figure 1. Port Knocking in Action

Port Knocking Limitations

Port knocking offers some real benefits for limiting access to services, but where do the limitations lurk? First, it is clear that encrypting knock sequences is important, and this in turn implies that several bytes of information must be transmitted. For symmetric crypto systems, the encrypted data will be at least as large as the block size (128 bits for the Rijndael symmetric block cipher chosen for the Advanced Encryption Standard). For asymmetric crypto systems, the encrypted data will be substantially larger.

For instance, the raw ElGamal algorithm used by GnuPG doubles the plain-text size when encrypting data. Even though GnuPG also utilizes compression (which can sometimes reduce the size of the cipher text to below the original size of the plain text), the typically large key size of GnuPG keys implies that the cipher text for even the smallest messages will be in the hundreds of bytes.

This has important implications for port knocking. Each packet within a port knock sequence can send only two bytes of information due to the 16-bit-wide port fields in the TCP and UDP headers. (This assumes that other fields within packet headers are not also used to transmit data. However, even if other fields are used, this still cannot result in nearly as much data transmission as using packet payloads.) Hence, for a block cipher, an encrypted sequence must contain at least B/(2*8) packets, where B is the block size in bits. This by itself would not be so bad when considering the general speed and reliability of today's networks, but the real issue is out-of-order delivery.

Decrypting garbled data results in garbled data, and because there is no notion of a “connection” (in the TCP sense) between the port knock client and server, the server has no ability to re-order out-of-order packets.

Packets may take different routing paths, some of which may be slow. Hence, the client must resort to an artificial mechanism to try to reduce the potential for out-of-order delivery: time. By introducing a time delay between each packet in a knock sequence, say on the order of a half second, packet order usually can be maintained by the time the packets reach the server. Now, for a block size of 128 bits, the corresponding port knock sequence is 128/(2*8) = 8 packets. By factoring in the half-second delay, it takes four seconds just to transmit the sequence. For a much larger message, such as those that would be generated by an asymmetric cipher, this data transmission rate is simply not practical.

Having a limited ability to transmit data introduces another limitation in port knocking schemes. It is difficult to guard against a replay attack effectively. Anyone who can monitor a knock sequence as it is sent from the client to the server is free to replay the sequence against the server in an effort to gain the same access. This is an especially important issue if the sequence is sent through a NAT device, and the source IP that is allowed through the packet filter at the server side is the external NAT address. For example, if the port knock client is on an RFC 1918 subnet, say 10.10.1.0/24, and the port knock server is on a remote network that is accessible only over the open Internet, the server must allow access to the NAT IP address. Anyone on the same subnet who can replay the sequence will be granted the same level of access. Also, anyone on the same subnet has the same level of access once a rule is instantiated to accept connections from the NAT address as long as the rule exists (no sequence replay is required in this case, and this remains true for SPA as well).

There have been variations made on traditional port knocking to try to provide a solution for the replay problem, such as making time a significant factor, using S/Key-style hash function iteration and even simply changing the encryption key after each use. However, each of these methods requires some state to be maintained by both the port knock client and server and does not scale very well when multiple users become involved.

An additional port knocking limitation is that it is extremely easy for a malicious third party to bust a knock sequence just by spoofing an additional packet into the port sequence as it is sent over the wire by the client. The attacker would simply set the source address on the packet to be the same as that of the real client and choose the same port number as the last packet sent by the client. This extra packet would break the knock sequence, so the server would not allow the legitimate client any additional access. Although the chances that people would actually do this are relatively small (they still need to be able to monitor packets emanating from the client), the main issue is that such an attack is so trivially easy to perform. A single packet is all that is required, and the attacker doesn't even need to be inline to the original packet data path.

Finally, knock sequences are easily detectable as port scans by any intrusion detection system (IDS) that is able to monitor traffic between the client and server. This is particularly true for encrypted knock sequences, which tend to be longer than simple shared sequences. To an IDS, port knocking looks just like a series of probes to various ports from a single IP address within a relatively short period of time, and this fits the definition of a port scan quite nicely.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

fwknop and SELINUX on FC6

Andy B's picture

I can't seem to implement the fwknop daemon on FC6 with SELINUX running. Has anyone come up with a policy that allows iptables to write to the /var/log/fwknop directory? Disabling SELINUX is not an option here, but might be for others.

Michael Rash

mrash's picture

Although I haven't run fwknop on an SELINUX system, I would think that if you have apache or mysql installed and running, then you could use the same SELINUX policy settings that are applied to those daemons. They also write to directories like /var/log/apache2 and /var/log/mysql. In fwknop, the fwknopd and knoptm daemons need to write to files in /var/log/fwknop, and all three of fwknopd, knopwatchd, and knoptm daemons need to write to files in /var/run/fwknop/.

original?

marc's picture

Think this USENIX article should be listed in the references!


Single Packet Authorization with Fwknop
by Michael Rash

ok ok...

marc's picture

my mistake... its the same guy

Moron

Open Mouth Insert Foot's picture

Drool on your keyboard much?

16 bytes of random data?

Anonymous's picture

>Every SPA packet is prepended with 16 bytes of random data before being
>encrypted, and then upon a successful decrypt by the fwknop server, the
>MD5 sum of the entire packet is cached.

Assuming the attacker can encrypt packets, does this provide any additional security? Couldn't an attacker just replace the first 16 bytes with their own arbitrary data?

Caching the MD5

Anonymous's picture

Perhaps I'm missing something, but how long must you keep previous MD5 hashs lying about to compare every new packet received? It would seem that if someone replayed after the MD5 cache was purged/recycled you could replay the message. True?

Re: Caching the MD5

anonymous's picture

By default fwknopd also requires that SPA packets are not older than two minutes (see the MAX_SPA_PACKET_AGE variable in the /etc/fwknop/fwknop.conf file), so even if the MD5 sum cache is removed, this is of little use to an attacker. Note that the SPA age is determined from a time stamp that is included within the encrypted SPA message, so even if an attacker intercepts an SPA packet the original time stamp cannot be changed.

The packet is encrypted and

sb's picture

The packet is encrypted and the attacker doesn't have your private key. If he tries to change a single bit, the entire packet will be rejected as garbage.

Of course, if whitelisting

Anonymous's picture

Of course, if whitelisting is used then potentially some of this is effectively a moot point, is it not?

Well, the description of SPA

Anonymous's picture

Well, the description of SPA says that two methods can be used for encryption: Rijndael symmetric block cipher or the asymmetric ElGamal algorithm.

If you're using symmetric crypto, obviously you have to provide the key to every client that will need access. (Possibly a bad idea if there are multiple clients.) If you're using asymmetric crypto, the attacker doesn't need your private key to encrypt messages - just your public key. In this case it is feasible that an attacker could encrypt their own packets.

The random data just prevents replay attacks (using captured packets that were previously encrypted).

Re: Well, the description of SPA

mrash's picture

Hello - If asymmetric crypto is used, then the fwknop SPA server requires that that SPA packet is cryptographically signed by an approved client private key. So, it is true that an arbitrary client can encrypt an SPA packet with the server public key (which is published to the world), but the SPA server will reject it because it is not also signed. Part II of this article will illustrate this, but in the meantime here is a howto for using GnuPG for SPA encryption. Note the GPG_REMOTE_ID variable in the SPA server config specifies the client key ID's that must sign an asymmetrically encrypted SPA packet.

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix