Single Packet Authorization

You might want to go read my previous article on Port Knocking before going furter.

Single Packet Authorization is very similar to port knocking. The difference lays in the knock. Instead of a secret knock sequence, you need to tell the door a password as in the famous “Open Sesame!”.

On a more technical level, Single Packet Authorization works as port knocking with two main differences:

  1. Instead of using port numbers, the knock is inclosed into the data of a packet. You must have a way to inspect the content of the traffic with some kind of Deep Packet Inspection technology for SPA to work. Wireshark or TCPdump could fit the bill nicely.
  2. The message included in the packet must be analyzed by a daemon.Port Knocking vs Single Packet Authorization

SPA uses what is called a “Magic Packet” which contains the knock in its data payload. This magic packet can contain any data you want. It may range from a simple password (in clear text or hashed) to an asymmetric encryption system closer in functionality to SSL. What limits you is a tradeoff between usability, security and performance.

Here’s an example of SPA in action with our friends Alice and Bob :

  • Bob setups his firewall with all port closed and configure it to log invalid connection attempt without replying.
  • Bob setups a small daemon that inspect incoming traffic. when it receives an ICMP Ping packet, it analyzes it. If it contains the word “Passw0rd” in it’s payload it opens up the port 80 for the originating IP. (or whatever action you want including executing command contained within the payload)
  • Bob tells Alice in a secure manner how to knock on his firewall.
  • Alice sends the knock : a magic packet containing the word “Passw0rd”. Alice expects the port 80 to be opened and initiates a connection to port 80.

Simple? Yes. But it isn’t really secure. An attacker who can sniff traffic outside your firewall could listen to the knock and simply replay it to your firewall after substituting Alice’s IP with his own.

There are solutions to this problem but every one of them adds complexity and has a negative impact on performances. They are out of the scope of this paper but I’ll list some general strategies for the sake of completeness.

The Magic Packet payload could look something like this :

  • Symmetric key : a pre-shared password is used
    • Hash ( “Passw0rd” + Time stamp + salt )
  • Asymmetric key : a Public Key Infrastructure is used :
    • Alice uses her private key to sign a message and encrypts it with Bob’s public key. The message might contain a time stamp to help thwart replay attacks.

Some questions must be answered before deploying a port knocking or single packet authorization setup:

  • How do you detect when a connection is not needed anymore?
  • How do you cope with packets that arrives out of order?
  • How do you prevent replay attack?
  • How do you manage concurrent users?
  • How do you share the knock securely?

Those questions will all be addressed in following articles.

As simple as it is in theory, in practice there are lots of gotchas that must be deal with.

You can continue your reading on port knocking with my third article : Defining Knocking.

Special thanks to Jerome Gauthier for reviewing this articles.

Leave a Reply

Your email address will not be published. Required fields are marked *