Limitations of Port Knocking
Software Project Presentation
Paper Study – Part III
Group Members: Liew Jiun Hau (20086034), Lee Shirly (20095815), Ong Ivy (20095040)
Agenda
Out-of-Order Delivery
Network Address Translation (NAT)
Authentication-Connection Association
Out-of-Order Delivery
Problem
◦ Attackers can perform a DoS on a client: send one packet per second to a random port of the server, spoofing the client IP as the source IP
◦ The knock sequence is broken, so authentication fails
Solution
◦ Divide the bits representing the port number into data bits and sequence-number bits
◦ The server will then be able to reorder packets correctly before decoding the knock sequence
◦ Use the SPA mechanism – only a single packet is sent
About Network Address Translation
A method to solve the IPv4 address space problem
◦ The Internet was growing fast back in the late 1990s
◦ There were not enough (public) IP addresses to be assigned to all hosts
NAT can map a large group of private IP addresses into a single public IP address
◦ Each host will be translated into the same public IP address
◦ This slows down the consumption of public IP addresses
However, NAT causes a hidden issue for port knocking
NAT – Issues
So what if a port knock client is behind NAT? Who is actually authorized at the end of the port knocking process?
◦ One client successfully port-knocks the server
◦ But everyone with the same public IP now has access
◦ This defeats the purpose of port knocking!
NAT – Issues (cont)
In SPA, the IP address information is hashed together with the timestamp, ID and password
◦ How does a client know its public IP address?
◦ Can it learn it in a secure way?
NAT – Possible Solutions
Set up a simple server machine at the boundary of the private network
◦ The client can securely discover its public IP address by querying the boundary server machine
Use an external service
◦ www.whatismyip.com
◦ Used by fwknop (one of the SPA implementations)
NAT – Possible Solutions (cont)
The other alternative would be a three-pass mutual authentication
◦ Originally proposed by Rennie deGraaf, John Aycock and Michael Jacobson Jr
The notations used are as follows:
◦ A = Client
◦ B = Server
◦ N_X = Nonce of X
◦ PID_X = Public IP of X
◦ MAC = Message Authentication Code (e.g. HMAC-SHA-1)
◦ K = Pre-shared key between client and server
The steps are as follows:
◦ 1: A → B: req, N_A, MAC_K(req, N_A)
◦ 2: B → A: PID_A, N_B, MAC_K(N_A, PID_A, PID_B)
◦ 3: A → B: MAC_K(N_B, PID_A, PID_B)
This approach is more secure but makes port knocking less “stealthy”
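The three-pass exchange above, as an added Python example that is not part of the original slides or of deGraaf et al.'s code. It assumes HMAC-SHA-256 for MAC_K, a constructed pre-shared key, and that B reads PID_A from the source address of message 1 (the post-NAT address it observes); each side checks the tag it receives before replying.

```python
import hashlib
import hmac
import os

def mac(key, *fields):
    # MAC_K(f1, f2, ...): HMAC-SHA-256 (assumed; the slides say e.g. HMAC-SHA-1)
    # over length-prefixed fields so adjacent fields cannot be re-split.
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)
    return h.digest()

class Client:  # A; knows the server's public IP PID_B because it knocks on it
    def __init__(self, key, pid_b):
        self.key, self.pid_b, self.pid_a = key, pid_b, None
    def msg1(self):  # 1: A -> B  req, N_A, MAC_K(req, N_A)
        self.n_a = os.urandom(16)
        return b"req", self.n_a, mac(self.key, b"req", self.n_a)
    def msg3(self, pid_a, n_b, tag):  # verify 2, then 3: A -> B  MAC_K(N_B, PID_A, PID_B)
        if not hmac.compare_digest(tag, mac(self.key, self.n_a, pid_a, self.pid_b)):
            raise ValueError("message 2 MAC invalid")
        self.pid_a = pid_a  # public IP learned from a key holder, bound to our fresh nonce
        return mac(self.key, n_b, pid_a, self.pid_b)

class Server:  # B
    def __init__(self, key, pid_b):
        self.key, self.pid_b = key, pid_b
    def msg2(self, src_ip, req, n_a, tag):  # 2: B -> A  PID_A, N_B, MAC_K(N_A, PID_A, PID_B)
        if not hmac.compare_digest(tag, mac(self.key, req, n_a)):
            raise ValueError("message 1 MAC invalid")
        self.n_b, self.pid_a = os.urandom(16), src_ip  # src_ip is the post-NAT address B sees
        return src_ip, self.n_b, mac(self.key, n_a, src_ip, self.pid_b)
    def accept(self, tag):  # verify 3 before opening the port for pid_a
        return hmac.compare_digest(tag, mac(self.key, self.n_b, self.pid_a, self.pid_b))

def run_handshake(key, nat_public_ip, pid_b, tamper=None):
    """Drive all three passes; `tamper` optionally rewrites message 2 in flight.
    Returns (server accepted?, public IP the client learned). Constructed harness."""
    a, b = Client(key, pid_b), Server(key, pid_b)
    req, n_a, t1 = a.msg1()
    pid_a, n_b, t2 = b.msg2(nat_public_ip, req, n_a, t1)
    if tamper:
        pid_a, n_b, t2 = tamper(pid_a, n_b, t2)
    try:
        t3 = a.msg3(pid_a, n_b, t2)
    except ValueError:
        return False, None
    return b.accept(t3), a.pid_a
```

Note that the tag in message 2, as written on the slide, covers N_A, PID_A and PID_B but not N_B, so a swapped N_B is only detected by B when it checks message 3.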
NAT – Possible Solutions
We can also add some configuration to further mitigate risk
◦ Set a short timeout
◦ Close the port after the timeout
◦ Close the port immediately after a connection is made
This leaves only a small window during which the client can connect
This also avoids a problem where adversaries could eavesdrop
◦ They can wait for the port to be opened and try to make a connection after the authentic client did
◦ There might still exist a race condition
◦ Adversaries can send the request faster than the client
So how can we solve this issue?
Authentication-Connection Association
A successfully opened port can still be hijacked by an attacker
◦ The attacker will be able to impersonate the client
◦ This is the unsolved issue from the previous slide
To counter this, we can wrap post-authentication connections within an encrypted session
◦ Use a pre-shared key known only to the client and server
◦ The attacker has no way of crafting valid packets without the key
◦ Invalid packets will be dropped on the server side
This, however, increases the load on the server
Authentication-Connection Association (cont)
The other possible solution would be to generate TCP Sequence Numbers (SN) in a randomized and authentication-dependent manner
◦ The server can verify the TCP sequence number based on the previous authentication
◦ But this requires the client to have heightened privileges to manipulate the TCP/IP packet fields
◦ Powerful adversaries who can perform MITM are not affected
Next Presentation
Continue to study and analyze other known problems and their possible solutions/improvements in detail
Present and discuss in the next session
Questions?
References
Jeanquier S. (2006). An Analysis of Port Knocking and Single Packet Authorization. M.Sc. Thesis, Royal Holloway, University of London, Sept 2006.
deGraaf R., Aycock J., and Jacobson M. ‘Improved Port Knocking with Strong Authentication’. ACSAC 2005, pp. 409–418.
Rash M. ‘Single Packet Authorization with Fwknop’. The USENIX Magazine, Feb 2006, Vol. 31, No. 1, pp. 63–69.
Stallings W. Cryptography and Network Security: Principles and Practices (3rd Edition). Pearson Education, 2003.
Kurose J. F., Ross K. W. Computer Networking: A Top-Down Approach Featuring the Internet (3rd Edition). Addison Wesley, May 23, 2004.
Thank you