Implemented Techniques
Port Knocking is a security technique that has attracted the attention of many researchers and developers. For that reason, a number of different protocols and techniques have been studied and implemented. However, none of them has yet emerged as the "de facto" standard.
The most common protocols are:
- ICMP Knocking
- Single Packet Authorization
- Dynamic Sequence Knocking
- Single Challenge/Response
- Dynamically-negotiated Knocking Sequence
- etc.
Currently Aldaba implements two different protocols (IP-ID and SPA). However, this number will increase in future releases. The idea is to allow end-users to compare many different port knocking protocols and use the one that is most suitable for their systems.
The first implemented protocol is a modified version of the Spread Spectrum TCP technique proposed by Barham et al. (2002). The second one is based on the protocol designed by Rash (2004) in his own implementation, fwknop. Although both techniques are based on previous work by other authors, specific protocols have been designed specifically for Aldaba.
It was decided to implement IP-ID because it represents the pure essence of port knocking. On one hand it issues several knocks (packets targeted to specific ports on a remote host) and on the other hand it follows the principle of stealthiness as it embeds a covert channel into TCP packets, making them look like normal TCP connection attempts following the TCP three-way handshake.
It was decided to implement SPA because, although it does not actually use a sequence of packets to form a knock, it provides an effective and reliable way of transmitting information to the server by using a single packet to authorize a client. In general terms, SPA can perform the same tasks as Port Knocking but avoids some common problems associated with it. Additionally, clients using this technique may not require administrator privileges to issue authentication packets.
In the following sections IP-Id and SPA protocols are described in detail.
1. The IP-ID Protocol
The following information needs to be transferred from the client to the server:
- An IP address for which ports will be opened or closed.
- A port number to be opened or closed.
- An open/close flag that specifies the action to take.
- A checksum that validates the previous data.
All the information is sent by the client through a covert channel, created using the Identification field of the IPv4 header, as detailed by Rowland (1996) and Murdoch (2005).
The IP Identification field is 16 bits long so 2 bytes of information can be transferred in every packet. This knocking technique uses 4 TCP/SYN packets, targeted to the specific ports that form the knocking sequence, to transfer 8 bytes of information. The structure of the information is very similar to the one proposed by Krzywinski (2003). The information is encoded as follows:
[IP Address][Port No][Checksum][Open/Close Flag]
[ 4 bytes ][2 bytes][ 15bits ][ 1 bit ]
The checksum is calculated using the standard checksum function used to compute TCP/IP header checksums. At the time of computing the checksum, the checksum field is set to zero with the exception of the least significant bit, which is used as an open/close flag.
The checksum is 16 bits long but as one bit is needed to store the open/close flag, the bits that form the checksum are shifted one position to the left. This reduces the accuracy of the checksum by one bit but makes it possible to include the open/close flag in the least significant bit.
The following example illustrates this process:
Calculated CRC: 0000 0101 0100 1111 (05 4F)
Shift one pos. to the left: 0000 1010 1001 1110 (0A 9E)
Add flag 0x01 (Open): 0000 1010 1001 1111 (0A 9F)
Add flag 0x00 (Close): 0000 1010 1001 1110 (0A 9E)
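The encoding described above, as an added example that is not part of Aldaba's own code: it builds the 8-byte structure, computes the RFC 1071 Internet checksum (assumed here to be the "standard TCP/IP header checksum" the text refers to) with the checksum field holding only the flag, shifts it left to make room for the open/close bit, and splits the result into the four 16-bit IP Identification values. The server-side check recomputes the field and rejects any packet set whose checksum no longer matches.

```python
import ipaddress
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (assumed checksum function)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pack_checksum_field(csum: int, flag: int) -> int:
    """Shift the checksum one bit left (dropping its MSB) and store the flag in the LSB."""
    return ((csum << 1) & 0xFFFF) | (flag & 1)


def encode_knock(ip: str, port: int, open_port: bool) -> list:
    """Return the 4 IP-ID values carrying [IP][port][checksum<<1 | flag]."""
    flag = 1 if open_port else 0
    # While the checksum is computed, the checksum field is zero except for the flag bit.
    payload = ipaddress.IPv4Address(ip).packed + struct.pack("!HH", port, flag)
    field = pack_checksum_field(inet_checksum(payload), flag)
    payload = payload[:6] + struct.pack("!H", field)
    return list(struct.unpack("!4H", payload))  # one value per TCP SYN packet


def decode_knock(ids: list) -> tuple:
    """Server side: reassemble the 8 bytes, verify the checksum, return (ip, port, open)."""
    payload = struct.pack("!4H", *ids)
    ip = str(ipaddress.IPv4Address(payload[:4]))
    port, field = struct.unpack("!HH", payload[4:])
    flag = field & 1
    expected = pack_checksum_field(inet_checksum(payload[:6] + struct.pack("!H", flag)), flag)
    if field != expected:
        raise ValueError("IP-ID checksum mismatch: knock rejected")
    return ip, port, bool(flag)


if __name__ == "__main__":
    # Constructed sample: open port 22 for 192.168.1.10
    ids = encode_knock("192.168.1.10", 22, True)
    print([hex(i) for i in ids])
    print(decode_knock(ids))
```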
The following diagram illustrates the IP-Id protocol designed for Aldaba.

2. The SPA Protocol
Since aldaba-client version 0.1.4 and aldaba-server version 0.1.2, a new SPA protocol is used. This protocol uses 384-byte UDP packets to transfer authentication information to a server. The following diagram presents the SPA Protocol version 2 header:

Currently, some features such as One-Time Passwords or Challenges are not supported. Future releases will support them.
This technique does not require the use of a covert channel as it is based on the Single Packet Authorization scheme proposed by Rash (2004) and Jeanquier (2006).
The following diagram illustrates the flow of SPA protocol v2 designed for Aldaba.

References:
- Barham, P., Hand, S., Isaacs, R., Jardetzky, P., Mortier, R. and Roscoe, T. (2002) Techniques for Lightweight Concealment and Authentication in IP Networks. Intel Research Berkeley (IRB-TR-02-009).
- Jeanquier, S. (2006) An Analysis of Port Knocking and Single Packet Authorization. Information Security Group, Royal Holloway College, University of London.
- Kruptos (2005) Potential Covert Channel Manipulation Detector (based on the IPv4 ID) [online]. Covert Channels and Steganography in Computer Networks research at the Distributed Systems and Networks Research Group, University of St Andrews.
- Krzywinski, M. (2003) Port Knocking: Network Authentication Across Closed Ports. SysAdmin Magazine, (12), pp. 12-17.
- Murdoch, S. J. and Lewis, S. (2005) Embedding Covert Channels into TCP/IP. Computer Laboratory, University of Cambridge.
- Rash, M. (2004) Combining Port Knocking and Passive OS Fingerprinting with fwknop. The USENIX Magazine, (29), pp. 19-25.
- Rowland, C. H. (1996) Covert Channels in the TCP/IP Protocol Suite. First Monday Magazine.