Title: Extension of a port knocking client-server architecture with NTP synchronization
Authors: Popeea, Traian Andrei; University POLITEHNICA of Bucharest
Date: 2011-11-23
Publisher: Computer Science Master Research
Source:
Type:
Subject: Network Security
Description: Port knocking is a firewall-based user authentication system that uses closed ports for authentication. Communication across closed ports is possible through the firewall log, which records all connection attempts. The communication initiator is considered the client, while the host using this security mechanism is considered the server. Information is encoded, and possibly encrypted, by the client into a sequence of port numbers; this sequence is termed the knock. The client attempts to initiate several three-way handshakes and receives no reply. These connection attempts are monitored by a daemon which interprets their destination port numbers as data. When the server decodes a valid knock, it triggers a server-side process. This mechanism has vulnerabilities that can be exploited by attackers with the help of data sniffed off the network. Using synchronization and cryptography to generate unique knock sequences with a limited life span, based on the client's IP address and the current date and time, these vulnerabilities can be minimized.

A knock sequence is less vulnerable to replay and brute-force attacks if its lifespan is shorter. The lifespan can be determined from the latency induced by the computation of the knock sequence by the client and the server, the number of knock packets contained in a sequence and the network latency. All the entities involved in the knock sequence need to be aware at all times of the knock sequence that can currently be used. For this, clients and server must share the same time. To synchronize server and client, we use the Network Time Protocol (NTP) together with the operating system's current time. Both the server and the client possess the means of determining the sequence, which consists of a one-way function based on a pre-shared key, the time value, the client IP address and the destination port.

One-way functions are functions that are easy to compute but hard to invert. In our application, we use hash functions to generate knock sequences based on a pre-shared key (PSK). A PSK contains a time granularity expressed in seconds and the actual key (a string of randomly generated characters). Our one-way functions take the client's IP address, the time and the key as parameters, and are able to ignore any of them. These parameters are concatenated and a hash is computed. The resulting hash represents the knock sequence (the first 16 bits represent the first port, the next 16 bits represent the second one, etc.).

At server initialization, a key is generated and shared with the clients. The server also obtains NTP time, which will be used for synchronization. When the client wants to initiate a sequence, it first obtains NTP time. After synchronizing the system clock through NTP, the client computes the knock sequence based on the PSK, its source IP address and the time. Then the client sends the TCP SYN packets forming the sequence. When the server detects a knock sequence, it computes the expected sequences for all ports, based on the time and the source IP address, compares the incoming knock sequence to the ones it computed and, if there is a match, opens the specific port in the firewall. The article presents the means to achieve client-server synchronization and describes an application that implements this.
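The knock derivation and the server-side check described above, as an added example that is not the paper's code. The paper only says that the PSK, time, client IP and port are concatenated and hashed; the choice of HMAC-SHA256, four ports per knock, folding each 16-bit chunk into the 1024..65535 range, a +/-1 slot tolerance for clock skew and the per-slot replay cache are all assumptions made here. The PSK, addresses and timestamps are constructed test values.

```python
"""Time-bound port knocking: the client derives a knock from a PSK, its IP and
the NTP-synchronised time; the server recomputes candidates and compares.
Added example. HMAC-SHA256, 4-port knocks, the 1024..65535 fold and the slack
window are assumptions, not taken from the paper."""
import hashlib
import hmac
import ipaddress
import struct

KNOCK_PORTS = 4  # ports per knock sequence (assumption)


def time_slot(now: int, granularity: int) -> int:
    """Quantise a Unix timestamp to the PSK's time granularity (seconds)."""
    return now // granularity


def knock_sequence(key: bytes, granularity: int, client_ip: str,
                   target_port: int, now: int) -> list:
    """One-way function: HMAC(key, slot || target_port || client_ip), split
    into 16-bit chunks; each chunk becomes one destination port of the knock."""
    ip_bytes = ipaddress.ip_address(client_ip).packed
    msg = struct.pack(">QH", time_slot(now, granularity), target_port) + ip_bytes
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    ports = []
    for i in range(KNOCK_PORTS):
        chunk = int.from_bytes(digest[2 * i:2 * i + 2], "big")
        # Fold into the unprivileged range so a knock never targets port 0 or
        # a low port the firewall may already treat specially (assumption).
        ports.append(1024 + chunk % (65536 - 1024))
    return ports


class KnockServer:
    """Server side: recompute the knock for every protected port and every
    time slot within +/- slack slots of the server clock, then compare."""

    def __init__(self, key: bytes, granularity: int, protected_ports, slack: int = 1):
        self.key = key
        self.granularity = granularity
        self.protected_ports = list(protected_ports)
        self.slack = slack
        # Added hardening beyond the paper: remember (ip, slot, port) knocks
        # already accepted, so a sniffed knock cannot be replayed inside its
        # own lifespan (a short lifespan alone does not stop that).
        self.accepted = set()

    def validate(self, client_ip: str, observed: list, now: int):
        """Return the port to open, or None if no candidate matches."""
        base_slot = time_slot(now, self.granularity)
        for port in self.protected_ports:
            for slot in range(base_slot - self.slack, base_slot + self.slack + 1):
                expected = knock_sequence(self.key, self.granularity, client_ip,
                                          port, slot * self.granularity)
                if expected == observed:
                    token = (client_ip, slot, port)
                    if token in self.accepted:
                        return None  # replay within the live window
                    self.accepted.add(token)
                    return port
        return None


def demo() -> dict:
    """Client knocks for port 22; server checks fresh, replayed, spoofed-IP
    and expired variants of the same knock. All values are constructed."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed PSK
    granularity = 30                                          # seconds per slot
    server = KnockServer(key, granularity, protected_ports=[22, 443])
    t0 = 1_700_000_000
    knock = knock_sequence(key, granularity, "203.0.113.7", 22, t0)
    return {
        "fresh": server.validate("203.0.113.7", knock, t0 + 2),
        "replay_same_slot": server.validate("203.0.113.7", knock, t0 + 5),
        "other_ip": server.validate("198.51.100.9", knock, t0 + 2),
        "expired": server.validate("203.0.113.7", knock, t0 + 5 * granularity),
    }


if __name__ == "__main__":
    print(demo())
```

The slack of one slot is what absorbs residual NTP skew and network latency; widening it lengthens the effective lifespan of every knock, which is exactly the trade-off the abstract discusses. The `accepted` set must be pruned of slots older than the slack window in a long-running daemon, and a real server would consume the knock from firewall log lines or a packet capture rather than from a list passed in directly.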
Language: English

Similar articles:

First steps toward a fault-tolerance Multi-agent Systems by Amza, Cristina; Universitatea Politehnica Bucuresti
An Electronic Voting System Based On The Blind Signature Protocol by Ion, Marius; University "Politehnica" of Bucharest, Posea, Ionut; University "Politehnica" of Bucharest
Embedding Parallelization in Compilers by Matei, Liviu Sebastian; University "POLITEHNICA" of Bucharest, Faculty of Automatic Control and Computer Science, Frateanu, Liviu; University "POLITEHNICA" of Bucharest, Faculty of Automatic Control and Computer Science
Generation and Evaluation of Scheduling DAGs: How to provide similar evaluation conditions by Olteanu, Alexandra; University "Politehnica" of Bucharest, Marin, Andreea; University "Politehnica" of Bucharest
Improving a system to centralize the results returned by web crawlers for scientific documents by Simion, Liviu Mihai; Politehnica University of Bucharest, Lepar, Ana Maria; Politehnica University of Bucharest
JSDL Extension for Tasks Workflow Representation of Execution in Distributed Systems by Visan, Andreea; University POLITEHNICA of Bucharest, Istin, Mihai; University POLITEHNICA of Bucharest
DLLFS - A Caching Mechanism for a Distributed File System by Matei, Liviu Sebastian; University "POLITEHNICA" of Bucharest, Faculty of Automatic Control and Computer Science, Frateanu, Liviu; University "POLITEHNICA" of Bucharest, Faculty of Automatic Control and Computer Science
Scheduling Courses of the Academic Curriculum by Constantinescu, Irina; University POLITEHNICA of Bucharest, Manea, Flavius
On Scheduling in Service Oriented Architectures by Ion, Marius; University "Politehnica" of Bucharest