%0 Journal Article %T Extension of a port knocking client-server architecture with NTP synchronization %A Traian Andrei Popeea %J Computer Science Master Research %D 2011 %I %X Port knocking is a firewall-based user authentication system that uses closed ports for authentication. Communication across closed ports is possible through the firewall log, which records all connection attempts. The communication initiator is considered the client, while the host using this security mechanism is considered the server. Information is encoded, and possibly encrypted, by the client into a sequence of port numbers. This sequence is termed the knock. The client attempts to initiate several three-way handshakes and receives no reply. These connection attempts are monitored by a daemon which interprets their destination port numbers as data. When the server decodes a valid knock it triggers a server-side process. This mechanism has vulnerabilities that an attacker can exploit with the help of data sniffed off the network. Using synchronization and cryptography to generate unique knock sequences with a limited life span, based on the client's IP address and the current date and time, these vulnerabilities can be minimized. A knock sequence is less vulnerable to replay and brute-force attacks if its lifespan is shorter. The lifespan can be determined from the latency induced by the computation of the knock sequence by the client and server, the number of knock packets contained in a sequence and the network latency. Every party involved must know at all times which knock sequence is currently valid. For this, clients and server must share the same time. To synchronize server and client, we use the Network Time Protocol (NTP) and interaction with the operating system's current time. 
Both the server and the client possess the means of determining the sequence, which is produced by a one-way function of a pre-shared key, a time value, the client IP address and the destination port. One-way functions are functions that are easy to compute but hard to invert. In our application, we use hash functions to generate knock sequences based on a pre-shared key (PSK). A PSK consists of a time granularity expressed in seconds and the actual key (a string of randomly generated characters). Our one-way functions take the client's IP address, the time and the key as parameters; any of these may be omitted. The parameters are concatenated and a hash is computed. The resulting hash represents the knock sequence (the first 16 bits represent the first port, the next 16 bits represent the second one, and so on). At server initialization, a key is generated, which is shared with the clients. Also, the server obtains NTP %K Network Security %U http://csmr.cs.pub.ro/index.php/csmr/article/view/40
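The derivation described in the abstract (concatenate client IP, time and key, hash, split the digest into 16-bit ports) and the server-side check against the firewall log, as an added worked example. This is illustrative code written for this record, not the paper's implementation. Assumptions not stated in the abstract: SHA-256 as the hash, the time value taken as the epoch time floored to the PSK granularity and encoded as an 8-byte big-endian counter, a knock of 4 ports, a server tolerance of one previous time window to absorb network and computation latency, and iptables-style log lines (the sample lines, the PSK and the client addresses are constructed for the example).

```python
import hashlib
import ipaddress
import re
import struct
from typing import List

# Constructed PSK for the example: granularity in seconds plus the random key.
PSK_GRANULARITY = 30
PSK_KEY = b"example-random-key-not-a-real-secret"

N_PORTS = 4  # assumed knock length (the abstract does not fix it)


def time_window(t: float, granularity: int) -> int:
    """Floor epoch time to the PSK granularity so that an NTP-synchronized
    client and server derive the same value anywhere inside one window."""
    return int(t) // granularity


def knock_for_window(key: bytes, client_ip: str, window: int,
                     n_ports: int = N_PORTS) -> List[int]:
    """Concatenate client IP || time window || key, hash it (SHA-256 is an
    assumed choice), and read the digest as consecutive 16-bit ports."""
    ip_bytes = ipaddress.ip_address(client_ip).packed   # canonical 4/16 bytes
    material = ip_bytes + struct.pack(">Q", window) + key
    digest = hashlib.sha256(material).digest()
    assert 2 * n_ports <= len(digest), "knock longer than the digest"
    # Note: the raw 16-bit words may yield port 0 or a privileged port; a
    # deployment would remap or skip those, which the abstract does not cover.
    return [struct.unpack(">H", digest[i:i + 2])[0]
            for i in range(0, 2 * n_ports, 2)]


def knock_sequence(key: bytes, granularity: int, client_ip: str,
                   t: float, n_ports: int = N_PORTS) -> List[int]:
    """Client side: the knock valid for time t under this PSK."""
    return knock_for_window(key, client_ip, time_window(t, granularity), n_ports)


# Server side: the daemon reads destination ports per source IP from the log.
LOG_RE = re.compile(r"SRC=(?P<src>\S+).*?DPT=(?P<dpt>\d+)")


def firewall_log_lines(client_ip: str, ports: List[int]) -> List[str]:
    """Constructed iptables-style LOG entries simulating what the firewall
    records for the client's refused SYNs (not a real capture)."""
    return [f"Jan  1 00:00:00 srv kernel: KNOCK IN=eth0 OUT= SRC={client_ip} "
            f"DST=198.51.100.10 PROTO=TCP SPT=40000 DPT={p} SYN" for p in ports]


def ports_from_log(lines: List[str], client_ip: str) -> List[int]:
    """Extract, in order, the destination ports one source IP knocked on."""
    out = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("src") == client_ip:
            out.append(int(m.group("dpt")))
    return out


def server_accepts(key: bytes, granularity: int, client_ip: str,
                   observed_ports: List[int], now: float,
                   n_ports: int = N_PORTS, skew_windows: int = 1) -> bool:
    """Accept if some contiguous run of observed ports equals the knock for
    the current window or one of skew_windows earlier windows. Older
    windows are rejected, which is what limits replay of a sniffed knock."""
    current = time_window(now, granularity)
    valid = [knock_for_window(key, client_ip, current - back, n_ports)
             for back in range(skew_windows + 1)]
    for i in range(len(observed_ports) - n_ports + 1):
        if observed_ports[i:i + n_ports] in valid:
            return True
    return False


def demo() -> dict:
    """Fresh knock accepted; same knock replayed three windows later, or
    from a different source IP, rejected."""
    client, other, t0 = "203.0.113.5", "203.0.113.77", 1_700_000_000
    knock = knock_sequence(PSK_KEY, PSK_GRANULARITY, client, t0)
    log = firewall_log_lines(client, knock)
    observed = ports_from_log(log, client)
    return {
        "fresh": server_accepts(PSK_KEY, PSK_GRANULARITY, client, observed, t0 + 2),
        "replayed": server_accepts(PSK_KEY, PSK_GRANULARITY, client, observed,
                                   t0 + 3 * PSK_GRANULARITY),
        "wrong_ip": server_accepts(PSK_KEY, PSK_GRANULARITY, other,
                                   ports_from_log(firewall_log_lines(other, knock),
                                                  other), t0 + 2),
    }


if __name__ == "__main__":
    print(demo())
```

The window counter is why NTP matters: if the client's clock drifts past `skew_windows * granularity`, its knock is derived for a window the server no longer accepts, and the only remedy is resynchronization, not a wider acceptance window (which would lengthen the replay lifespan the scheme is trying to shorten).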