
Port Knocking Authorization Using a One Time Pad

IP.com Disclosure Number: IPCOM000024651D
Original Publication Date: 2004-Apr-02
Included in the Prior Art Database: 2004-Apr-02
Document File: 5 page(s) / 213K

Publishing Venue

IBM

Abstract

Port knocking today is very susceptible to packet sniffing, so replicating a sniffed knock from an unauthorized client is trivial. The idea here is to include additional data in the port knock so that a sniffed knock becomes useless and a replayed port knock cannot start a daemon. Only an authorized client can enable the daemon with a proper port knock.

This is the abbreviated version, containing approximately 47% of the total text.

Page 1 of 5

Port Knocking Authorization Using a One Time Pad

Background Information:

The idea behind port knocking is to turn off all services and daemons and enable them only when they are required. To enable a daemon, a successful port knock must be sent; this port knock is similar to the secret knocks used to enter secret halls. But instead of a particular beat from a knock, the port numbers of packets trying to connect to a server are used to represent a pattern. With port knocking, the firewall on the machine that is to start the daemon logs each access to every closed port. If the proper ports are probed in the correct order, the appropriate daemon is started. Each access to a port represents a characteristic of the daemon: which daemon to start, when to start it, and how long to keep it up. Disabling all listening daemons reduces the chance of a system compromise: code that is not executing cannot be used to compromise the machine. But the machine is still useful, because daemons can be started with the proper port knock.

Definitions:

Port knocking: Port knocking is a method used to start a daemon that is not currently running on a remote machine. Even though the machine does not have that particular daemon active, the firewall logs every access to any port, including attempts to reach the specific daemon. Each access to a non-listening port is used to determine which daemon to start, for how long, and any authorization information.

For instance, suppose a client tries to connect on port 21, then on port 60, then on port 1. We can set up a rule that dictates the activation of a daemon as follows: start the daemon listening on port 21, keep that daemon alive for 60 seconds, and start the daemon 1 second after the last port-knock packet is received. Now any access to these particular ports in this particular order will start the specified daemon.

To allow port-knocking packets through firewalls that drop packets based on port number, one should define a base port number and a specified range. The firewall should then allow packets from the base port number up through the specified range transparently through the firewall. All port-knock packets add this base to the value of the knock, and the receiver's end subtracts the base port number again. The following examples keep things simple and are not concerned with a base port number.

One-Time Pad: This is a random list of numbers that is synchronized on the server and the client and is used for authentication. To use the lists, the verification position on the server must be the same as the one on the client. Each number at that position is then verified to be the same on the server and the client. If they are the same, the client is properly authorized, and the position in the list is incremented. The more digits that are verified, the stronger the assumption that the client and the server have the same list and that the client is authorized to start the service. Only the encoder and...
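The knock decoding and one-time-pad check described above, as an added example that is not part of the original disclosure: a server-side verifier and the matching client, with an assumed base port of 40000, an assumed three pad values per knock, and a constructed sample pad. The point shown is that the same captured knock, replayed, is rejected because the pad position has already advanced.

```python
# Added example, not the disclosure's own code: port-knock verifier with a
# one-time pad appended to the knock, so a sniffed knock cannot be replayed.
from dataclasses import dataclass

BASE_PORT = 40000   # assumed base port so knocks pass a port-filtering firewall
PAD_DIGITS = 3      # assumed number of pad values sent with every knock


@dataclass
class KnockServer:
    pad: list           # shared one-time pad (constructed sample in demo())
    position: int = 0   # next unused pad index; advances only on a full match

    def verify(self, knocked_ports):
        """Decode knocked ports into (daemon_port, keepalive_s, delay_s).
        Returns None when the sequence is malformed or the pad values do not
        match the server's current position, so no daemon is started."""
        values = [p - BASE_PORT for p in knocked_ports]
        if len(values) != 3 + PAD_DIGITS or min(values) < 0:
            return None
        daemon_port, keepalive_s, delay_s = values[:3]
        presented = values[3:]
        expected = self.pad[self.position:self.position + PAD_DIGITS]
        if len(expected) < PAD_DIGITS or presented != expected:
            return None         # forged or replayed knock: position not consumed
        self.position += PAD_DIGITS   # consume the pad values that were just used
        return daemon_port, keepalive_s, delay_s


@dataclass
class KnockClient:
    pad: list
    position: int = 0

    def knock(self, daemon_port, keepalive_s, delay_s):
        """Build the port sequence to probe: the three daemon characteristics,
        then the next unused pad values, all offset by BASE_PORT."""
        otp = self.pad[self.position:self.position + PAD_DIGITS]
        self.position += PAD_DIGITS
        return [BASE_PORT + v for v in (daemon_port, keepalive_s, delay_s, *otp)]


def demo():
    pad = [17, 4, 9, 22, 11, 3]   # constructed sample pad, shared out of band
    server, client = KnockServer(list(pad)), KnockClient(list(pad))
    knock = client.knock(21, 60, 1)          # the page's 21 / 60 / 1 example
    first = server.verify(knock)             # (21, 60, 1): daemon would start
    replay = server.verify(knock)            # None: same knock sniffed and replayed
    return first, replay
```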