Academic Journals Database

Extension of a port knocking client-server architecture with NTP synchronization

Author(s): Traian Andrei Popeea

Journal: Computer Science Master Research
ISSN 2247-5575

Volume: 1
Issue: 2
Start page: 21
Date: 2011

Keywords: Network Security

Port knocking is a firewall-based user authentication system that uses closed ports for authentication. Communication across closed ports is possible through the firewall log, which records all connection attempts. The communication initiator is considered the client, while the host using this security mechanism is considered the server. Information is encoded, and possibly encrypted, by the client into a sequence of port numbers. This sequence is termed the knock. The client attempts to initiate several three-way handshakes and receives no reply. These connection attempts are monitored by a daemon which interprets their destination port numbers as data. When the server decodes a valid knock it triggers a server-side process. This mechanism has vulnerabilities that can be exploited by hackers with the help of data sniffed off the network. These vulnerabilities can be minimized by using synchronization and cryptography to generate unique knock sequences with a limited life span, based on the client's IP address and the current date and time.

A knock sequence is less vulnerable to replay and brute force attacks if its lifespan is shorter. The lifespan can be determined from the latency induced by the computation of the knock sequence by the client and server, the number of knock packets contained in a sequence and the network latency.

All the entities involved in the knock sequence need to be aware at all times of the knock sequence that can be used. For this, clients and server must share the same time. To synchronize server and client, we use the Network Time Protocol (NTP) and interaction with the operating system's current time. Both the server and the client possess the means of determining the sequence, which consists of a one-way function based on a pre-shared key, time value, client IP address and destination port.
One-way functions are functions that are easy to compute but hard to invert. In our application, we use hash functions to generate knock sequences based on a pre-shared key (PSK). A PSK contains a time granularity expressed in seconds and the actual key (a string of randomly generated characters). Our one-way functions take the client's IP, the time and the key as parameters, and can be configured to ignore any of them. These parameters are concatenated and a hash is computed. The resulting hash represents the knock sequence (the first 16 bits represent the first port, the next 16 bits represent the second one, etc.).

At server initialization, a key is generated and shared with the clients. The server also obtains NTP time, which will be used for synchronization. When the client wants to initiate a sequence, it first obtains NTP time. After synchronizing the system clock through NTP, the client computes the knock sequence based on the PSK, its source IP address and the time. Then the client sends TCP SYN packets forming the sequence.

When the server detects a knock sequence, it computes the expected sequences for all ports, based on the time and the source IP address, and compares the incoming knock sequence to the ones it computed; if there is a match, the specific port is opened in the firewall. The article presents the means to achieve client-server synchronization and describes an application that implements this.
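The derivation the abstract describes (PSK plus time slot plus client IP plus destination port, 16 bits of digest per knock port) and the server-side match with a bounded lifespan, as an added example that is not the paper's own code. It assumes HMAC-SHA256 keyed with the PSK in place of a plain hash over the concatenation, a 4-packet knock, ports 22 and 443 as the protected services, and a one-slot tolerance window on the server; all of these are choices made here, not taken from the paper.

```python
import hashlib
import hmac
import ipaddress
import struct

KNOCK_LEN = 4           # knock packets per sequence (assumption, not from the paper)
PROTECTED = [22, 443]   # service ports the server is willing to open (assumption)

def time_slot(timestamp, granularity):
    """Quantise a Unix timestamp to the PSK's time granularity (seconds)."""
    return int(timestamp) // granularity

def knock_sequence(key, granularity, client_ip, timestamp, dst_port, n=KNOCK_LEN):
    """Client side: derive the knock for one client, time slot and destination port.
    Input = packed client IP || time slot || destination port, keyed with the PSK
    through HMAC-SHA256 (assumption); each 16-bit word of the digest is one knock port."""
    msg = (ipaddress.ip_address(client_ip).packed
           + struct.pack(">QH", time_slot(timestamp, granularity), dst_port))
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # A 16-bit word of 0 is not a usable TCP port; the abstract does not
    # special-case it, so this example maps 0 to 1 (assumption).
    return [int.from_bytes(digest[2 * i:2 * i + 2], "big") or 1 for i in range(n)]

def match_knock(key, granularity, client_ip, observed, now, slack=1):
    """Server side: recompute the knock for every protected port over the current
    slot and `slack` earlier slots, which absorbs residual NTP skew plus the time
    the client needs to emit the sequence. Returns the port to open, or None.
    A sequence whose slot has left the window is rejected; that is what bounds
    the lifespan of a sniffed knock."""
    if len(observed) != KNOCK_LEN or any(not 0 <= p <= 65535 for p in observed):
        return None
    got = struct.pack(f">{KNOCK_LEN}H", *observed)
    for dst_port in PROTECTED:
        for back in range(slack + 1):
            expected = knock_sequence(key, granularity, client_ip,
                                      now - back * granularity, dst_port)
            if hmac.compare_digest(got, struct.pack(f">{KNOCK_LEN}H", *expected)):
                return dst_port
    return None

if __name__ == "__main__":
    key, granularity = b"constructed-demo-psk", 30   # constructed PSK, 30 s granularity
    t0 = 1_700_000_000
    seq = knock_sequence(key, granularity, "192.0.2.10", t0, 22)
    print("knock for 192.0.2.10:", seq)
    print("fresh:", match_knock(key, granularity, "192.0.2.10", seq, t0))
    print("replayed two slots later:",
          match_knock(key, granularity, "192.0.2.10", seq, t0 + 2 * granularity))
```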
