ESORICS 2007: Computer Security – ESORICS 2007 pp 122-138

SilentKnock: Practical, Provably Undetectable Authentication

  • Eugene Y. Vasserman
  • Nicholas Hopper
  • John Laxson
  • James Tyra
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4734)

Abstract

Port knocking is a technique first introduced in the blackhat and trade literature to prevent attackers from discovering and exploiting potentially vulnerable services on a network host, while allowing authenticated users to access these services. Despite being based on some sound principles and being a potentially useful tool, most work in this area suffers from a lack of a clear threat model or motivation. We introduce a formal security model for port knocking that addresses these issues, show how previous schemes fail to meet our definition, and give a provably secure scheme that uses steganographic embedding of pseudorandom message authentication codes. We also describe the design and analysis of SilentKnock, an implementation of this protocol for the Linux 2.6 operating system, that is provably secure, under the assumption that AES and a modified version of MD4 are pseudorandom functions, and integrates seamlessly with any existing application, with no need to recompile. Experiments indicate that the overhead due to running SilentKnock on a server is minimal – on the order of 150 μs per TCP connection initiation.

Keywords

Replay Attack, Message Authentication Code, Covert Channel, Pseudorandom Function, Secure Port


Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Eugene Y. Vasserman (1)
  • Nicholas Hopper (1)
  • John Laxson (2)
  • James Tyra (1)
  1. Computer Science and Engineering, University of Minnesota, Minneapolis, MN 55455, USA
  2. Stanford University, Box 15255, Stanford, CA 94309, USA
