I just read a good article by Michael Rash about port knocking and SPA (single packet authorization), two approaches to the same problem: opening firewall ports only to authorized clients. It gives a nice overview of both and highlights the advantages of SPA. Michael plans a follow-up article that may also be worth a look.
Prompted by that, I have thrown together a small toy single packet authorisation (SPA) testbed to play with some of the ideas. It is just an exploration of the SPA notion and is work in progress. It is by no means complete nor designed to be used as a production SPA system. It uses hping to do the network work and gpg to do the encryption.
We start with 16 bytes of random data to reduce the risk of replay attacks: the random bytes make every legitimate packet unique, so if the server caches an MD5 (or similar) hash of each encrypted packet it has already accepted, any later packet with the same hash can only be a replay and can be rejected. Note that the random data on its own does nothing; the replay protection comes from the server actually keeping and checking that cache.
#dd if=/dev/urandom of=/tmp/payload bs=16 count=1
Then we add the useful stuff to the single packet payload: a username (in case we want the server to respond differently depending on user), possibly some user authentication (though we may be satisfied with trusting the GPG encryption), the client's IP address so the server can do a consistency check (i.e. confirm that the packet really did come from the IP it claims), and things like the service port we want opened:
#echo "domenico:192.168.0.3:22:otherdata" >>/tmp/payload
That gives us an unencrypted payload of 81 bytes (the exact size depends on what you put in it). Here we encrypt with a symmetric cipher for simplicity, but there may be advantages in using a public/private key approach:
#gpg --passphrase "Scarlatti" --symmetric /tmp/payload
This leaves us with an encrypted payload of 99 bytes (in this toy example). Passing the passphrase on the command line like this exposes it in the process list and shell history, which is fine for a toy but not for anything real.
There are a number of possibilities for getting the payload onto the wire. In this toy example we craft an ICMP packet that carries the payload as its data. I have "signed" the packet with hping, which just means that a piece of text (called the signature) is placed at the start of the packet's data, before the payload. This lets the server pick out SPA packets from ordinary ICMP traffic; it is not a cryptographic signature.
#hping3 --interface eth1 --sign "SPA" --icmp --count 1 --file /tmp/payload.gpg --data 200 192.168.0.2
and the packet has been sent.
For SPA, we want to
I don't want to implement most of this, as I am playing with the SPA idea (not building an application). So all I will do is pick up the packet on the server and decrypt it with GPG. We can use hping to listen for packets carrying our signature (tcpdump would also work):
#hping3 --interface eth1 --listen "SPA" --icmp > /tmp/received.gpg
Then apply gpg to the received payload to confirm that it was a valid SPA request:
#gpg --passphrase "Scarlatti" /tmp/received.gpg
With the right passphrase this reveals the original payload. The next step is to play with netfilter to look at how we might do the remaining server tasks: checking the embedded IP against the packet's source address, keeping the replay cache, and actually opening the requested port.
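The server-side checks sketched above (the replay cache from the start of the post, plus parsing the decrypted payload and comparing its IP and port fields against the packet and a policy) are the parts the testbed leaves unimplemented. Here is an added example of that logic; it is my code, not the post's, and not hping's or gpg's. It assumes decryption has already been done by gpg as in the post, so it takes the raw encrypted bytes (for the cache) and the decrypted bytes (for parsing) separately. The POLICY table and the use of SHA-256 instead of MD5 for the cache are my choices, and the ciphertext in the demo is a constructed stand-in for real gpg output.

```python
"""Toy SPA server-side checks (added example, not from the original post)."""
import hashlib
import ipaddress
import os
from dataclasses import dataclass

NONCE_LEN = 16                      # matches dd bs=16 count=1 in the post

# Assumed policy, not from the post: which ports each user may ask to open.
POLICY = {"domenico": {22}}


def build_payload(user, ip, port, other="", nonce=None):
    """Client side: 16 random bytes, then user:ip:port:other and a newline.

    Mirrors the post's dd + echo steps; the result is what gpg would encrypt.
    A fixed nonce may be passed for testing only, never in real use.
    """
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be exactly %d bytes" % NONCE_LEN)
    return nonce + f"{user}:{ip}:{port}:{other}\n".encode("ascii")


@dataclass
class SpaRequest:
    user: str
    ip: str
    port: int
    other: str


class ReplayCache:
    """Remembers a hash of every encrypted packet already processed.

    SHA-256 replaces the MD5 mentioned in the post; either works for
    de-duplication because the nonce makes honest packets unique, so a
    hash hit can only be a replay of a packet we have already seen.
    """

    def __init__(self):
        self._seen = set()

    def first_sighting(self, ciphertext: bytes) -> bool:
        digest = hashlib.sha256(ciphertext).hexdigest()
        if digest in self._seen:
            return False
        self._seen.add(digest)
        return True


def parse_payload(plaintext: bytes) -> SpaRequest:
    """Strip the nonce and parse the colon-separated fields, validating each."""
    if len(plaintext) <= NONCE_LEN:
        raise ValueError("payload too short to contain a nonce and fields")
    body = plaintext[NONCE_LEN:].decode("ascii").rstrip("\n")
    parts = body.split(":", 3)          # 'other' may itself contain colons
    if len(parts) != 4:
        raise ValueError("expected user:ip:port:other")
    user, ip, port_str, other = parts
    if not user:
        raise ValueError("empty user")
    ipaddress.ip_address(ip)            # raises ValueError on a bad address
    port = int(port_str)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return SpaRequest(user, ip, port, other)


def authorize(ciphertext, plaintext, src_ip, cache, policy=POLICY):
    """Server side: decide whether to open a port for src_ip.

    ciphertext is the encrypted data as captured on the wire (what the
    cache keys on); plaintext is gpg's decryption of it; src_ip is the
    source address from the IP header. Returns (ok, reason).
    """
    if not cache.first_sighting(ciphertext):
        return False, "replayed packet"
    try:
        req = parse_payload(plaintext)
    except ValueError as exc:           # UnicodeDecodeError is a ValueError
        return False, f"malformed payload: {exc}"
    if ipaddress.ip_address(req.ip) != ipaddress.ip_address(src_ip):
        return False, "embedded IP does not match packet source"
    if req.port not in policy.get(req.user, set()):
        return False, f"user {req.user} may not open port {req.port}"
    return True, f"open tcp/{req.port} for {src_ip}"


if __name__ == "__main__":
    # Constructed demo; the ciphertext is a stand-in for real gpg output.
    plain = build_payload("domenico", "192.168.0.3", 22, "otherdata")
    cipher = b"<gpg output would be here>" + plain[:NONCE_LEN]
    cache = ReplayCache()
    print(authorize(cipher, plain, "192.168.0.3", cache))   # accepted
    print(authorize(cipher, plain, "192.168.0.3", cache))   # refused: replay
```

The cache is keyed on the encrypted bytes rather than the plaintext because that is what an attacker who sniffed the packet can resend. With the payload format used in the post there is no timestamp, so the cache can only grow; adding a timestamp field and rejecting old packets would let the server expire entries.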