Single Packet Authorization Increasing Security in SSH Leandro Almeida [email protected] III ENSOL Liberdade no Extremo João Pessoa-PB 19,20 e 21 de Junho de 2009
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Single Packet AuthorizationIncreasing Security in SSH
Leandro [email protected]
III ENSOL Liberdade no ExtremoJoão PessoaPB 19,20 e 21 de Junho de 2009
Who is this guy?
●
● Degree in Computer Network● Postgraduate in Information Security
● Security Analist
AGENDA
● SSH
● Firewall
● Port Knocking
● Single Packet Authorization
● FWKNOP
● Video
● Questions
Who here uses SSH?
Do you think the SSH secure?
● CERT® Advisory CA200218 OpenSSH Vulnerabilities in Challenge Response Handling
● USN6491: OpenSSH vulnerabilities
● OpenSSH Security Advisory: cbc.adv Plaintext Recovery Attack Against SSH CPNI957037
● CPNI Vulnerability Advisory SSH – CPNI957037
● openssh vulnerability CVE20080166, http://www.ubuntu.com/usn/usn6121
● SSH is an application and have flaws
When someone comes and says...If you are not safe places a
Firewall
Search / Design a solution to your problem
Otherwise an attacker can succeed!
There is a light at the end of the tunnel
● Port Knocking● Literally “door knocking”
● The technique is built on a sequence of packages predetermined
● If the sequence is wrong, nothing (SSH access) will be released
● Use the fields reserved for the TCP/UDP
● Does not use encryption
1º Moment: Blue2º Moment: Red3º Moment: green
Problems...
The encryption can not be used
Packets may arrive out of order, which breaks a string
An attacker may be sending packets to random ports, breaking the sequence
Susceptible to attack by replay
And now? Who can save us...
Single Packet Authorization
It is a technique based a Port Knocking
● The SPA inherits the strengths and addresses the major flaws of Port Knocking
The application that implements the SPA is FWKNOP (FireWall KNock OPerator)
The FWKNOP is Free Software maintained by Michael Rash
http://cipherdyne.org/fwknop/
Only one packet is sent
Correcting the problem of delivery out of order
Uses the fieldrelated data of the package
Correcting the problem of encryption
● Creates a temporary rule in the firewall, allowing access only to client
There is not the possibility of using the same package in a range of predetermined time (default 60s)
– Correction of attacks on Replay
Ability to encrypt packets with keys
Symmetrical (Rijndael)
– Asymmetric (GPG + ElGamal)
Makes the deciphering of the packages to verify
IP address of the packet with the IP address of the encrypted
● Addition of a block of random content generated for each packet, thus allowing the encryption single
Packet SPA
Scenario testing
1º Moment: Without SPA
2º Moment: With SPA
SSH Access Released \o/
References● http://www.cipherdyne.org/fwknop/
● http://www.linuxjournal.com/article/9565
● http://www.linux.com/archive/feature/135100
● http://www.jsena.info/downloads/palestras/JansenSena_FISL9_Single_Packet_Authorization.pdf
●
Related Documents
