ESSTCP: Enhanced Spread Spectrum TCP

Amir R. Khakpour, Hakima Chaouchi
Institut National des Télécommunication (INT), Evry, France
Email: amir.khakpour@int-evry.fr, hakima.chaouchi@int-evry.fr

1-4244-0910-1/07/$20.00 ©2007 IEEE

Abstract

Stealthy, lightweight authentication methods let network administrators shelter critical services from adversaries. Spread Spectrum TCP (SSTCP) [1] is one such method: the client sends an authentic sequence of SYN packets to the server for authentication. Since SSTCP has certain drawbacks and security flaws, we propose an enhanced version, ESSTCP, which modifies the original algorithm to reduce its computational cost and to close its vulnerabilities to denial-of-service and replay attacks. Some performance problems, such as time synchronization, are also resolved. Finally, we extend the method to different applications and numbers of users, so that ESSTCP can be used as a secure Remote Procedure Call (RPC).

1. Introduction

Hiding internet services from untrusted users is an effective way to protect against not only unpredictable attacks on the local network and servers, but also the unknown service and software vulnerabilities that are discovered over time. To distinguish authorized users from adversaries, hidden authentication techniques should therefore be used. These techniques should be lightweight enough to be applicable on a wide variety of devices and strong enough to reliably protect crucial services and servers.

Barham et al. [1] proposed several techniques in which the client authenticates to a firewall and asks for access to a specific port number. Since this authentication has to be done stealthily, the general idea is to send specific packets to closed ports of the firewall; authentic packets trigger daemons on the firewall that open the desired ports for the authenticated user. These techniques fall into three groups according to the way the authentic packets are sent. In Spread Spectrum TCP (SSTCP), the client sends a sequence of SYN packets to particular port numbers and prompts the firewall to execute the corresponding instructions for the client. In the second method, Tailgate TCP (TGTCP), instead of a sequence of SYN packets the client sends a single packet whose data carries the secret and the other authentication parameters. In the third approach, Option-Keyed TCP (OKTCP), the firewall only lets through SYN packets that carry a key encoded in certain IP and TCP header fields.

Subsequently, port knocking was introduced by Martin Krzywinski in [2] as a method of connecting through a closed port. It mostly focuses on the server's personal firewall and on protecting UNIX-based services with iptables. Because this method protects important administrative services such as SSH and SNMP from denial of service and other attacks, and because developers are free to build their own implementations, it has been widely embraced by industry and academia, and several open-source implementations have been released.

The structure of this paper is as follows. In section 2 we examine the SSTCP method and review its advantages and drawbacks. In section 3 we survey existing implementations and proposed methods and study their benefits and flaws. We then present our new proposal, ESSTCP, in detail in section 4 and analyze the method in section 5. Finally, in section 6 we summarize and conclude the work.

2. Spread Spectrum TCP (SSTCP)

2.1 Methodology

In this method the client calculates the Authentic PortKnock Sequence (APKS) and sends N TCP SYN packets to the calculated port numbers. On the other side, a Silent Authentication Service (SAS) module on the firewall listens for the incoming knock sequence; if M (M ≤ N) of the knocks are received in the correct order, it authorizes the client to send packets through the firewall to the desired port.

In SSTCP an infinite array of ports is generated by a one-way function based on a key K and a time-window value. In each time interval of length T, a new element of the APKS is generated as

(1)  $A(t) = \mathrm{SHA}(K \parallel t) \bmod \mathrm{0xFFFF}$

where SHA denotes the SHA-1 hash function, $\parallel$ denotes concatenation and t is the current time divided by T.

They also propose a mechanism for synchronization on the first knock. In this mechanism the received knock [sentence truncated in the extracted text]

2.2.1 Probability of guessing APKS

Since this protocol is completely passive on the network and generates no traffic, the SAS module can be implemented on layer-2 (L2) devices such as hidden security boxes that have no IP address, examples of which include layer-2 firewalls and IPS/IDSs. Furthermore, knocks carry no specific signature that might reveal the existence of this service on the firewall to an attacker. SSTCP is also resilient to packet loss and packet reordering. Its computational complexity is relatively low, and it is invincible to brute-force attacks, since the probability of guessing the APKS in SSTCP is

(2)  [equation garbled in the extracted text; the surviving tokens are: N 1 N 1 M 1 M 1 3 16 16 M 1 3 16 M 2 2 2 2]

in which the first term is for the first knock and the second term is the probability of guessing the other knocks. For example, for the arbitrary values N = 10 and M = 8 the probability would be 2.1738 × 10^-37, which is small enough to be safe against brute-force attacks.

Barham et al. also addressed certain problems in SSTCP and discussed alternative approaches to mitigate them. One approach is to use the ISN (Initial Sequence Number) instead of the destination port: first, to diminish the probability of guessing port knocks, because the destination port field in the TCP header is only 16 bits while the sequence number field is 32 bits; secondly, because packets to specific destination ports might be dropped by firewalls in between, so the ISN would be a better carrier. However, sending packets to a specific destination port with different ISNs would jeopardize the stealthiness of the SSTCP technique. Moreover, the ISN is likely to be changed by firewalls, proxies and NAT boxes in between, which is explained further in section 5.

[Figure 1 is an SDL diagram; only its labels survive the extraction: Listening mode; Listen firstKnock; firstKnock = A(t−1), A(t) or A(t+1), setting start = t−1, t or t+1 respectively; matchCntr; Loop 1 over i up to N; Loop 2 over k from start to end, testing knock = A(start + k); matchCntr ≥ M; Successful Knocking.]

Figure 1. SDL representation of how the [caption truncated in the extracted text]
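The APKS generation of equation (1) and the SAS matching described in sections 2.1 and 2.2.1 (first knock matched against A(t−1), A(t) and A(t+1); later knocks in order; M of N suffice), as an added Python example that is not code from the paper or its authors. The byte encoding of t, the per-client matcher state, the sequence-expiry rule and the simulate() harness with its key and window values are assumptions of this example, not details from the paper.

```python
import hashlib
import struct
from typing import Collection, List, Optional

PORT_SPACE = 0xFFFF  # the 16-bit TCP destination port field, as in equation (1)


def apks_port(key: bytes, t: int) -> int:
    """Equation (1): A(t) = SHA-1(K || t) mod 0xFFFF.

    The byte encoding of the window index t is not specified by the paper;
    a big-endian 64-bit integer is assumed here.
    """
    digest = hashlib.sha1(key + struct.pack(">Q", t)).digest()
    return int.from_bytes(digest, "big") % PORT_SPACE


def apks(key: bytes, start: int, n: int) -> List[int]:
    """The N elements of the Authentic PortKnock Sequence beginning at window index start."""
    return [apks_port(key, start + i) for i in range(n)]


def window_index(now_seconds: float, period_seconds: int) -> int:
    """t is the current time divided by the knock period T (an integer window index)."""
    return int(now_seconds // period_seconds)


class SilentAuthService:
    """Server-side matcher for a single client, modelled on the SAS behaviour in the text:
    the first knock is matched against A(t-1), A(t) and A(t+1) so one window of clock skew
    is tolerated, later knocks must follow in order, and M of the N knocks suffice so that
    lost or reordered knocks do not break authentication."""

    def __init__(self, key: bytes, n: int, m: int) -> None:
        self.key, self.n, self.m = key, n, m
        self.start: Optional[int] = None  # window index the accepted first knock belongs to
        self.next_index = 0               # position in the APKS expected next
        self.match_count = 0

    def knock(self, port: int, now_t: int) -> bool:
        """Feed one observed SYN destination port; return True once M knocks matched in order."""
        if self.start is not None and now_t > self.start + self.n:
            self.start, self.next_index, self.match_count = None, 0, 0  # sequence expired (assumed rule)
        if self.start is None:
            for delta in (-1, 0, 1):  # first knock: tolerate one window of skew either way
                if port == apks_port(self.key, now_t + delta):
                    self.start, self.next_index, self.match_count = now_t + delta, 1, 1
                    break
        else:
            # Scan forward from the expected position so a lost knock is skipped, not fatal;
            # a port that is not in the remaining sequence is simply ignored.
            for k in range(self.next_index, self.n):
                if port == apks_port(self.key, self.start + k):
                    self.next_index, self.match_count = k + 1, self.match_count + 1
                    break
        return self.match_count >= self.m


def simulate(key: bytes, n: int, m: int, client_t: int, server_t: int,
             dropped: Collection[int] = (), order: Optional[List[int]] = None) -> bool:
    """Constructed end-to-end run: the client emits its N knocks one per window starting at
    client_t; the server observes them starting at its own window server_t (client_t != server_t
    models clock skew); indexes in `dropped` are lost on the path; `order` permutes delivery."""
    sas = SilentAuthService(key, n, m)
    sequence = apks(key, client_t, n)
    authorized = False
    for step, i in enumerate(order if order is not None else range(n)):
        if i in dropped:
            continue
        authorized = sas.knock(sequence[i], server_t + step) or authorized
    return authorized


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed sample key, not from the paper
    print("ports:", apks(KEY, 1000, 10))
    print("no loss, no skew:      ", simulate(KEY, 10, 8, 1000, 1000))
    print("2 lost, server 1 behind:", simulate(KEY, 10, 8, 1000, 999, dropped={3, 6}))
    print("3 lost:                ", simulate(KEY, 10, 8, 1000, 1000, dropped={2, 5, 7}))
    print("server 5 windows off:  ", simulate(KEY, 10, 8, 1000, 1005))
```

Running the file shows the properties the text claims for SSTCP: the client still authenticates with two of ten knocks lost or with the server's clock one window behind, fails once fewer than M knocks arrive, and a first knock that lands outside the three accepted windows is silently ignored. Because the SAS side only reads destination ports of SYNs to closed ports and never answers, the matcher has no dependence on an IP address of its own, which is why the text can place it on an L2 device.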
