Date post: | 14-Jul-2015 |
Single Packet Authorization: Increasing Security in SSH
Leandro [email protected]
III ENSOL - Liberdade no Extremo, João Pessoa, PB, 19, 20 and 21 June 2009
Who is this guy?
● Degree in Computer Networks
● Postgraduate in Information Security
● Security Analyst
● CERT® Advisory CA-2002-18: OpenSSH Vulnerabilities in Challenge Response Handling
● USN-649-1: OpenSSH vulnerabilities
● OpenSSH Security Advisory: cbc.adv, Plaintext Recovery Attack Against SSH (CPNI-957037)
● CPNI Vulnerability Advisory SSH – CPNI-957037
● OpenSSH vulnerability CVE-2008-0166, http://www.ubuntu.com/usn/usn-612-1
● SSH is an application and has flaws
Port Knocking
● Literally “door knocking”
● The technique is built on a predetermined sequence of packets
● If the sequence is wrong, nothing (i.e. SSH access) is opened
● Uses only the TCP/UDP header fields (the port numbers), not the packet payload
● Does not use encryption
● Packets may arrive out of order, which breaks the sequence
● An attacker may send packets to random ports, breaking the sequence
● Susceptible to replay attacks
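To make the three weaknesses above concrete, here is a small model of a port-knocking daemon written for this page (it is not code from the talk or from any knocking tool). It assumes the usual daemon behaviour: progress is tracked per source address and any packet from that address to a port other than the next expected one resets it. The events are constructed: a correct knock, the same knock with two packets swapped, a knock with one stray packet in between (a packet carrying the client's address, which the daemon cannot tell from the client's own), and the correct knock sent twice.

```go
package main

import "fmt"

// KnockEvent is one observed packet: source address and destination port.
// The events in main are constructed for this example; a real daemon would
// read them from the firewall log or a packet capture.
type KnockEvent struct {
	Src  string
	Port int
}

// Knocker models a port-knocking daemon that tracks, per source address, how
// far through the expected port sequence that source has got. Nothing in a
// knock is authenticated, so any packet from that address to an unexpected
// port (reordered, stray, or sent by someone else using the client's address)
// resets the progress. That is the weakness described above and what SPA removes.
type Knocker struct {
	Sequence []int
	progress map[string]int
}

func NewKnocker(seq []int) *Knocker {
	return &Knocker{Sequence: seq, progress: map[string]int{}}
}

// Observe feeds one packet and reports whether its source has just completed
// the whole sequence (when a real daemon would open the SSH port for it).
func (k *Knocker) Observe(ev KnockEvent) bool {
	next := k.progress[ev.Src]
	if ev.Port == k.Sequence[next] {
		next++
	} else if ev.Port == k.Sequence[0] {
		next = 1 // a fresh first knock restarts the sequence
	} else {
		next = 0 // anything else breaks it
	}
	if next == len(k.Sequence) {
		k.progress[ev.Src] = 0
		return true
	}
	k.progress[ev.Src] = next
	return false
}

// Completions runs an event list through a fresh Knocker and counts how many
// times src completed the sequence. Because the daemon keeps no memory of past
// knocks, a recorded sequence opens the port again every time it is repeated.
func Completions(seq []int, events []KnockEvent, src string) int {
	k, n := NewKnocker(seq), 0
	for _, ev := range events {
		if k.Observe(ev) && ev.Src == src {
			n++
		}
	}
	return n
}

func main() {
	seq := []int{7000, 8000, 9000}
	c := "10.0.0.5" // constructed client address
	inOrder := []KnockEvent{{c, 7000}, {c, 8000}, {c, 9000}}
	reordered := []KnockEvent{{c, 7000}, {c, 9000}, {c, 8000}}
	stray := []KnockEvent{{c, 7000}, {c, 1234}, {c, 8000}, {c, 9000}}
	fmt.Println("in order:", Completions(seq, inOrder, c))                                // 1
	fmt.Println("out of order:", Completions(seq, reordered, c))                          // 0
	fmt.Println("stray packet in between:", Completions(seq, stray, c))                   // 0
	fmt.Println("same knocks twice:", Completions(seq, append(inOrder, inOrder...), c))   // 2
}
```

The last scenario is the replay problem: the daemon has no way to tell a fresh knock from a copy of an earlier one, which is exactly the gap the replay window in SPA closes.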
● SPA is a technique based on Port Knocking
● SPA inherits the strengths and addresses the major flaws of Port Knocking
● The application that implements SPA is FWKNOP (FireWall KNock OPerator)
● FWKNOP is Free Software maintained by Michael Rash
● http://cipherdyne.org/fwknop/
● Only one packet is sent
– Fixes the problem of out-of-order delivery
● Uses the data (payload) field of the packet
– Fixes the lack of encryption
● Creates a temporary rule in the firewall, allowing access only to the client
● The same packet cannot be used again within a predetermined time window (default 60 s)
– Fixes replay attacks
● Packets can be encrypted with keys
– Symmetric (Rijndael)
– Asymmetric (GPG + ElGamal)
● Decrypts the packet and verifies that the packet's source IP address matches the IP address carried inside the encrypted payload
● A block of random content is generated for each packet, so that every encrypted packet is unique
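The slides above list what the SPA server checks; the following Go program, added here and not taken from the talk or from fwknop itself, puts those checks together in one verification routine. It assumes a simplified packet body (random block, client IP, Unix timestamp, serialised as JSON) rather than fwknop's real wire format, uses AES (Rijndael) in GCM mode for the symmetric case only, and keys its replay cache on a SHA-256 digest of the whole received packet. The timestamp field and the 60 s default window are what bound the replay cache; the "firewall rule" is modelled as a map of allowed addresses with expiry times.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// Assumed packet body for this example (not fwknop's wire format): a random
// block so no two packets encrypt alike, the client's IP, and a timestamp.
type SPAMessage struct {
	Random   []byte `json:"random"`
	ClientIP string `json:"client_ip"`
	Time     int64  `json:"time"`
}

var (
	ErrBadPacket  = errors.New("packet does not decrypt under the shared key")
	ErrReplay     = errors.New("packet already seen inside the replay window")
	ErrStale      = errors.New("timestamp outside the allowed window")
	ErrIPMismatch = errors.New("source IP differs from the IP in the encrypted body")
)

// gcmFor builds the AEAD: AES (Rijndael) in GCM mode, a choice made for this example.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildPacket (client side): random bytes, own IP and current time, sealed under the key.
func BuildPacket(key []byte, clientIP string, now time.Time) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	buf := make([]byte, 16+aead.NonceSize()) // 16 random body bytes, then the nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	nonce := buf[16:]
	body, err := json.Marshal(SPAMessage{Random: buf[:16], ClientIP: clientIP, Time: now.Unix()})
	if err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, body, nil), nil
}

// Server models the SPA daemon: a replay cache keyed by packet digest and the
// temporary firewall rules, here a map from allowed IP to rule expiry time.
type Server struct {
	key    []byte
	window time.Duration
	seen   map[string]time.Time
	Rules  map[string]time.Time
}

func NewServer(key []byte, window time.Duration) *Server {
	return &Server{key: key, window: window, seen: map[string]time.Time{}, Rules: map[string]time.Time{}}
}

// Receive verifies one packet from srcIP and, on success, opens a rule for that IP only.
// Order: replay cache (before any decryption), decrypt/authenticate, timestamp, source IP.
func (s *Server) Receive(packet []byte, srcIP string, now time.Time) error {
	sum := sha256.Sum256(packet)
	digest := string(sum[:])
	if t, dup := s.seen[digest]; dup && now.Sub(t) < s.window {
		return ErrReplay // a real daemon would also purge entries older than the window
	}
	aead, err := gcmFor(s.key)
	if err != nil {
		return err
	}
	ns := aead.NonceSize()
	if len(packet) < ns {
		return ErrBadPacket
	}
	body, err := aead.Open(nil, packet[:ns], packet[ns:], nil)
	if err != nil {
		return ErrBadPacket // wrong key or tampered packet: GCM authentication fails
	}
	var m SPAMessage
	if json.Unmarshal(body, &m) != nil {
		return ErrBadPacket
	}
	if age := now.Sub(time.Unix(m.Time, 0)); age > s.window || age < -s.window {
		return ErrStale
	}
	if m.ClientIP != srcIP {
		return ErrIPMismatch
	}
	s.seen[digest] = now
	s.Rules[srcIP] = now.Add(s.window) // temporary rule, valid for one window
	return nil
}
```

The replay check runs on the raw packet digest before any decryption, so a repeated packet costs the server nothing beyond a hash and a map lookup; the IP comparison happens last, after authentication, so a packet relayed from another address is rejected even though it decrypts correctly.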