[FoRK] Re: CRYPTO-GRAM, March 15, 2004

Stephen D. Williams sdw at lig.net
Tue Mar 16 19:09:43 PST 2004


This isn't new, IMHO.  I've suggested before using something like spread 
spectrum for the actual port #: you change the port you are listening to 
during each period based on a crypto hash of the time span, a la 
ACE/SecureID.

Another way to do the same thing as below would be to accept UDP packets 
with a key of some kind, which is all the knock is, which would then 
enable port 22 for the sender.

The problem with the knock below is that it is easily observable.  Just 
compromise a nearby system, switch, or router and you've defeated it.

There are only two reasons to front SSH: to avoid denial of service with 
expensive computation by filtering most bogus attempts in a way cheaper 
than SSH cycles, and to provide an additional layer of defense so that 
SSH isn't the only layer being trusted.  There are only three choices of 
fundamental mechanism: symmetric/shared keys of some kind (security by 
obscurity, knock knock as below, passwords, dongles (SecureID), and 
crypto keys are all shared secrets), asymmetric keys (crypto: PKI etc.), 
and one time pad.  Sending a UDP packet with a crypto computation 
proving access to a key of some kind would work better.

Barring more bugs, {SSH, SSL, IPSec} is very secure.

sdw

Rohit Khare wrote:

> Just wanted to add this one for the archives -- tres cool!
>
> Rohit
>
> On Mar 14, 2004, at 11:14 PM, Bruce Schneier wrote:
>
>> Port knocking is a clever new computer security trick.  It's a way to 
>> configure a system so that only systems who know the "secret knock" 
>> can access a certain port.  For example, you could build a 
>> port-knocking defensive system that would not accept any SSH 
>> connections (port 22) unless it detected connection attempts to 
>> closed ports 1026, 1027, 1029, 1034, 1026, 1044, and 1035 in that 
>> sequence within five seconds, then listened on port 22 for a 
>> connection within ten seconds.  Otherwise, the system would 
>> completely ignore port 22.
>>
>> It's a clever idea, and one that could easily be built into VPN 
>> systems and the like.  Network administrators could create unique 
>> knocks for their networks -- family keys, really -- and only give 
>> them to authorized users.  It's no substitute for good access 
>> control, but it's a nice addition.  And it's an addition that's 
>> invisible to those who don't know about it.
>>
>>
>> <http://www.linuxjournal.com/article.php?sid=6811>
>> <http://www.portknocking.org/>
>



-- 
swilliams at hpti.com http://www.hpti.com  Personal: sdw at lig.net http://sdw.st
Stephen D. Williams 703-724-0118W 703-995-0407Fax 20147-4622 AIM: sdw
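The two alternatives sketched in the reply above, a listening port derived from a keyed hash of the current time period and a UDP knock carrying a MAC that proves possession of a shared key, as an added example that is not code from the thread or from any port-knocking project. The key, 30-second slot length, port range, packet layout and one-slot clock tolerance are all assumptions chosen for illustration.

```python
"""Added example: time-slotted port hopping plus a keyed, replay-resistant UDP knock."""
import hmac
import hashlib
import struct

SLOT_SECONDS = 30                 # assumed period length, SecurID-style
PORT_LOW, PORT_HIGH = 1024, 65535 # assumed range the hopping port is drawn from


def time_slot(now: float, slot_seconds: int = SLOT_SECONDS) -> int:
    """Counter that both sides can compute from a loosely synchronised clock."""
    return int(now) // slot_seconds


def listening_port(key: bytes, slot: int) -> int:
    """Port to listen on during this slot: HMAC-SHA256(key, slot) reduced into the range.
    The modulo reduction has a negligible bias for a range this small."""
    digest = hmac.new(key, struct.pack(">Q", slot), hashlib.sha256).digest()
    return PORT_LOW + int.from_bytes(digest[:4], "big") % (PORT_HIGH - PORT_LOW + 1)


def make_knock(key: bytes, slot: int, nonce: bytes) -> bytes:
    """Client side: UDP payload = slot (8 bytes) || nonce (8 bytes) || HMAC(key, slot||nonce).
    Unlike a fixed sequence of closed-port hits, the payload is bound to the period."""
    body = struct.pack(">Q", slot) + nonce
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_knock(key: bytes, packet: bytes, now: float, seen: set,
                 skew_slots: int = 1) -> bool:
    """Server side: accept only if the MAC verifies, the slot is within the
    allowed clock skew, and the exact (slot, nonce) has not been accepted before.
    A knock captured by an on-path observer is therefore useless once the
    period has passed, and useless even within it if replayed verbatim."""
    if len(packet) != 8 + 8 + 32:
        return False
    body, tag = packet[:16], packet[16:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False                        # wrong key or tampered payload
    slot = struct.unpack(">Q", body[:8])[0]
    if abs(slot - time_slot(now)) > skew_slots:
        return False                        # stale: knock from an earlier period
    if body in seen:
        return False                        # exact replay inside the window
    seen.add(body)                          # remember until the slot ages out
    return True
```

Accepting a valid knock would then open port 22 to the sender's address for a bounded time, which is the piece left out here because it is firewall-specific.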
