Bachelor Thesis Project Behaviour of Port-Knocking Authentication


Bachelor Thesis Project

Behaviour of port-knocking authentication mechanism

Author: Petko Gerdzhikov
Supervisor: Ola Flygt
Semester: VT 2016
Subject: Computer Science

Abstract

Port-knocking is a security mechanism used in computer systems to hide available network services. Its operation relies on a drop policy firewall setting in order to make it impossible for port-scanning attacks to occur. This project researches the impact of implementing such a software solution. Furthermore, it looks into the behaviour of three chosen implementations and draws conclusions on the benefits and disadvantages that they bring. In addition, the surrounding implications related to both user and administrator are explored. This thesis includes tests on the resource consumption of the implementations as well as records of the added delay of using the mechanism when initiating an SSH session. No such research has previously been performed in this field, and its results could be beneficial to those who are involved in computer science and network security in particular. Finally, the product of this study states that port-knocking is overlooked and has great benefits in preventing zero-day exploits and hacker tools relying on exposed network services.

Keywords: port knocking, network security, security through obscurity, concealment, single packet authorization

Contents

1 Introduction
  1.1 Background and history
  1.2 Previous research
  1.3 Problem formulation and motivation
  1.4 Research Question
  1.5 Scope/Limitation
  1.6 Target group
2 Method
  2.1 Scientific approach
  2.2 Hardware load experiment
  2.3 Response time experiment
  2.4 Multiple client behaviour experiment
  2.5 Reliability and Validity
3 Port-knocking
  3.1 Overview
  3.2 Knockd
  3.3 Fwknop
  3.4 Knockknock
  3.5 Security considerations
4 Experiment results
  4.1 Single client hardware experiment
  4.2 Single client response time experiment
  4.3 Multiple clients behaviour experiment
5 Analysis
  5.1 User experience analysis
  5.2 Hardware analysis
6 Discussion
7 Conclusion
  7.1 Future research
References
A Appendix 1

1 Introduction

Although port-knocking is not a new concept, there have been mixed opinions regarding its operation and the benefits that could be gained by such an implementation. Part of the purpose of this project is to gather such opinions and attempt to give rational explanations and facts that support or refute them. Furthermore, this thesis work will try to give a more definitive answer on the topic by examining the working process of real implementations.
In order to achieve this, experiments that test the behaviour of the system are performed. Throughout this paper, the behaviour of this security mechanism is going to be the focus. Different aspects, ranging from the theoretical limitations to actual results from experiments on available implementations, are going to be presented in a structured manner. In addition to standard port-knocking solutions, this report also examines single packet authorization (SPA), which is considered similar to port-knocking (PK). Although there are differences in the execution, both mechanisms carry out the same functions and they are referenced throughout the paper as equivalent.

1.1 Background and history

The simplest answer to the question “What is port-knocking?” is that port-knocking is a security authorization mechanism. Its goal is to provide integrity and concealment when accessing services on remote nodes. However, this concealment is often misinterpreted as obscurity. With port-knocking, the system does not rely on open network ports in order for a service to be reached. Instead, the implementation of the mechanism works in tandem with a firewall solution that handles the access control parameters, and a policy of dropping all incoming requests is enforced. When a correct authentication request or “knock” is detected, the port-knocking daemon issues changes in the firewall rules in order to allow the client to access the originally desired service.

The concept behind this security mechanism goes back to the beginning of the 21st century. It was first publicly discussed on a German Linux user group mailing list [1]. The original poster, by the name of Christian Borss, was questioning the reasons for leaving ports constantly open on a system in order to have services available. He saw that as a problem and proposed a solution that is very similar to the port-knocking that we use today.
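
The daemon-side logic described above can be modelled as a small per-source state machine. This is an added example, not code from the thesis or from any of the implementations it examines; the port sequence, the timeout, the reset-on-wrong-port policy and the packet events are all constructed assumptions.

```python
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (7000, 8000, 9000)  # constructed "secret knock", not from the thesis
SEQ_TIMEOUT = 5.0                    # assumed: seconds allowed to complete the knock

@dataclass
class KnockTracker:
    """Per-source state machine a knock daemon could run over dropped packets."""
    sequence: tuple = KNOCK_SEQUENCE
    timeout: float = SEQ_TIMEOUT
    progress: dict = field(default_factory=dict)  # src_ip -> (next index, start time)

    def observe(self, ts, src_ip, dst_port):
        """Feed one packet; return True when src_ip has completed the knock."""
        idx, started = self.progress.get(src_ip, (0, ts))
        if idx and ts - started > self.timeout:
            idx = 0                          # attempt went stale: start over
        if dst_port != self.sequence[idx]:
            idx = 0                          # wrong port: progress is discarded
        if dst_port == self.sequence[idx]:   # may also be a fresh first knock
            if idx == 0:
                started = ts
            idx += 1
        if idx == len(self.sequence):
            self.progress.pop(src_ip, None)
            return True                      # daemon would add an allow rule here
        if idx:
            self.progress[src_ip] = (idx, started)
        else:
            self.progress.pop(src_ip, None)
        return False

def authorised_sources(events):
    """Return (time, src_ip) for every completed knock in a packet event list."""
    tracker = KnockTracker()
    return [(ts, src) for ts, src, port in events if tracker.observe(ts, src, port)]

# Constructed events (time in s, source IP, destination port); all packets are dropped.
EVENTS = [
    (0.0, "192.0.2.10", 7000), (0.1, "198.51.100.7", 7000),    # client / port sweep
    (0.2, "198.51.100.7", 7001), (0.4, "192.0.2.10", 8000),
    (0.5, "198.51.100.7", 8000), (0.6, "198.51.100.7", 9000),
    (0.9, "192.0.2.10", 9000),                                 # client completes knock
    (10.0, "203.0.113.5", 7000), (12.0, "203.0.113.5", 8000),
    (16.5, "203.0.113.5", 9000),                               # too slow: timed out
]

if __name__ == "__main__":
    print(authorised_sources(EVENTS))
```

Only the source that sends the exact sequence within the timeout is granted access; the sequential sweep and the slow attempt leave the firewall unchanged.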

The term “port-knocking” was first introduced by Martin Krzywinski in 2003 [2]. He described the idea that, by sending packets to predefined network ports, you could form a combination or a ‘secret knock’ that would translate to some sort of unique response.

1.2 Previous research

The inspiration for this thesis project comes from the paper titled “Performance Evaluation of Widely used Portknocking Algorithms” [3]. In it, the authors have described the different features of several port-knocking implementations and have graded them correspondingly. This report would like to expand on that document by shifting the focus towards the behaviour aspect and the real implications of introducing a port-knocking solution to a physical system. Furthermore, the project by Sebastien Jeanquier [4] has been found to be close to the field of study presented in this report and has served as a starting point in the performed research.

1.3 Problem formulation and motivation

By inspecting the design of port-knocking, we can see that it is a neat solution to a problem related to accessibility and protection of remote services. However, there are varying opinions regarding the benefits that it offers. Some authors claim that the method is bound to cause more trouble than it provides security [5], whereas others suggest that it can serve as a successful outermost layer of defence [4]. With that in mind, the goal of this thesis is to abstract itself from this dispute by taking a more practical approach and studying the actual impact of implementing a port-knocking solution. In this way the study will be focused more on the user experience aspect than on theoretical capabilities. The results that would come out of setting up and testing real port-knocking implementations should shed more light on the choice that a system administrator would make regarding this additional layer of security.
Characteristics such as response time, multiple user support, ease of implementation, hardware load and maintenance requirements would be the prime area to study. In order to accomplish this, a controlled environment would be set up, where one would compare and contrast each implementation separately against a system that does not run port-knocking.

1.4 Research Question

RQ1 What are the differences and similarities in the design of port-knocking with “security through obscurity”?
RQ2 How does the implementation of a port-knocking service affect the behavior of a system?
RQ2.1 What is the hardware load that port-knocking adds to a system?
RQ2.2 How reliable is port-knocking as an authentication mechanism in a system with multiple users?
RQ2.3 What kind of system requirements are needed in order to support port-knocking from an administrator’s perspective?
RQ3 What are the potential security risks for a system with port-knocking authentication?

It is expected that implementing a port-knocking solution does not cause significant load on the running system. Moreover, handling multiple clients should be in the scope of capabilities of the examined implementations. On the subject of network security, regarding this mechanism, the expected results should reinforce the idea that this method could indeed bring benefits. Furthermore, there is a consideration that by design port-knocking and its derivatives introduce a “bottleneck” in a system. Thus, it is up to the research to prove the reliability of the highlighted implementations.

1.5 Scope/Limitation

The intention of this research is to explore the behaviour of existing port-knocking and single packet authorization implementations. Hence there must be a certain aspect of this behaviour that is going to be the focus. For this study the implementations are evaluated based on their hardware performance and response time.
Furthermore, any features or complications regarding the operation and maintenance of these mechanisms are also of interest. An important consideration is that all of the experimentation and diagnostics have been performed only on a UNIX system. As for the choice of existing implementations, the selection was primarily based on popularity. This report covers two port-knocking and SPA solutions - knockd and fwknop. In addition, another PK implementation by a computer security researcher known as Moxie Marlinspike is also being examined and compared. It can be found under the name knockknock.

1.6 Target group

Given the fact that port-knocking and its derivatives are not
