Sorry, but it seems that you did not read what I wrote.
1) The point is to avoid the handshake of tcp since that would reveal that a service is running, in fact to avoid the server responding to packets on specific ports to arbitrary clients since this reveals the existence of the server. udp does not use handshake and can carry data. Sending three udp-packets as you propose corresponds to the tcp-handshake.
If you use ssh, then you first do a 3-way handshake in tcp, then you exchange keys, and then starts the encrypted session. The handshake is needed since in order to exchange the keys, we need an established connection.
To avoid the handshake keys would have to be exchanged beforehand. Some stranger cannot use any piece of hardware from anywhere, if that was needed, one could issue single use keys for the clients.
2) As I wrote one problem would be to find good data for the packet, and good data should of course prevent spoofing.
Such good data could be the source ip and source user name. This good data would be signed by the user private key and encrypted by the server public key.
Since we have chosen good data, an intruder cannot simply copy the packet payload, but needs both a public key of the server and a private key to which the server has the public key in order to craft packets.
Good data could also be a signature of the packet header, but that may technically be more difficult to do - I think then we are approaching ipv6.
I really don't see the point. It seems far easier to try bruteforce port knocking than try bruteforce user/password combinations.
As mentionened seems that nmap will get some extra features soon if this becomes popular.
The only interesting really is the idea of having services running behind a closed port and actually able to respond.
But then, this could be done using udp that actually contained data, identifying the client, and encrypted ofcourse.
Idea (sorry if this might get a bit off topic): The server knows it's clients, it has a public key of each client, and each client has been equipped with a public encryption key of the server.
Know the client can send a signed packet encrypted with the server public key for the server to verify.
On success the server will open for connections for that client. In any case there will be sent no respond to the udp packet.
The result is the same, the server appears not to be listening on any ports, yet capable of accepting new connections.
But in this case the client does not gain access using some preknown knocking sequence, but actually identifying itself using encryption.
The problem seems to be manageing keys, and then to select a set of data to be signed and encrypted such that client is fully identified. (and keeping it all in one datagram is probably also a good idea).
But isn't that worth the trouble for the extra security? Does this give extra security?
In Denmark an average resently graduate engenier can expect about USD 4500-5000/month when starting in a new job.
PHK - haven't met him personally but - is highly skilled with 10 years experience hacking freebsd code, not an average resent graduate.
Of the USD 5500 he has to pay VAT 25%. That leaves him with USD 4400/month gross, this is the salery you should compare against. A salery less than that of a recent graduate.
The deal you are offered is extremely good! In terms of price for work. If you don't want that work done - don't donate.
Or donate to something else like the freebsdfoundation if you have more confidence in phk.
Otherwise, I suggest you weigh this investment against the loss in case the solution will wait yet another year. It's a difficult task, but do consider.
Regards, Erik - a dane, but not the red on:-)
PS: Of course, you can reduce cost of living moving to other parts of the world - I'd love to work on a beach in Brazil, surf the waves by day, surf slashdot by night;-), maybe this is the solution OSS developers should consider to make the fundings sufice.
OK, so you know your own password and you can allow yourself to access your data. So, how about making a controled intrusion attempt?
Try to see if you can obtain your own password over the wires or wireless. You know what you are looking for but it may be more difficult than you think, and hence you can avoid making a scene of yourself:-)
Record the whole session, so you can replay it in front of the admin. A demo is often very instructive when people seem reluctant to believe you.
You cannot be accused of hacking since all you have done is granted yourself access to your own data.
This way you have not disclosed sensitive information or violated others privacy. Publishing other peoples ids and passwords online is a very bad idea, even if intended as a proof of concept. Respect the privacy of others, even if you find it is not properly protected.
If it doesn't succeed the objective, go to the press, school paper or other and demonstrate replay the intrusion.
Ntop is good to get the general picture of what is going on on your network, can run a webservice with graphics and stuff, that kind of things always keeps your CEO happy - uhh he makes charts and graphics, must be important:-)
Snort is my favourite utility over tcpdump, I think it is easier to use, and also, it can be used for IDS - there are plenty of rules on www.snort.org and www.whitehats.com.
Both snort and ntop are free, so I guess they are not very usefull to you;-)
I regular leave the house, outside the world is actually in true 3D, zillions of colors and a resolution beyond what you can imagine. And there is an ongoing reality show - they call it.. guess what: Reality!
Really, maybe you - yes you, I don't consider myself to be one of you guys - really like to try living in some sort of pre-alpha version of the matrix.
So whats next for you guys? Have your pizza feeded through your bellybutton?
I can imagine how your body continues to grow fatter and fatter untill you can't even get through the door.
Slashdot Mirror
Sorry, but it seems that you did not read what I wrote.
1) The point is to avoid the handshake of tcp since that would reveal that a service is running, in fact to avoid the server responding to packets on specific ports to arbitrary clients since this reveals the existence of the server. udp does not use handshake and can carry data. Sending three udp-packets as you propose corresponds to the tcp-handshake.
If you use ssh, then you first do a 3-way handshake in tcp, then you exchange keys, and then starts the encrypted session. The handshake is needed since in order to exchange the keys, we need an established connection.
To avoid the handshake keys would have to be exchanged beforehand. Some stranger cannot use any piece of hardware from anywhere, if that was needed, one could issue single use keys for the clients.
2) As I wrote one problem would be to find good data for the packet, and good data should of course prevent spoofing.
Such good data could be the source ip and source user name. This good data would be signed by the user private key and encrypted by the server public key.
Since we have chosen good data, an intruder cannot simply copy the packet payload, but needs both a public key of the server and a private key to which the server has the public key in order to craft packets.
Good data could also be a signature of the packet header, but that may technically be more difficult to do - I think then we are approaching ipv6.
OK, so data are encrypted, and the port sequence change.
But:
1) The point of the port-knocking as I understand is that you don't have an allways open port. Your idea throws away that.
2) Your idea still implies a common secret known by all clients.
I would prefer a public-key based encryption/signature scheme as proposed. And drop the port knocking completely
I really don't see the point. It seems far easier to try bruteforce port knocking than try bruteforce user/password combinations.
As mentionened seems that nmap will get some extra features soon if this becomes popular.
The only interesting really is the idea of having services running behind a closed port and actually able to respond.
But then, this could be done using udp that actually contained data, identifying the client, and encrypted ofcourse.
Idea (sorry if this might get a bit off topic): The server knows it's clients, it has a public key of each client, and each client has been equipped with a public encryption key of the server.
Know the client can send a signed packet encrypted with the server public key for the server to verify.
On success the server will open for connections for that client. In any case there will be sent no respond to the udp packet.
The result is the same, the server appears not to be listening on any ports, yet capable of accepting new connections.
But in this case the client does not gain access using some preknown knocking sequence, but actually identifying itself using encryption.
The problem seems to be manageing keys, and then to select a set of data to be signed and encrypted such that client is fully identified. (and keeping it all in one datagram is probably also a good idea).
But isn't that worth the trouble for the extra security? Does this give extra security?
Do the calculus again - it is not net salary.
:-)
;-), maybe this is the solution OSS developers should consider to make the fundings sufice.
In Denmark an average resently graduate engenier can expect about USD 4500-5000/month when starting in a new job.
PHK - haven't met him personally but - is highly skilled with 10 years experience hacking freebsd code, not an average resent graduate.
Of the USD 5500 he has to pay VAT 25%. That leaves him with USD 4400/month gross, this is the salery you should compare against. A salery less than that of a recent graduate.
The deal you are offered is extremely good! In terms of price for work. If you don't want that work done - don't donate.
Or donate to something else like the freebsdfoundation if you have more confidence in phk.
Otherwise, I suggest you weigh this investment against the loss in case the solution will wait yet another year. It's a difficult task, but do consider.
Regards, Erik - a dane, but not the red on
PS: Of course, you can reduce cost of living moving to other parts of the world - I'd love to work on a beach in Brazil, surf the waves by day, surf slashdot by night
OK, so you know your own password and you can allow yourself to access your data. So, how about making a controled intrusion attempt?
:-)
Try to see if you can obtain your own password over the wires or wireless. You know what you are looking for but it may be more difficult than you think, and hence you can avoid making a scene of yourself
Record the whole session, so you can replay it in front of the admin. A demo is often very instructive when people seem reluctant to believe you.
You cannot be accused of hacking since all you have done is granted yourself access to your own data.
This way you have not disclosed sensitive information or violated others privacy. Publishing other peoples ids and passwords online is a very bad idea, even if intended as a proof of concept. Respect the privacy of others, even if you find it is not properly protected.
If it doesn't succeed the objective, go to the press, school paper or other and demonstrate replay the intrusion.
Ntop is good to get the general picture of what is going on on your network, can run a webservice with graphics and stuff, that kind of things always keeps your CEO happy - uhh he makes charts and graphics, must be important :-)
;-)
Snort is my favourite utility over tcpdump, I think it is easier to use, and also, it can be used for IDS - there are plenty of rules on www.snort.org and www.whitehats.com.
Both snort and ntop are free, so I guess they are not very usefull to you
I regular leave the house, outside the world is actually in true 3D, zillions of colors and a resolution beyond what you can imagine. And there is an ongoing reality show - they call it .. guess what: Reality!
Really, maybe you - yes you, I don't consider myself to be one of you guys - really like to try living in some sort of pre-alpha version of the matrix.
So whats next for you guys? Have your pizza feeded through your bellybutton?
I can imagine how your body continues to grow fatter and fatter untill you can't even get through the door.
It must be unpleasant to be you...