RE: [fw-wiz] OT: port knocking.. getting there

From: Ben Nagy (ben_at_iagu.net)
Date: 06/21/04

  • Next message: Chris Pugrud: "RE: [fw-wiz] Certification"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 21 Jun 2004 09:37:54 +0200
    
    

    Only on slashdot would this kind of rubbish get any airtime. The ONLY thing
    port knocking is any good for is people that want to write malware which
    will not easily be detected by network admins. If I genuinely want to secure
    a host, or use 'dynamic' firewall rules, there are half a dozen better
    solutions.

    Not only is the concept stupid, but I looked at the guy's thesis for five
    seconds and his crypto is totally broken - there is a trivial known
    plaintext attack to recover the secret password if you can intercept knocks
    on the wire. The plaintext is [IP addr][port][action] for 4 + 2 + 1 bytes
    each. The last byte is pad - which is cunningly hardwired to null.

    The IP address makes up 4 bytes of a 7 byte plaintext (which is already
    small enough to brute force) and the IP address will be that of the knocking
    host. Wait, it gets worse! The "action" byte is basically "open" or "close"
    and the port bytes don't quite use the full 2^16 range. In other words I
    need to brute force a little less than 17 bits. This is only challenging if
    I want to make like ET and do it with a reprogrammed Speak N Spell.

    It's bad enough I have to endure this on /. Someone buy the guy a copy of
    Applied Cryptography and let's move on.

    ben

    > -----Original Message-----
    [...]
    > http://bsd.slashdot.org/article.pl?sid=04/06/18/0617244&mode=thread&tid=122&tid=126&tid=172&tid=185&tid=190

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
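
An added worked example of the attack Ben sketches above: it is not code from the post, from the thesis he is criticising, or from any port-knocking implementation. It keeps only what the post states (an 8-byte knock of [IPv4 addr][port][action][pad], pad fixed at null, source address known to anyone sniffing the wire, action limited to open/close) and treats everything else as an assumption: the action encoding, "port 0 unused" as the reason the port field is a little under 16 bits, and the cipher, which is a toy stand-in (a one-block keystream derived from the password with SHA-256, XORed onto the plaintext) because the page does not describe the real one. The addresses, password and wordlist in the demo are constructed.

```python
"""Brute-forcing a port-knocking password from one intercepted knock.

Added example; not code from the post above or from the thesis it
criticises.  The 8-byte plaintext layout is the one the post describes:
[IPv4 address][port][action][pad] = 4 + 2 + 1 + 1 bytes, pad fixed at 0x00.
Everything else is an ASSUMPTION for illustration: the action encoding,
the "port 0 unused" rule, and above all the cipher, which here is a toy
one-block keystream (SHA-256 of the password) XORed onto the plaintext.
"""
import hashlib
import ipaddress
import math
import struct
from typing import Iterable, Optional

KNOCK_FMT = "!4sHBB"                     # ip, port, action, pad
ACTION_OPEN, ACTION_CLOSE = 0x00, 0x01   # assumed encoding of open/close


def encode_knock(src_ip: str, port: int, action: int) -> bytes:
    """Build the 8-byte plaintext the post describes: ip | port | action | pad."""
    return struct.pack(KNOCK_FMT, ipaddress.IPv4Address(src_ip).packed,
                       port, action, 0x00)


def _keystream(password: str) -> bytes:
    # Toy cipher stand-in (assumption): 8 keystream bytes from the password.
    return hashlib.sha256(password.encode()).digest()[:8]


def encrypt_knock(password: str, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(password)))


decrypt_knock = encrypt_knock            # XOR cipher: same operation both ways


def plaintext_candidates() -> int:
    """Plaintexts left once the sniffer knows the source IP.

    Unknown fields: port (1..65535, port 0 assumed unusable) and action
    (open/close).  This is the "a little less than 17 bits" from the post.
    """
    return 65535 * 2


def unknown_bits() -> float:
    return math.log2(plaintext_candidates())


def looks_like_knock(candidate: bytes, src_ip: str) -> bool:
    """The known-plaintext filter: a correct decryption must show the
    sniffed source address, a zero pad byte, a legal action and a non-zero port."""
    if len(candidate) != 8:
        return False
    ip, port, action, pad = struct.unpack(KNOCK_FMT, candidate)
    return (ip == ipaddress.IPv4Address(src_ip).packed
            and pad == 0x00
            and action in (ACTION_OPEN, ACTION_CLOSE)
            and port != 0)


def recover_password(ciphertext: bytes, src_ip: str,
                     wordlist: Iterable[str]) -> Optional[str]:
    """Offline password guessing: the knock's own structure is the oracle,
    so nothing is sent to the knock daemon and no lockout can trigger."""
    for guess in wordlist:
        if looks_like_knock(decrypt_knock(guess, ciphertext), src_ip):
            return guess
    return None


if __name__ == "__main__":
    # Constructed scenario: a sniffer sees one knock from 198.51.100.7
    # (a documentation address) that was sent with the secret "hunter2".
    SRC = "198.51.100.7"
    sniffed = encrypt_knock("hunter2", encode_knock(SRC, 22, ACTION_OPEN))
    wordlist = ["password", "letmein", "hunter2", "admin"]   # constructed
    print(f"unknown plaintext bits: {unknown_bits():.2f}")
    print("recovered password:", recover_password(sniffed, SRC, wordlist))
```

The filter is what makes the attack cheap: 32 bits of source address, 8 bits of fixed pad and an action byte with two legal values leave a wrong guess roughly a 2^-47 chance of surviving, so one intercepted knock is a near-perfect offline test for the password, and the cost per guess is one decryption. Swapping the toy keystream for whatever cipher a real scheme uses changes that per-guess cost, but not the shape of the attack.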

