Single Packet Authorization - Slides English
Transcript

  • 1. Single Packet Authorization: Increasing Security in SSH. Leandro Almeida, lcavalcanti.almeida@gmail.com. III ENSOL "Liberdade no Extremo" (Freedom at the Extreme), João Pessoa-PB, 19, 20 and 21 June 2009
  • 2. Who is this guy? ● Degree in Computer Networks ● Post-graduate in Information Security ● Security Analyst
  • 3. AGENDA ● SSH ● Firewall ● Port Knocking ● Single Packet Authorization ● FWKNOP ● Video ● Questions
  • 4. Who here uses SSH?
  • 5. Do you think SSH is secure?
  • 6. ● CERT® Advisory CA-2002-18: OpenSSH Vulnerabilities in Challenge Response Handling ● USN-649-1: OpenSSH vulnerabilities ● OpenSSH Security Advisory: cbc.adv - Plaintext Recovery Attack Against SSH, CPNI-957037 ● CPNI Vulnerability Advisory SSH, CPNI-957037 ● openssh vulnerability CVE-2008-0166, http://www.ubuntu.com/usn/usn-612-1 ● SSH is an application, and it has flaws
  • 7. When someone comes and says... "If you are not safe, put a firewall in place"
  • 8. Search for / design a solution to your problem
  • 9. Otherwise an attacker can succeed!
  • 10. There is a light at the end of the tunnel
  • 11. ● Port Knocking ● Literally "knocking on the door" ● The technique is built on a pre-determined sequence of packets ● If the sequence is wrong, nothing (SSH access) is released ● Uses the reserved TCP/UDP header fields ● Does not use encryption
  • 12. 1st moment: blue; 2nd moment: red; 3rd moment: green
  • 13. Problems...
  • 14. Encryption cannot be used
  • 15. ● Packets may arrive out of order, which breaks the sequence ● An attacker may send packets to random ports, breaking the sequence ● Susceptible to replay attacks
  • 16. And now? Who can save us...
  • 17. Single Packet Authorization
  • 18. It is a technique based on Port Knocking ● SPA inherits the strengths and addresses the major flaws of Port Knocking ● The application that implements SPA is FWKNOP (FireWall KNock OPerator) ● FWKNOP is Free Software maintained by Michael Rash, http://cipherdyne.org/fwknop/
  • 19. ● Only one packet is sent, correcting the out-of-order delivery problem ● Uses the data field of the packet, correcting the encryption problem ● Creates a temporary rule in the firewall, allowing access only to the client ● The same packet cannot be reused within a pre-determined time range (default 60s), correcting replay attacks
  • 20. ● Ability to encrypt packets with keys: symmetric (Rijndael) or asymmetric (GPG + ElGamal) ● Decrypts the packet to verify that the packet's source IP address matches the IP address inside the encrypted payload ● A block of random content is added to each packet, so every encrypted packet is unique
  • 21. SPA packet
  • 22. Test scenario
  • 23. 1st moment: without SPA
  • 24. 2nd moment: with SPA
  • 25. SSH access released o/
  • 26.
  • 27.
  • 28. Thanks! Leandro Almeida. Blog: leandro-cavalcanti.blogspot.com. Email: lcavalcanti.almeida@gmail.com
  • 29. References ● http://www.cipherdyne.org/fwknop/ ● http://www.linuxjournal.com/article/9565 ● http://www.linux.com/archive/feature/135100 ● http://www.jsena.info/downloads/palestras/JansenSena_FISL9_Single_Packet_Authorization.pdf
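The server-side decisions that slides 19 and 20 describe (one packet, a random block for uniqueness, a replay window, and the source-IP check before a temporary firewall rule is opened), as an added example that is not fwknop's code. It authenticates the fields with an HMAC-SHA256 tag from the standard library in place of fwknop's Rijndael or GPG encryption, and the packet layout, the 30-second rule lifetime and the `SpaServer` class are constructed for this example.

```python
import hashlib
import hmac
import os

REPLAY_WINDOW = 60  # seconds; fwknop's default window from slide 19


def build_packet(key: bytes, allowed_ip: str, port: int, now: float) -> bytes:
    """Client side: one packet = 16 random bytes || "ip|port|timestamp" || tag.
    The random block makes every packet unique, even for identical requests."""
    body = os.urandom(16) + f"{allowed_ip}|{port}|{int(now)}".encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()  # stands in for Rijndael/GPG
    return body + tag


class SpaServer:
    """Constructed SPA verifier: authenticate, reject replays, match the source IP,
    then record a temporary firewall rule (a list stands in for iptables)."""

    def __init__(self, key: bytes, rule_ttl: int = 30):
        self.key = key
        self.rule_ttl = rule_ttl
        self.seen: dict[bytes, float] = {}  # packet digest -> time first accepted
        self.rules: list[tuple[str, int, float]] = []  # (ip, port, expiry)

    def handle(self, pkt: bytes, src_ip: str, now: float) -> str:
        body, tag = pkt[:-32], pkt[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"  # wrong key or tampered packet
        digest = hashlib.sha256(pkt).digest()
        first = self.seen.get(digest)
        if first is not None and now - first < REPLAY_WINDOW:
            return "rejected: replay"  # same packet seen again inside the window
        ip, port, ts = body[16:].decode().split("|")
        if abs(now - int(ts)) > REPLAY_WINDOW:
            return "rejected: stale timestamp"  # older packets need no cache entry
        if ip != src_ip:
            return "rejected: source IP mismatch"  # embedded IP must match the sender
        self.seen[digest] = now
        self.rules.append((ip, int(port), now + self.rule_ttl))
        return "accepted"

    def active_rules(self, now: float) -> list[tuple[str, int]]:
        """Rules still open; the rule is removed again once its lifetime ends."""
        return [(ip, port) for ip, port, exp in self.rules if exp > now]
```

The stale-timestamp check bounds how long the replay cache must remember a digest: anything older than the window is refused before the cache is consulted.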
