Advances In Single Packet Authorization (Build It!) presented at ShmooCon 2006

by Michael Rash

Tags: Security Access Monitoring Exploitation

Summary: This talk will demonstrate some recent advances in Single Packet Authorization (SPA) as implemented by fwknop. In particular, a working demonstration of code that implements the following new capabilities will be presented:
A patch to OpenSSH that integrates the fwknop client directly.
Integration of GPG key rings as an optional replacement for the symmetric Rijndael algorithm.
The ability to require additional authorization credentials such as those required by LDAP and UNIX crypt() on the server side.
These new features will be included in fwknop-0.9.6, which will be released at ShmooCon.
Single Packet Authorization is becoming an increasingly important method of protecting arbitrary network services through the use of a kernel-level filtering mechanism such as Netfilter in the Linux kernel. After all, even OpenSSH, which is developed by some of the best security programmers around, occasionally contains remotely exploitable vulnerabilities. Cryptographically tying access to these services to a packet filter and a passively monitoring Ethernet sniffer means that an attacker cannot even talk to the TCP stack on the system where a service is running without first supplying a valid authorization packet. Hence, access to vulnerable code paths is drastically reduced, which makes even the exploitation of 0-day vulnerabilities more difficult. More information on fwknop can be found at: http://www.cipherdyne.org/fwknop/