Michael Rash, Security Researcher

Cipherdyne Projects in the News


Single Packet Authorization Site

Sebastien Jeanquier, who wrote his Master's Thesis about port knocking and Single Packet Authorization, has started a security site and blog at This thesis was the first to make a strong academic argument for why neither port knocking nor SPA suffers from the age-old "security through obscurity" problem, and it made several suggestions for improving the fwknop implementation of SPA. An introductory post on the new site states:

Security is time-consuming, and it deals heavily with hidden threats. Due to this demanding and unknown nature, many people commonly do one of two things. They either try to forget all about it, or they make the wrong choices.

I've created this site out of my passion for security and, being a long time Mac user, applying the two together feels only natural with the growing number of Mac users, and an ever-greater demand for security.

Sebastien was instrumental in helping to port fwknop to Mac OS X, and hopefully his new site will drive the adoption of SPA technology for Mac users. Be sure to check out his post on Securing Leopard, and Digg it if you like!

Richard Bejtlich References Single Packet Authorization

Richard Bejtlich, founder of TaoSecurity, has made a posting to his blog that references Single Packet Authorization in the context of making it harder to discover and communicate with SSHD from arbitrary IP addresses. One of the points he makes is that it is important to force a would-be attacker to fight your fight instead of letting the attacker dictate the stage on which the battle is fought. For example, if an attacker possesses a zero-day exploit for SSHD, then leaving SSHD reachable from arbitrary sources is a serious risk: the exploit works before any authentication takes place. One of Richard's readers posted a particularly cogent comment about the concept of "security through obscurity":

As for changing the port for SSH - my belief is that at times we get so hung up on the tags - "security by obscurity" that we cease to see the valid strategies that they can cover. Simply because we denigrate the people who rely solely on it doesn't mean that it isn't part of a valid defensive scheme.

I completely agree. Fortunately however, Single Packet Authorization does not suffer from security through obscurity. SPA essentially ties access through a default-drop packet filter to a protected service via strong cryptographic means. A nice byproduct of this is that services are not advertised to the world, but this is a consequence of the default-drop packet filter. The security of SPA does not rely on keeping the mechanism secret and hoping that it is not discovered; all source code to every SPA implementation that I am aware of is open and published to the world. SPA is no more security through obscurity than passwords or encryption algorithms themselves.
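To make that argument concrete, here is an added example of the HMAC-style SPA variant (my illustration for this page, not fwknop's code or its wire format, which carries an encrypted packet). Everything about the mechanism is public; the only secret is the pre-shared key. The client builds one packet, nonce || timestamp || "src_ip,port" with an HMAC-SHA256 tag, and the server authenticates it before parsing a single field, rejects stale or replayed packets, and only then records an allow rule that a default-drop filter would consult. The key value, the 16-byte nonce, the 120-second window, the in-memory replay cache and the names build_spa_packet and SpaGate are all assumptions of the example.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Assumption of this example: a key shared out of band with each client.
SHARED_KEY = b"example-pre-shared-key-change-me"

NONCE_LEN, TS_LEN, MAC_LEN = 16, 4, 32


def build_spa_packet(key, src_ip, port, now=None, nonce=None):
    """Client side: nonce || timestamp || "src_ip,port", tagged with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    payload = nonce + struct.pack("!I", now) + f"{src_ip},{port}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag)


class SpaGate:
    """Server side: the decision a default-drop filter consults before opening a hole."""

    def __init__(self, key, window=120):
        self.key = key
        self.window = window          # seconds of clock skew tolerated (assumed value)
        self.seen_nonces = set()      # replay cache; in memory for illustration only
        self.allowed = set()          # (src_ip, port) pairs the filter now lets through

    def receive(self, packet, now=None):
        """Process one SPA packet; returns 'accept:ip:port' or 'drop:<reason>'."""
        now = int(time.time()) if now is None else now
        try:
            raw = base64.b64decode(packet, validate=True)
        except ValueError:
            return "drop:malformed"
        if len(raw) <= NONCE_LEN + TS_LEN + MAC_LEN:
            return "drop:short"
        payload, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
        # Authenticate first: a sender without the key never reaches the parser below.
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "drop:bad-mac"
        nonce = payload[:NONCE_LEN]
        (ts,) = struct.unpack("!I", payload[NONCE_LEN:NONCE_LEN + TS_LEN])
        if abs(now - ts) > self.window:
            return "drop:stale"
        if nonce in self.seen_nonces:
            return "drop:replay"
        self.seen_nonces.add(nonce)
        src_ip, port = payload[NONCE_LEN + TS_LEN:].decode().split(",")
        self.allowed.add((src_ip, int(port)))
        return f"accept:{src_ip}:{port}"

    def permits(self, src_ip, port):
        """What the packet filter would ask for an inbound connection attempt."""
        return (src_ip, port) in self.allowed


if __name__ == "__main__":
    gate = SpaGate(SHARED_KEY)
    pkt = build_spa_packet(SHARED_KEY, "203.0.113.5", 22)
    print(gate.receive(pkt))          # accept:203.0.113.5:22
    print(gate.receive(pkt))          # drop:replay (same nonce resent by a sniffer)
    print(gate.receive(build_spa_packet(b"wrong-key", "203.0.113.9", 22)))  # drop:bad-mac
```

The order of the checks is the point: the MAC is verified over the raw bytes before the timestamp, nonce or address is interpreted, the window bounds how long a captured packet stays usable, and the nonce cache stops it being resent inside that window. Nothing here depends on the format being secret; a reader of this code gains nothing without the key.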

CipherDyne Blogspot Page Created

The current CipherDyne website is managed by a set of custom perl scripts that create and edit a series of static HTML pages. This eliminates CGI scripts, which is good for security, but it means that people cannot leave comments on stories posted to the CipherDyne blog. I have created a parallel blog on Blogspot so that comments can be tied to stories. Another consequence is that Google searches for content related to CipherDyne projects and concepts may become more effective, depending on how the new blog is indexed. The content on the new blog will be largely the same as the original, but occasionally I may post some stories there that are more speculative in nature than the generally technical or "software release" posts on the main blog. If people have comments about the stories, please post them on the new blog for all to see. In the spirit of open source development, this is the best way to share new ideas about the topics discussed here.

Both Ron Gula and Raffael Marty have tagged my blog, so this post is my enthusiastic participation in this activity. Five things about me that relatively few people know:

1. In 1997, I enrolled in the Ph.D. program in pure mathematics at the University of Maryland after finishing my undergraduate degree also in mathematics at the same university. At the same time, I was working at Digex, Inc., and discovered that I was extremely interested in computer security. The consequence was that I changed my degree path to a Master's in applied mathematics with a concentration in computer security. (Oh, and this degree was a lot easier to achieve and more practical at the same time.)
2. Every summer, I try to make it to the Blackhat Briefings and Defcon, which are held in Las Vegas. This is convenient because it means I can usually go see Zion National Park, which is the best thing about Vegas. The park is under a three hour drive from the city, and features some of the tallest sandstone cliffs in the world along with a world famous hike called The Narrows.
3. Valgrind is an invaluable tool for anyone who develops C applications. I'm using it to help verify proper operation of an IDS product that runs on Linux.
4. I collect rocks and minerals, and have a keen interest in geology. It has always fascinated me how geologists look at solid land features (such as mountain ranges) almost as a fluid because of the time scales they are accustomed to thinking in.
5. Whenever I visit a major city, I try to see as many museums as possible. I'm partial to natural history museums, and the Smithsonian Museum of Natural History in Washington D.C. is certainly one of the best.

I'm tagging the following people:

Tenable Network Security and Log Parser for psad Events

Tenable Network Security, under the direction of Ron Gula, has released a parser library for their Log Correlation Engine (LCE) so that syslog events from psad can be imported and analyzed. As the adoption of Linux systems continues to accelerate in both the commercial and non-commercial sectors, more people are in a position to run the iptables firewall to enhance their security posture. With the verbose logging format offered by iptables, it is possible to detect a significant number of attacks that are visible in the network and transport layer headers. psad automates this detection process, and now its output can be integrated with Tenable's product line. For more information, see the blog post on the Tenable Blog.
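As an added illustration of what the verbose iptables log format makes detectable (my example for this page, not psad's code or Tenable's parser), here is a small parser for the key=value records the LOG target writes, with two psad-style checks run over it: malformed TCP flag combinations (NULL, Xmas and SYN/FIN probes) and one source touching many distinct destination ports. The log lines are constructed, not captured traffic, and the port_threshold cut-off and the function names are assumptions of the example rather than psad settings.

```python
import re
from collections import defaultdict

# The LOG target writes key=value pairs (SRC=..., DPT=...) plus bare TCP flag
# tokens (SYN, ACK, ...) after the kernel timestamp.
KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_iptables_log(line):
    """Parse one syslog line from the iptables LOG target.

    Returns the key=value fields as a dict of strings plus a 'FLAGS' entry
    holding the set of TCP flag tokens present, or None when the line is not
    an iptables log record.
    """
    start = line.find("IN=")
    if start == -1:
        return None
    record = line[start:]
    fields = dict(KV_RE.findall(record))
    fields["FLAGS"] = {tok for tok in record.split() if tok in TCP_FLAG_TOKENS}
    return fields


def classify_tcp_flags(flags):
    """Name the classic malformed-flag probes; None for an ordinary segment."""
    if not flags:
        return "NULL scan"
    if {"FIN", "PSH", "URG"} <= flags and "ACK" not in flags:
        return "Xmas scan"
    if {"SYN", "FIN"} <= flags:
        return "SYN/FIN scan"
    return None


def analyze(lines, port_threshold=5):
    """Return a sorted list of (source IP, description) alerts.

    port_threshold is an illustrative cut-off (an assumption here, not a psad
    setting): a source that hits that many distinct TCP/UDP destination ports
    is reported as a port scan.
    """
    ports_by_src = defaultdict(set)
    alerts = set()
    for line in lines:
        f = parse_iptables_log(line)
        if f is None or f.get("PROTO") not in ("TCP", "UDP") or "DPT" not in f:
            continue
        src = f["SRC"]
        ports_by_src[src].add((f["PROTO"], int(f["DPT"])))
        if f["PROTO"] == "TCP":
            kind = classify_tcp_flags(f["FLAGS"])
            if kind:
                alerts.add((src, kind))
    for src, ports in ports_by_src.items():
        if len(ports) >= port_threshold:
            alerts.add((src, f"port scan: {len(ports)} ports"))
    return sorted(alerts)


# Constructed sample log: hosts, interface and timestamps are made up, but the
# field layout is the one the LOG target emits for TCP and UDP packets.
def _log_line(src, dpt, flags=("SYN",), proto="TCP"):
    flag_str = (" " + " ".join(sorted(flags))) if flags else ""
    tail = f" WINDOW=1024 RES=0x00{flag_str} URGP=0" if proto == "TCP" else " LEN=20"
    return (f"Mar 10 12:00:01 gw kernel: [ 4242.001] IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=198.51.100.2 "
            f"LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO={proto} SPT=40001 DPT={dpt}"
            + tail)


SAMPLE_LOG = (
    [_log_line("203.0.113.7", p) for p in (21, 22, 23, 25, 80, 443)]   # SYN sweep
    + [_log_line("198.51.100.9", 80, {"FIN", "PSH", "URG"}),          # Xmas probe
       _log_line("198.51.100.9", 139, set()),                          # NULL probe
       _log_line("192.0.2.1", 22),                                     # one SYN to SSH
       _log_line("192.0.2.1", 53, proto="UDP")]                        # one UDP datagram
)

if __name__ == "__main__":
    for src, what in analyze(SAMPLE_LOG):
        print(f"{src:15} {what}")
```

Running it reports the NULL and Xmas probes from 198.51.100.9 and the six-port sweep from 203.0.113.7, while the single SSH connection and DNS query from 192.0.2.1 stay quiet; that is the kind of header-level signal psad extracts and that the LCE parser now ingests.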

Fwknop Client in MacPorts

Blair Zajac has added the fwknop client to the MacPorts software repository. This makes it easy to install the client piece of fwknop on Mac OS X systems without having to download and build from source. Although the fwknop server cannot run on Mac OS X, because it depends on iptables and iptables has not been ported to it, the client can still be used to authenticate to a remote Linux system that is running fwknop in server mode.

Netfilter Development Mailing List Thread on Port Knocking

The netfilter-devel mailing list is the main discussion forum for technical development issues surrounding Netfilter and iptables. Recently, a thread entitled "new match extension to implement port knocking" appeared on this list, in which a new Netfilter match is proposed to accomplish in-kernel port knocking and an HMAC variation of Single Packet Authorization. A proof of concept implementation is available here. While building some port knocking/SPA functionality into the kernel can be useful for some applications, I think this strategy is not generally flexible or scalable enough for many SPA deployments. Still, it is an interesting concept, and it goes to show that people are interested in authenticating to default-drop packet filters in order to give network services an added layer of security.

M.S. Thesis on SPA at the University of London

Sebastien Jeanquier has completed a Master's Degree in Information Security with the Information Security Group (ISG) at Royal Holloway College, University of London. His thesis is entitled "An Analysis of Port Knocking and Single Packet Authorization" and can be downloaded here. He has started a website dedicated to the concepts of port knocking and Single Packet Authorization. Fwknop is given significant coverage in his thesis (some excellent points Sebastien makes about things to enhance in fwknop have been addressed in the fwknop-0.9.8 release after discussion with him).

HowtoForge on Setting Up Bastille-Linux On CentOS

HowtoForge has published a Howto on configuring Bastille-Linux on CentOS. The Howto is entitled "Securing the CentOS Perfect Setup with Bastille" and includes information on how to configure the Port Scan Attack Detector (psad).

Richard Bejtlich on Fwknop

Richard Bejtlich, founder of TaoSecurity, has made a posting to his blog about the article I wrote for the USENIX ;login: Magazine entitled "Single Packet Authorization with Fwknop". The SPA concept is catching on!