Challenge-response port knocking for TCP

Thomas Shaddack shaddack at ns.arachne.cz
Fri Mar 19 23:21:26 PST 2004


The idea of advertising opportunistic crypto presence in TCP/SYN inspired
me with another one: an authenticated connection handshake for the TCP protocol.

Scenario: Application listening on port P of server S, only for
authenticated users.

Unknown user sends TCP/SYN to S:P, gets back TCP/RST, with challenge in
MD5 field of TCP options. The user doesn't support this scheme, so
considers the port closed.

An unknown, now known, user sends TCP/SYN, gets back TCP/RST with the
challenge, sends another TCP/SYN, this time with the response calculated using
a shared secret, again in the TCP MD5 option field, and gets back TCP/SYNACK.

The random challenge should be sent back in all TCP/RST packets, otherwise
port scanning will still be possible.

Is it a good idea? Could it work? Why not?
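The exchange described above, as an added simulation that is not part of the original post: a server that answers every SYN with an RST carrying a fresh 16-byte challenge in the MD5 option slot and only returns SYN/ACK when a second SYN carries the right response. The response function (HMAC-MD5 over challenge and destination port) and the per-(source, port) challenge table are my assumptions, not anything the post specifies.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

SYN, RST, SYNACK = "SYN", "RST", "SYN/ACK"


@dataclass
class Segment:
    """Only the fields of a TCP segment this simulation cares about."""
    src: str                         # source address of the sender
    dport: int                       # destination port
    flags: str
    md5opt: Optional[bytes] = None   # 16-byte TCP MD5 option payload (RFC 2385 digest size)


def compute_response(secret: bytes, challenge: bytes, dport: int) -> bytes:
    # Assumed response function: HMAC-MD5 over challenge and port gives 16 bytes, which
    # fits the MD5 option. Binding the port stops a response for one port being reused
    # against another.
    return hmac.new(secret, challenge + dport.to_bytes(2, "big"), hashlib.md5).digest()


class KnockServer:
    def __init__(self, secret: bytes, open_ports, rng=os.urandom):
        self.secret, self.open_ports, self.rng = secret, set(open_ports), rng
        self.pending = {}  # (src, dport) -> outstanding challenge; bound its size in practice

    def handle(self, seg: Segment) -> Optional[Segment]:
        if seg.flags != SYN:
            return None
        key = (seg.src, seg.dport)
        chal = self.pending.pop(key, None)  # every challenge is single-use (no replay)
        if chal is not None and seg.md5opt is not None and seg.dport in self.open_ports:
            expected = compute_response(self.secret, chal, seg.dport)
            if hmac.compare_digest(expected, seg.md5opt):
                return Segment("server", seg.dport, SYNACK)
        # Anything else gets an RST with a fresh challenge, closed ports included, so a
        # scanner cannot tell a protected port from a closed one (the post's last point).
        chal = self.rng(16)
        self.pending[key] = chal
        return Segment("server", seg.dport, RST, chal)


def knock(server: KnockServer, src: str, dport: int, secret: bytes) -> Segment:
    """Client side: plain SYN, take the challenge from the RST, answer in a second SYN."""
    first = server.handle(Segment(src, dport, SYN))
    if first.flags != RST or first.md5opt is None:
        return first
    answer = compute_response(secret, first.md5opt, dport)
    return server.handle(Segment(src, dport, SYN, answer))
```

Note that the server keeps state per unanswered challenge, including for closed ports, so a real implementation needs an expiry and a cap on that table.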
