Single Packet Authorization
Single Packet Authorization (a form of Port Knocking), is a technique for securely communicating authentication and authorization information across closed firewall ports, usually with the goal of opening certain ports to allow temporary access. By keeping most or all ports closed on a server hosting remotely-accessible services, it is possible to make that host invisible to the outside, thus protecting each listening service.
As per its name, Single Packet Authorization (SPA) communicates all of the necessary information in a single encrypted authorization packet (usually using TCP, UDP or ICMP). This is in contrast with older methods of Port Knocking where the client would have to send large numbers of packets to different ports on the server in order to transmit information.
Upon receiving a valid authorization packet, the server can validate the integrity of the packet as well as the identity of the client. Once authenticated, and based on a set of pre-defined rules, the packet can request the server to open a particular port in its firewall for a pre-determined amount of time (eg. 10 seconds). This would then allow the client to establish a TCP connection to the listening service, which would remain open after the firewall port was closed. This is just one example of basic SPA functionality, and some implementations offer more advanced and unique actions that can be performed post-authentication.
Due to the flawed nature of original port knocking methods, or a lack of understanding of the core principles behind Single Packet Authorization, it’s sometimes thought of as security through obscurity. There are several reasons why SPA doesn’t fall under the ‘security through obscurity’ banner, and I cover these in section 4.1 of my thesis (below).
In 2006 I wrote my Masters thesis on the topics of Port Knocking and Single Packet Authorization, since then SPA has already evolved quite a bit.
I’m working on restoring this page to contain all kinds of information about Single Packet Authorization. Check back soon.
In the meantime, have a look at the SPA Resources page.
Join the discussion by visiting the Single Packet Authorization forum!
Here’s a video I put together of SPA in action using fwknop: