Single Packet Authorization with simpleSPA
I was just made aware of simpleSPA, a recently-released Java implementation of Single Packet Authorization by Chris Chrysler. The package provides a Linux-only server-side daemon, and a Linux and Windows client. Although I haven’t testing it yet, I assume the client will also work on Mac OS X. This implementation requires a Linux server as it relies on iptables being the firewall. simpleSPA uses two RSA keys in order to encrypt the authentication information. The first key encrypts the username of the user requesting access, while the second key is used to encrypt a pre-shared key and a timestamp (for freshness). The resulting authorization packet is then sent via UDP to the server. Although a timestamp is used, there doesn’t appear to be an explicit check for previously-received packets (ie. using a hash), so there may be some for time-limited replay attacks. Because RSA and public-keys are used, it’s a shame to see that it doesn’t use digital signatures to protect the payload.
simpleSPA does not allow for dynamic configuration of the firewall. As such, upon receiving a valid authorization packet (using Jpcap to sniff the wire), the server looks at a pre-defined config file that defines the firewall port(s) to be opened for the requesting user. Furthermore the port is opened for the IP that made the request, thus not allowing the client to embed an IP within the request and open a port out-of-band. The author states that this implementation is primarily an academic proof-of-concept at this point, and so is nowhere near as complete as other implementations such as fwknop (Perl/C) and Aldaba (C). It is nice, however, to see continued research and development into SPA as well as a Java implementation!
Creating a Secure Mac/PC Portable USB Drive
Ever since the release of the IronKey I’ve been drooling over the device (good thing it’s waterproof I guess). Due to not wanting to pay so much for a USB key, I decided to make my own. I grabbed myself a 32GB USB key, and got to work on making it as close to the IronKey as possible.
BackTrack 4 r2 “Nemesis” Released
[Update 10/5/2011] BT4r2 is now superceded by the new and improved BackTrack 5!
BackTrack 4 r2 (codename “Nemesis”) has been released and brings a number of updates aimed at improving “desktop responsiveness, better hardware support, broader wireless card support, streamlined work environment”.
Updates include an updated kernel (2.6.35.8) with improved wireless support, USB 3.0, faster responsiveness, pruned and new packages, and a new BackTrack wiki for more documentation and support.
Users with existing BT4 installs/VMs can simply perform an update using:
apt-get update && apt-get dist-upgrade
BackTrack 4 r2 is available as a 2GB ISO, or 2.4GB VMWare image, on the downloads page (the BT4 download links appear to have been removed in favour of BT5).
Chronic dev team releases greenpois0n jailbreak
The chronic dev team (@chronicdevteam) have released greenpois0n, their iOS jailbreak tool featuring an implementation of geohot’s bootrom exploit. Downloads are available for Mac OS X, Windows and Linux. It also only works on iOS 4.1.
This release of greenpois0n supports:
– iPhone 4
– iPhone 3G S
– iPod touch (4th Generation)
– iPod touch (3rd Generation)
– iPad
Soon there will be another release, adding things like support for:
– Apple TV (2nd Generation)
– iPod touch (2nd Generation)
[Updated 4/2/2011] greenpois0n updated to jailbreak iOS 4.2.1
BackTrack 4 R1 Public Release
Following a limited pre-distribution at BlackHat in Las Vegas, muts and the guys at Offensive Security have released the final version of BackTrack 4 R1. The changes are primarily kernel update (2.6.34) and improved wireless drivers. All packages have been updated, and a full Fluxbox desktop environment has also been added – see screenshot below and others here.
BackTrack is an Ubuntu-based Linux distribution geared towards hackers/penetration testers, and comes with a variety of pre-installed security tools. The distro can be used as a Live-DVD, or installed like a normal Linux install. BackTrack 4 was released 6 months ago, on the 9th January 2010. The roadmap for the project can be found here.
The R1 ISO weighs in at 2GB and the VMWare image is 2.5GB. Both downloads are available here.
ipt_pkd – Single Packet Authorization iptables Extension
I stumbled onto the ipt_pkd project recently, although apparently it’s been around since 2007. ipt_pkd is an iptables extension that allows you to do hash-based Single Packet Authorization directly within the iptables firewall. The project provides 3 parts: the kernel module ipt_pkd, the iptables user space module libipt_pkd.so, and a user space client knock program. The knock program (either a Python script or Windows exe) is used to send a UDP authorization packet.
The authorization packet consists of a SHA-256 hash of the following parameters: packet source port number, current time, some random data and a secret key. The current time and random bytes are then sent in the clear so that the server can recreate the hash. The final knock packet is 64 bytes long consisting of an 8-byte header, 4-byte id, 8-byte time, 12-byte random value, and the 32-byte SHA-256 hash.
The daemon does do some replay protection by storing valid hashes it has received and comparing newly received hashes against that list. It also does a verification of the timestamp to check for freshness.
I haven’t yet had the chance to try this one out or assess the security of the implementation, but it’s interesting to see an implementation in the form of an kernel module/iptables extension. If anyone’s tried this out I’d be interested to hear about it.