Single Packet Authorization (Linux Journal)
Posted Mar 11, 2007 21:32 UTC (Sun) by ekj
Parent article: Single Packet Authorization (Linux Journal)
I'm extremely skeptical of any "security"-product designed by people who sprout useless crap like:
For instance, the raw ElGamal algorithm used by GnuPG doubles the plain-text size when encrypting data. Even though GnuPG also utilizes compression (which can sometimes reduce the size of the cipher text to below the original size of the plain text), the typically large key size of GnuPG keys implies that the cipher text for even the smallest messages will be in the hundreds of bytes.
Stupidity ^ 3.
First, all major encryption-algorithms are 1:1 in size plaintext-ciphertext, it doesn't matter if you encrypt using AES, triple-Des, Twofish or Blowfish, in all cases the ciphertext is going to be exactly as large as the plaintext. Thus, the entire rationale, that "ciphertext is large" is plain and simple bullshit.
Secondly, port-knocking ain't really designed to guard against an attacker that has full access to your network-traffic and can scan and replay at will. It's designed to make automated scanning and zero-day automated exploits just that little bit more difficult. A 5-port knocking-sequence has 80 bits of entropy, the odds that a random scanner gets it rigth are 1:2^80, which is adequate for repelling most automated attacks.
Third, moving crypto into this layer actively *hurts* security. The point is to have a guardian that is so simple that you can feel completely confident that the guardian itself has no bugs.
The moment you have a crypto-application listening on udp:6112 (or whatever) for a magical packet, you're not much better off than just letting sshd do the same job on a tcp-port. The *sole* remaining possibly useful idea is the idea: "Don't let an attacker know that you're even listening until he has successfully convinced you he is a friend".
to post comments)