Single Packet Authorization (Linux Journal)
Posted Apr 14, 2007 17:04 UTC (Sat) by mrash
In reply to: Single Packet Authorization (Linux Journal)
Parent article: Single Packet Authorization (Linux Journal)
All of the encryption algorithms you mention as 1:1 plaintext-ciphertext ratio are _symmetric_ ciphers. ElGamal is not a symmetric cipher. While I don't know what the exact ratio is (and I suspect there will be differences depending on the size of the plaintext - especially if the plaintext size is very small), try encrypting a single byte of data with an ElGamal cipher and take a look at how large the ciphertext is. It is not 1 byte.
Your statement about the fact that "port knocking is not designed to guard against an attacker that has full access to your network-traffic and can scan and replay at will" is true because port knocking has such serious limitations. SPA is designed to offer protection from just such an attacker. The fwknop (http://www.cipherdyne.org/fwknop) implementation is written in a buffer-safe language (perl) using standard encryption algorithms. While I agree that no software is 100% secure (ever), that is not the point. I'm trying to make the "prove you are a friend before granting access through the firewall" stance as strong as possible.
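The ciphertext-expansion point in the comment above can be checked directly. The following is an added example, not code from the comment author or from fwknop: textbook ElGamal in Python over a toy 61-bit Mersenne prime (an assumption chosen so the size arithmetic is easy to read, not a secure parameter), encrypting a single byte and measuring the serialised ciphertext.

```python
import secrets

# Toy parameters, constructed for illustration only. A 61-bit prime is far
# too small for real use, but it makes the size arithmetic obvious; real
# ElGamal keys are 2048 bits or more, so each component would be 256 bytes.
P = 2**61 - 1   # Mersenne prime
G = 5           # an element of Z_P^*; any element suffices for the size demo

def keygen():
    """Return (private x, public h = G^x mod P)."""
    x = 2 + secrets.randbelow(P - 3)        # x in [2, P-2]
    return x, pow(G, x, P)

def encrypt(h, m, k=None):
    """Textbook ElGamal: ciphertext is the pair (G^k, m * h^k) mod P."""
    if not 1 <= m < P:
        raise ValueError("plaintext must be encoded as an element of Z_P^*")
    if k is None:
        k = 2 + secrets.randbelow(P - 3)    # fresh ephemeral exponent
    return pow(G, k, P), (m * pow(h, k, P)) % P

def decrypt(x, ct):
    """Recover m = c2 * (c1^x)^-1 mod P."""
    c1, c2 = ct
    s = pow(c1, x, P)                       # shared secret G^(x*k)
    return (c2 * pow(s, -1, P)) % P         # pow(.., -1, P) = modular inverse

def ciphertext_bytes(ct):
    """Serialise both components at the fixed width needed for elements of Z_P."""
    elem_len = (P.bit_length() + 7) // 8    # 8 bytes for the toy prime
    c1, c2 = ct
    return c1.to_bytes(elem_len, "big") + c2.to_bytes(elem_len, "big")

def expansion_for_one_byte(plaintext_byte=0x41):
    """Encrypt a single byte and return the ciphertext length in bytes."""
    x, h = keygen()
    ct = encrypt(h, plaintext_byte)
    assert decrypt(x, ct) == plaintext_byte
    return len(ciphertext_bytes(ct))        # 16 for the toy prime, never 1
```

The expansion is fixed by the group size, not the message size, which is why deployed systems normally use ElGamal to wrap a symmetric session key and encrypt the bulk data symmetrically.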