GithubHelp home page GithubHelp logo

xiaosen83 / spa Goto Github PK

View Code? Open in Web Editor NEW

This project forked from chocof/spa

0.0 1.0 0.0 32 KB

A mechanism for achieving authentication over closed network ports

License: MIT License

Python 100.00%

spa's Introduction

SPA (Single Packet Authorization)

Description

Most network protocols establish a connection before authorization with client takes place. The problem with this is that open ports are visible to outsiders and therefore are susceptible to network attacks.

The first solution to this problem was the Port Knocking Protocol. The client, in order to open and sustain a TLS connection with the server, would first have to send some packets to a predefined sequence of ports. However this protocol was also susceptible to a list of attacks

SPA is a solution that maintains the basic Port Knocking's idea (authorize -> connect) while trying to solve its problems.

Start

Implementation

Packet

This implementation is based on fwknop' version of SPA as well as the RFC 4226. A SPA packet payload has the following fields :

  • AID(32B): agent ID which is a unique ID for the device. (UUID is recommended)
  • Password(32B): user password
  • Random(4B): Random number created in order to find doubles and avoid MiTM attacks
  • MD5 Hash(16B): MD5 Hash of the following fields. Used in order to detect changes to initial payload
  • New Seed(32B): Seed to be used in the next client-server interaction
  • IP(4B): Client IP to be allowed in firewall
  • Port(4B): Port to allow tcp connections The whole payload is then encrypted via AES256 using the common seed(32B) shared between the server and the client.

The server runs the SPA server daemon. This thread blocks access to all ports and monitors the network for SPA packets. Once an SPA packet has been received it tries to authenticate it. Once the packet is authenticated it allows the client to connect to the given port and ip.

spa_lib

Client

get_public_ip()

Returns the client's public IP

get_network_ip()

Returns the client's network IP

port_is_open(ip, port)

Check if SPA worked and SPA server has allowed firewall access

generate_seed(l)

Generate random string of size l

send_spa(aid, password, seed, new_seed, ip, port, server_ip)

  • AID : ID of the client
  • password : password of the client
  • seed : seed to encrypt the packet with
  • new_seed : seed to be used in the next transaction (must be 32 bytes, best use designated function)
  • ip, port : IP and port to request access to (in order to get IP use one of the designated fucntions)
  • server_ip : the ip of the SPA server

Usage

Ideally the client shall try to authenticate itself. The server changes the shared seed only if authentication was successful therefore the client shall change the encryption seed only once it is authenticated

Example:

aid = "92de863e74dbbe8d9b8da1e2a476ca6f"
password = "mypassword"
seed = "46facea6c4f41fdd11e8acf9646e69b2"
new_seed = spa_lib.generate_seed(32)
ip = spa_lib.get_public_ip()
server_ip = "30.205.223.69"
port = 443

while True:
	spa_lib.send_spa(aid, password, seed, new_seed, ip, port, server_ip)
	if spa_lib.port_is_open(server_ip, port):
		break

# store new key for next transaction
user_files.store(me, {seed : new_seed})

Server

Class spaListener(interface, block_all, change_seeds, allowed_ips, fw_label,

db_host, db_user, db_passwd, db, db_port)

This is the SPA Server. It runs as a background daemon threads, blocks access to all of the system's ports, listens for SPA packets and authenticates clients.

  • interface : interface to listen to for packets
  • block_all : block or firewall connections (default : True)
  • change_seeds : change each client's seed to new_seed after successful authentication (default : True)
  • allowed_ips : a list with ips to allow (in case where the block_all option is set)
  • fw_label : the label to add to new firewall rules as a comment (default : 'spa_server')
  • db_host, db_user, db_passwd, dp_port : Credentials used to connect to the database in which client data are stored
start()

Start daemon thread

block()

Block program execution until the SPA server closes

terminate()

Terminate the SPA server

is_alive()

Check if SPA server is alive

add_firewall_entry(ip, label, ctstate)

Add a new firewall entry

  • ip : IP to allow firewall entry to
  • label : label for new ALLOW rule
  • ctstate : Set rule to accept NEW,ESTABLISHED or both (default : 'NEW, ESTABLISHED')
set_client_established(label)

Sets the rule with the corresponding label to accept connections only from ESTABLISHED clients

add_client(password, seed)

Creates a new client to the database with the corresponding password and seed. The seed must be 32 bytes (use the generate_key function)

edit_client(aid, password)

Edits the password of the client with the specified id

remove_client(aid)

Removes the client with the specified id

set_new_seed(aid, seed)

Changes the used shared seed for the client with the specified id

use_old_seed(aid)

Instructs the SPA server to use the previously used shared secret seed to decrypt client messages for the client with the corresponding id

Usage

The user has to first initialize the SPA server and then start the SPA daemon thread.

interface = 'wlan0'
block_all = True
change_seeds = True
allowed_ips = "127.0.0.1"
fw_label = "my_firewall"
#mysql creds
db_host="localhost"
db_user="root"
db="spa_db"
db_passwd="drowssap"
db_port=3316

s = spa_lib.spaListener(interface, block_all, change_seeds, allowed_ips, fw_label,
		db_host, db_user, db_passwd, db, db_port)
#initiate daemon thread
s.start()

try:
	s.block()
except KeyboardInterrupt as err:
	s.terminate()

Project not yet completed

This project is still under development

spa's People

Contributors

chocof avatar

Watchers

Kevin Wang avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.