Comparing BlackRidge TAC vs. Port Knocking

by John Hayes, co-founder and CTO

We are occasionally asked if BlackRidge Transport Access Control (TAC) isn’t just another form of port knocking. While both TAC and port knocking provide forms of authentication before allowing network packets to proceed, the similarities end there. TAC is far more scalable, is easier to deploy with fewer operational limitations, and provides quantifiable security that ensures a minimum level of security regardless of the number of clients operating.

Atomic Session Authentication
The first important distinction between TAC and port knocking is that TAC is atomic with respect to TCP session establishment. Specifically, a TAC token is included in packets containing a TCP SYN. With port knocking, the knocks are separate packets that must be associated with each other by their common source IP address.

The second important distinction is that TAC is applied on a per-session basis, while port knocking can only operate on a source IP address. All TAC tokens for an authentication instance are associated with the same session (same source IP address, source port, destination IP address and destination port). In port knocking, only the source IP address can be used to associate multiple knocks with each other. This limits the applicability of port knocking when multiple port knocking clients are mapped to the same source IP address by a device performing client NAT.

With client NAT (Network Address Translation), multiple unique clients appear to have the same source IP address. When multiple port knocking clients are mapped to the same source IP address and perform port knocking at the same time, the port knocking enforcement point does not have enough information to disentangle individual knocks, resulting in authentication failures. Other network activity such as port scanning can also interfere with port knocking. TAC does not suffer from this limitation, because authentication occurs on a per-session basis, not on a per-address basis. This allows TAC to individually authenticate multiple independent concurrent sessions from a single source IP address.
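The NAT collision described above, as an added example that is not BlackRidge code: a simplified knock tracker keyed only by source IP is run against two clients sharing one address, next to a per-SYN token check. The addresses, knock sequences, keys and the HMAC-based `token` function are constructed assumptions and do not represent the actual TAC token algorithm.

```python
import hashlib
import hmac
from collections import defaultdict

NAT_IP = "203.0.113.10"  # constructed: one public address shared by both clients
SEQS = {"alice": (7000, 8000, 9000), "bob": (7100, 8100, 9100)}  # constructed knocks
KEYS = {"alice": b"key-a", "bob": b"key-b"}  # constructed per-identity secrets

class KnockGate:
    """Port-knock tracker: the source IP is the only key that links knocks."""
    def __init__(self):
        self.history = defaultdict(list)  # src_ip -> destination ports seen

    def knock(self, src_ip, dport):
        hist = self.history[src_ip]
        hist.append(dport)
        for user, seq in SEQS.items():
            if tuple(hist[-len(seq):]) == seq:
                hist.clear()
                return user
        return None

def token(key, counter):
    """Hypothetical single-use token: HMAC truncated to the 32-bit SEQ field."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")

class SynGate:
    """Per-session check: each SYN carries its own token, so no cross-packet state."""
    def __init__(self):
        self.counter = {user: 0 for user in KEYS}
        self.sessions = {}  # (src_ip, sport, dst_ip, dport) -> identity

    def syn(self, src_ip, sport, dst_ip, dport, seq):
        for user, key in KEYS.items():
            if hmac.compare_digest(seq.to_bytes(4, "big"),
                                   token(key, self.counter[user]).to_bytes(4, "big")):
                self.counter[user] += 1  # a token is accepted once only
                self.sessions[(src_ip, sport, dst_ip, dport)] = user
                return user
        return None

def run_knocks(ports):
    gate = KnockGate()
    return [gate.knock(NAT_IP, p) for p in ports]

def run_syns():
    gate = SynGate()
    syns = [(40001, token(KEYS["bob"], 0)), (40002, token(KEYS["alice"], 0))]
    return [gate.syn(NAT_IP, sport, "198.51.100.5", 443, seq) for sport, seq in syns]
```

`run_knocks` with the two sequences interleaved never authenticates either client, while `run_syns` accepts both sessions from the same address in either order.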

Scalability and Probability
The next distinction between TAC and port knocking is the amount of information conveyed. A TAC token can carry 32 or 64 bits of information. With TAC, the token information is carried in the TCP SEQ and ACK fields, each of which is 32 bits in length. With port knocking, only the destination port can be used to convey the knock information and this field is 16 bits in length. Operationally, the information carrying capacity of the port field may be less than 16 bits due to some capacity being consumed by reserved ports.

The amount of information conveyed is important whenever a statistical authentication scheme is deployed on a large scale. The quantity of information is necessary to know since it is assumed that each TAC token or port knocking sequence is unique and used only once; otherwise it could be trivially copied. As the number of clients employing a statistical authentication scheme increases, so does the likelihood of guessing a valid token or knock sequence, thus decreasing the overall security of the system. To counter this, all TAC enforcement points have an adjustable probability threshold providing a floor to the likelihood of guessing a token, thereby ensuring a minimum level of security regardless of the number of clients operating.
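The scaling argument above, worked through as an added example (not BlackRidge code). It assumes an attacker guessing uniformly at random and a threshold enforced by capping how many single-use values are valid at once; the page does not say how TAC implements its threshold, and the one-in-a-million floor and the exclusion of ports 0-1023 are constructed values.

```python
from fractions import Fraction

def hit_probability(valid_tokens, space_size, guesses=1):
    """Chance that at least one of `guesses` independent uniform guesses is valid."""
    p = Fraction(valid_tokens, space_size)
    return 1 - (1 - p) ** guesses

def max_valid_tokens(space_size, floor):
    """Largest number of simultaneously valid values keeping one guess <= floor."""
    return int(Fraction(floor) * space_size)  # exact product, rounded down

SPACES = {
    "knock port, reserved ports excluded": 2**16 - 1024,  # assumption: 0-1023 unusable
    "knock port, full 16-bit field": 2**16,
    "TAC token, 32 bits": 2**32,
    "TAC token, 64 bits": 2**64,
}

def capacity_table(floor=Fraction(1, 10**6)):
    """Outstanding values each space can hold under the given per-guess floor."""
    return {name: max_valid_tokens(size, floor) for name, size in SPACES.items()}

if __name__ == "__main__":
    for name, limit in capacity_table().items():
        one_k = float(hit_probability(1000, SPACES[name]))
        print(f"{name}: limit {limit}, P(hit | 1000 valid) = {one_k:.3e}")
```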

Multiple Enforcement Points
Another distinction is that TAC can provide authentication at multiple points along the session path while port knocking only functions at a single location. A TAC token is conveyed in the same packet as the TCP SYN and accompanies the TCP SYN until it is accepted to establish a session or discarded. Because of this, the TAC token can be evaluated at multiple points along the session path, allowing for the establishment of multiple perimeters and enforcement points. With port knocking, the knocks are consumed by the port knocking enforcement point, preventing the deployment of multiple perimeters.

Low Observability
TAC and port knocking also differ in their “level of observability”. The TAC token is essentially a pseudorandom number: the output of a cryptographic hash with changing inputs. The TAC token replaces the TCP initial sequence number provided by the client’s TCP/IP protocol stack. A packet containing a TCP SYN and a TAC token cannot be differentiated from a packet containing a TCP SYN without a TAC token. With port knocking, each knock is a separate packet and is readily visible. The lack of response to knocks on closed ports may make the knocking appear to be a randomized port scan, and may further hinder the ability of other network security devices to monitor port scanning activity.

Mutual Authentication
A last distinction between TAC and port knocking is TAC’s ability to perform mutual authentication. TAC’s authentication is atomic in packets containing a TCP SYN; likewise, TAC places a second TAC token in the response packet containing the TCP SYN/ACK, providing mutual authentication between the client and the server. This allows a client using TAC to detect and thwart imposter servers before any user data is sent. Port knocking cannot provide mutual authentication.

Conclusion
When comparing TAC and port knocking, one must concede that TAC is more scalable, is operationally robust and provides a quantifiable level of security regardless of the number of clients, making it a superior option in securing the environment.