Skip to content

Zero Trust SPA V2 Protocol

The Single Packet Authorization (SPA) module has been upgraded to Version 2. This version introduces stringent security measures designed specifically for enterprise environments, mitigating advanced network threats like Replay Attacks and IP Spoofing.

Why SPA V2?

Traditional Port Knocking suffers from "Knock Sniffing". If an attacker observes the sequence of knocks, they can replicate it.

SPA Version 1 solved this by using a cryptographic payload (Ed25519 Signature + TOTP). However, an attacker could still intercept the UDP packet and rapidly "replay" it from their own IP address within the TOTP window (30 seconds).

SPA V2 solves this by introducing IP Binding and Replay Caching.

Protocol Mechanics

1. The Packet Structure

The V2 payload structure is strictly defined:

  • Version (uint8): Must be 2.
  • Timestamp (int64): For TOTP validation.
  • ClientIP (16 bytes): The actual IP address of the client requesting access.
  • Signature (64 bytes): Ed25519 signature over the payload data.

2. IP Binding Validation

When the spa-client generates a packet, it injects its own public IP into the ClientIP field.

The Verifier on the server performs a dual-check:

  1. It parses the ClientIP from the encrypted payload.
  2. It inspects the UDP header of the incoming network packet to extract the actualClientIP.

If ClientIP != actualClientIP, the packet is instantly rejected. This completely destroys IP Spoofing attempts.

3. The Replay Cache

Even if an attacker spoofs their IP (which is difficult but possible on local networks), they cannot replay the packet.

The Verifier maintains a Thread-Safe Replay Cache:

  • It hashes the entire incoming packet payload (SHA-256).
  • It stores this hash in memory for 5 minutes (sync.Map).
  • If another packet arrives with the identical hash, it is marked as DUPLICATED and dropped.

Constant-Time Comparison

To prevent Timing Attacks where an attacker measures the server's response time to guess valid tokens character-by-character, SPA V2 utilizes crypto/subtle.ConstantTimeCompare in Go, and XOR loops in the eBPF C code.

This ensures the processing time is identical whether the packet is valid or invalid.

Phantom Grid is an open-source Zero Trust security framework.