
AHAC: Advanced Network-Hiding Access Control Framework

by Mudi Xu 1, Benfeng Chen 2, Zhizhong Tan 1, Shan Chen 3, Lei Wang 1, Yan Liu 1, Tai Io San 4, Sou Wang Fong 4, Wenyong Wang 1,* and Jing Feng 5,*
1 School of Computer Science and Engineering, Macau University of Science and Technology, Macau 999078, China
2 AI Thrust, The Hong Kong University of Science and Technology (Guangzhou), Guangzhou 510000, China
3 Hangzhou Xianyin Information Technology Co., Ltd., Hangzhou 310000, China
4 Fnetlink Tecnology Co., Ltd., Macau 999078, China
5 China Telecom Co., Ltd. Sichuan Branch, Chengdu 610000, China
* Authors to whom correspondence should be addressed.
Appl. Sci. 2024, 14(13), 5593; https://doi.org/10.3390/app14135593
Submission received: 18 May 2024 / Revised: 14 June 2024 / Accepted: 22 June 2024 / Published: 27 June 2024
(This article belongs to the Special Issue Cloud Computing: Privacy Protection and Data Security)

Abstract:
In the current context of rapid Internet of Things (IoT) and cloud computing technology development, the Single Packet Authorization (SPA) protocol faces increasing challenges, such as security threats from Distributed Denial of Service (DDoS) attacks. To address these issues, we propose the Advanced Network-Hiding Access Control (AHAC) framework, designed to enhance security by reducing network environment exposure and providing secure access methods. AHAC introduces an independent control surface as the access proxy service and combines it with a noise generation mechanism for encrypted access schemes, replacing the traditional RSA signature method used in SPA protocols. This framework significantly improves system security, reduces computational costs, and enhances key verification efficiency. The AHAC framework addresses several limitations inherent in SPA: users need to know the IP address of resources in advance, exposing the resource address to potential attacks; SPA’s one-way authentication mechanism is insufficient for multi-level authentication in dynamic environments; deploying the knocking module and protected resources on the same host can lead to resource exhaustion and service unavailability under heavy loads; and SPA often uses high-overhead encryption algorithms like RSA2048. To counter these limitations, AHAC separates the Port Knocking module from the access control module, supports mutual authentication, and implements an extensible two-way communication mechanism. It also employs ECC and ECDH algorithms, enhancing security while reducing computational costs. We conducted extensive experiments to validate AHAC’s performance, high availability, extensibility, and compatibility. The experiments compared AHAC with traditional SPA in terms of time cost and performance.

1. Introduction

In the era of information proliferation, network security has become a critical concern for nations, organizations, and individuals alike. As network technologies evolve rapidly, traditional perimeter-based security models are becoming inadequate in managing increasingly sophisticated and dynamic threats to network integrity. The concept of zero-trust security has gained prominence in response to these challenges. The foundational principle of zero trust [1] is “never trust, always verify”, which dictates that no entity, whether inside or outside the network, should be automatically trusted; instead, every access request must undergo stringent authentication and authorization.
The architectural pillars of mainstream zero-trust implementations include Software-Defined Perimeter (SDP) [2], Identity and Access Management (IAM) [3], and Micro-Segmentation (MSG) [4,5]. SDP has revolutionized network security by surpassing traditional boundaries and establishing access controls based on identities, environmental conditions, and contextual data, introducing a transformative approach to securing networks [6]. Within SDP, the Single Packet Authorization (SPA) protocol [7,8] is a mechanism used to enable secure communication between components. SPA is an approach that hides services from unauthorized users, allowing access to a specific service or resource only upon the successful authorization of a single packet. SPA aligns with the zero trust principle and fine-grained access control, providing independent authorization information for each packet. It enhances system security by minimizing the trust range and improving access control granularity [9]. This approach significantly reduces the attack surface and enhances security.
However, despite its advantages, SPA has shown significant limitations in practical applications. This is particularly true in complex network environments. These limitations include its simplistic single-packet, one-way data transmission model, security vulnerabilities from coupling the knocking and access control modules, substantial computational overhead from using high-level encryption algorithms, and lack of a high-availability design. These issues not only compromise the protocol’s effectiveness but also expose network systems to risks such as eavesdropping and Distributed Denial of Service (DDoS) attacks.
With the continuous development of network technology and increasingly complex scenarios, the SPA protocol has gradually exposed a number of clear defects and limitations in practical application, mainly in the following aspects [10]:
(1) Users need to know the IP addresses of resources in advance in order to access them, which exposes each resource’s address. This exposure can lead to security risks such as eavesdropping and DDoS attacks.
(2) The SPA protocol’s one-way authentication mechanism does not provide enough information for multi-level authentication. In dynamic, real-time changing environments, one-way authentication cannot acquire and process dynamic information in time, resulting in insufficient authentication capability.
(3) Since the knocking module and the protected resources are deployed on the same host, heavy concurrent knock verification consumes the host’s computing and bandwidth resources. This may crash the server, rendering both the network-hiding service and the protected resource service unavailable.
(4) The SPA protocol often uses encryption algorithms at RSA2048 strength or higher to ensure algorithmic security, leading to significant performance overhead.
To address these limitations of the SPA protocol, we propose an AHAC framework. Our approach introduces an independent control surface as the access proxy service and combines it with a noise generation mechanism to encrypt the access scheme. This solution effectively mitigates the security issues inherent in SPA and replaces the RSA signature method used in traditional SPA protocols. By enhancing the network’s ability to hide services, AHAC improves overall system security, reduces computational costs, and significantly enhances key verification efficiency. AHAC represents a substantial refinement of SPA’s security architecture and encryption protocols, enhancing security, performance, stability, and extensibility. This framework employs a distributed and scalable architecture that seamlessly integrates with existing zero-trust frameworks such as SDP and MSG, providing robust protection for both north–south and east–west network traffic. The main contributions of the paper are summarized as follows:
(1) In the AHAC framework, the separation of the Port Knocking module from the access control module, combined with mutual authentication, allows users to access resources without prior knowledge of their IP addresses. Users can customize the mapping relationships, ensuring that actual IP addresses remain undisclosed.
(2) To cope with complex scenarios and multi-level security requirements, we implement an extensible two-way communication mechanism. It not only provides richer expansion capabilities for data communication connections but also forwards the contents of the resource requester’s knock packet to the authorization service provider for advanced authentication and privilege qualification, thus providing stricter and more granular identity authentication and privilege control.
(3) We separate the Port Knocking module from the access control module so that the two modules can be deployed on different network entities. This not only prevents knock verification from occupying the computing and bandwidth resources of the host where the protected resources are located but also allows on-demand elastic expansion of both the knocking module and the access control module, enabling clustering and load balancing to meet service response requirements under high concurrency and high load.
(4) We replace the RSA signature in the SPA protocol by introducing the Noise Protocol into encrypted access and combining random Elliptic Curve Cryptography (ECC) key pairs with the Elliptic Curve Diffie-Hellman (ECDH) key exchange, which not only enhances security but also reduces computational cost and improves verification efficiency.
The remainder of this paper is structured as follows. Section 2 explores the evolution of network-hiding technology and provides background on related research. Section 3 defines key terms central to the AHAC framework, establishing a theoretical foundation for subsequent discussions. Section 4 elaborates on the overall architecture and processing flow of the AHAC framework, and introduces the Noise Protocol within this framework. In Section 5, we validate the feasibility and effectiveness of the AHAC framework through experiments. Finally, Section 6 summarizes the entire paper and discusses future research directions.

2. Related Work

The most critical aspect of network services is the security of port access. However, issues arise when ports are left open or access is allowed without proper authentication, making it easier for unauthorized users to access the server. Currently, numerous domestic and international scholars have conducted extensive research on network-hiding technologies. Overall, these technologies have primarily evolved through three stages: the first generation is represented by Port Knocking, the second generation is represented by Single Packet Authorization (SPA), and generation 2.5 consists of enhanced SPA technologies. Both Port Knocking and SPA are access control technologies. Port Knocking only reveals network-protected resources to users who can prove knowledge of a pre-shared port sequence. SPA is a technique designed to protect hidden network services from unauthorized users.
Port Knocking uses the port fields in TCP and UDP packet headers to transmit information. While Port Knocking can effectively restrict access to services, it still has many limitations [10,11,12]. First, encrypted knocking sequences inevitably involve information transmission, and the information volume depends on the encryption algorithm used. Second, out-of-order data delivery complicates decryption, and the service-side mechanism for reordering out-of-sequence packets can be problematic. Third, the limited data transmission capability of Port Knocking makes it challenging to effectively defend against replay attacks, as a malicious third party can easily disrupt the knocking sequence by injecting an additional data packet disguised as part of the client’s port sequence. Finally, any Intrusion Detection System (IDS) capable of monitoring traffic between the client and server can easily detect the knocking sequence as a port scan.
SPA and its enhanced technologies represent a relatively new protocol that retains all the benefits of Port Knocking while addressing its limitations [13,14]. SPA and its enhancements provide similar security advantages for protecting services that use packet filters configured with a default-drop policy. SPA and its enhanced technologies offer clever solutions to the many restrictions of Port Knocking. These solutions enable SPA and its enhanced technologies to resolve replay issues, support data transmission rates with asymmetric encryption, thwart simple spoofing attacks, and evade IDS detection that monitors for network port scans.
Therefore, we summarize the current research status of the three developmental stages of network-hiding technologies as follows:

2.1. Port Knocking

Port Knocking [11] is a method proposed in the early 21st century to enhance network service security. It leverages a simple but powerful concept: access requests are authenticated through a series of specific port “hits” before a network connection is established [15]. The core advantage of this method is that it achieves secure access control to a service without revealing the existence of the service, thereby effectively hiding network services and reducing the potential attack surface. Port Knocking can be implemented in a variety of ways [16,17]. The most common method is to run a specialized daemon (such as knockd) on the server that listens for knocking attempts on the network. Port Knocking should be viewed as part of a multi-layered defense strategy rather than a comprehensive security solution. When designing and implementing a Port Knocking strategy, one should consider how it can be combined with other security measures (such as strong password policies, two-factor authentication, encrypted communications, etc.) to enhance overall security [18]. However, Port Knocking technology has shortcomings such as a single point of failure, complex operation, and poor compatibility.

2.2. SPA

SPA is an improved version of Port Knocking that requires only a single encrypted authentication packet to complete the “knocking” process. Compared to traditional Port Knocking, SPA provides higher security and lower network noise, the authentication packet can carry more authentication information, and it resists replay attacks better. Unlike traditional Port Knocking, which relies on a series of port knocks, SPA completes authentication with a single packet; SPA packets are typically encrypted and contain authentication information such as user credentials, request timestamps, and requested actions (such as a request to open a specific port) [19,20,21,22].
The core idea of SPA is that a single data packet authorizes the establishment of a secure connection after successful knock authentication. This mechanism ensures the security and reliability of network connections, laying a solid foundation for building a more robust zero-trust network environment. At present, scholars have conducted extensive and in-depth research on SPA technology. Among them, references [23,24] cleverly utilized single-packet authorization technology and successfully implemented a Port Knocking mechanism. This mechanism effectively hides resources, making it impossible for attackers to know the communication port of the business system without completing Single Packet Authorization, thereby significantly reducing the likelihood of successful attacks. Ref. [25] thoroughly studied single-packet authorization technology, constructed a comprehensive dynamic authorization mechanism based on it, and comprehensively considered multiple factors, such as identity, environment, behavior, software, and hardware, to ensure that 5G terminals can securely and efficiently access healthcare resources under the conditions of minimal authorization, micro-isolation, dynamic authorization, and continuous monitoring. Ref. [26] shows through empirical research that a zero-trust firewall based on single-packet authorization can realize a dynamic authorization mechanism based on the authentication credentials provided by the client, which not only effectively mitigates the security threats faced by traditional firewalls but also significantly improves the control capability of network security. Ref. [13] proposes applying SPA single-packet authorization and an endogenous security architecture to zero-trust authentication systems to improve the reliability, dynamism, and diversity of system defense.

2.3. SPA Enhancement

In terms of enhancing SPA, current research mainly focuses on improving the SPA authentication mechanism. Ref. [27] proposes a lightweight Port Knocking scheme to resist TCP replay attacks and port scanning. Ref. [28] proposes an OpenSPA scheme that supports custom access policies. Ref. [29] proposes a new single-packet authentication method, HSPA. It can transparently authenticate remote clients and addresses two main issues in its design: resource shortage attacks and a lack of correlation between the authentication and establishment processes. The study [30] uses the time-synchronized HTOP mechanism to improve single-packet authorization authentication technology and enhance the security of the SDP architecture, where the first communication packet between the SDP client and the SDP gateway is the SPA authentication packet. However, to resist DDoS attacks, the study [31] proposed that symmetric cryptography should be used to build a lightweight single-packet authorization mechanism instead of public keys. Since this is a symmetric cryptosystem, the security of SPA key distribution and storage is crucial. Ref. [32] proposed a “Honeykeys” deception mechanism to reduce the risk of key leakage caused by centralized storage of SPA keys but did not consider the security of SPA key distribution. Ref. [33] used the HKDF scheme, based on a key derivation function and HMAC, to achieve symmetric key distribution. Ref. [34] implements key agreement among multiple participants based on secure multi-party computation.
Through the comprehensive analysis of the relevant domestic literature mentioned above, it can be found that current zero-trust security protection mainly relies on single-mode Single Packet Authorization (SPA) technology, which mainly provides hiding protection for the services of the device itself. However, the application scenarios of SPA technology are mainly limited to data centers, and its extensibility is relatively insufficient, making it difficult to meet increasingly complex and changing network security needs. Therefore, in promoting the development of zero-trust security protection technology, it is necessary to further explore and research more flexible and scalable solutions to cope with constantly changing network security challenges.

3. Preliminaries

Definition 1. Zero Trust is a network security concept that prioritizes resource protection. It assumes that trust is not inherent in any part of the network, and access to resources should not be based on the trustworthiness of the subject or the resource itself. Instead, trust connections between subjects and resources should be established from scratch through continuous environmental awareness and dynamic trust assessment to implement access control.
Definition 2. Port Knocking is a communication technique where a requesting party sends packets containing information about its identity, device, and target resource. These packets are used for identity and privilege legitimacy verification before establishing a data communication connection.
Definition 3. A Noise Protocol is a set of algorithms that introduce randomness into the encryption and decryption processes during communication. This randomness helps to avoid a fixed computational paradigm, making it difficult for attackers to crack. It enhances security for data transmission by providing a dynamic and unpredictable encryption scheme.
Definition 4. Network-Hiding Access Control is a security measure designed to protect resources in a computer network from unauthorized access. This access control method hides critical resources, such as servers, databases, or sensitive information, from potential attackers. Techniques such as network isolation, encryption, and authentication are used to ensure that only authorized users or devices can access these resources, thereby enhancing network security and preventing unauthorized access and data breaches.
Definition 5. Mutual Authentication, also known as two-way authentication or client authentication, is a network security mechanism used to ensure that the connection established between two parties in communication is trustworthy. In Mutual Authentication, not only does the server authenticate the client’s identity, but the client also authenticates the server’s identity. This two-way verification helps prevent man-in-the-middle attacks and other security threats, ensuring that both parties in communication are legitimate and trustworthy.

4. Methods

4.1. Architecture

The scalable architecture designed in the AHAC framework consists of multiple key components, including Agent, Network-Hiding Server (Server), Access Control (AC) system, Authorization Service Provider (ASP), and Protected Resources, as shown in Figure 1. These components communicate user authorization information, the true location of protected resources, and release policies through precise and efficient interactions, thereby achieving secure hiding and access control of servers where data resources are located in the network environment.
The functions of each component are described as follows.
AHAC Agent (Agent): This component is responsible for initiating the request. It can take various forms, including an SDK, process, client application, mobile app, browser extension, or even a server backend service and other independent programs.
Network-Hiding Server (Server): This component is specifically responsible for processing and verifying knock requests. It typically exists as a server program. The server not only verifies knock requests but can also interact with external authorization service providers to perform authentication operations and ensure the security and legitimacy of requests. Additionally, it controls network invisibility and access control to allow precise control and management of the access control system.
Authorization Service Provider (ASP): In this extensible architecture, the ASP is a service interface provided by the resource owner to implement authentication and authorization of identities, devices, and policies, and to provide the real access address of protected resources. The services provided by authorization service providers typically include identity authentication services, device verification services, and policy permission verification services. The communication interface between the Server and the network-hiding authorization service provider can use an HTTPS API or a customized TCP communication protocol to ensure the synchronization of verification interactions.
Access Control (AC): The AC is the execution component of access control, which is usually implemented as a server program. The AC enforces a default “deny all” security policy and ensures the network invisibility of protected resources. It is responsible for granting access rights (such as IP address, port number, etc.) to authorized Agents, revoking access rights from Agents that have lost authorization, and executing release actions for Agents based on parameters returned by the Server.
Protected Resource: This refers to valuable assets that resource providers are committed to closely guarding. These resources can exist in various forms, including but not limited to data API interfaces, data application servers, gateways, routers, and load balancers for cluster services.

4.2. Workflow

The workflow between the Agent, the Server, the AC as well as the ASP, and the protected resource is shown in Figure 2. This process is designed to ensure that the Agent must pass the authentication and authorization process before accessing the protected resources, to ensure legitimate access to the resources.
According to the Network-Hiding Access process of AHAC shown in Figure 2, the specific implementation details are as follows:
(1) The Agent (such as a client or browser) initiates access to a protected resource by sending a port-knock packet (a KNK packet) to the Network-Hiding Server (the Server). The goal is to obtain authorization to access the protected resource, ensuring that the Agent has legal and compliant access rights.
(2) When the Server receives a KNK packet from the Agent, it parses the packet to obtain a series of key pieces of information, including the Agent’s identification, device details, the ASP to be consulted for this access request, and information about the target resource (hereinafter collectively referred to as the Agent information).
(3) The Server summarizes the obtained Agent information and locates the corresponding ASP server (generally an enterprise IAM system) based on the ASP information. Subsequently, the Server sends an authentication query for the Agent to the ASP server (a QRY message).
(4) The ASP server authenticates the Agent information submitted by the Agent. Once authenticated, the ASP server grants the Agent access to the target resource and replies with a message (an AUT message) containing key information such as the real IP address and port number of the target resource. Additionally, to ensure secure access, the ASP server also provides other authorization information, such as tokens, so that the Agent can carry out subsequent operations.
(5) After authentication completes, the Server sends an access request (a DOP message) to the AC system where the target resource is located. This step ensures that the Agent can access the target resource after obtaining the necessary authorization.
(6) Upon receiving the access request from the Server, the AC verifies that the requested target resource matches a protected resource under its control. Once verified, the AC immediately opens the connection channel from the Agent to the protected resource, allowing the Agent to access it. The AC replies to the Server with the validity period and security control information for this access (a DRT message).
(7) After the Server confirms that the AC has granted access, it responds to the Agent with an ACK packet providing the real address of the protected resource and the valid duration of the access.
(8) At this point, the Agent has obtained access to the target resource. This access authorization is not permanent: before the authorization period expires, the Agent must initiate a new knocking request and repeat steps 1 to 7 to renew its access permissions, ensuring continuous and stable access.
(9) (Optional) The detailed logs generated during the whole interaction and data communication process are securely and efficiently uploaded to the regulatory authorities for strict compliance audits.
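The nine steps above can be followed as a message flow. The Go program below is an added example, not code from the AHAC project: it models the KNK/QRY/AUT/DOP/DRT/ACK exchange among Agent, Server, ASP and AC with a default-deny AC and time-bounded grants, and the agent IDs, the address 10.0.5.20, the port and the token are constructed sample data, not values from the paper.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// KNK is the knock packet the Agent sends (step 1); it names the resource logically, never by real address.
type KNK struct {
	AgentID, DeviceID string
	ASP               string // authorization service provider the Server must consult
	Resource          string
}
// AUT is the ASP's reply (step 4): the real address plus a token for later use.
type AUT struct {
	RealAddr string
	Port     int
	Token    string
}
// ASP stands in for an enterprise IAM system; its policy here is constructed data.
type ASP struct {
	devices map[string]string         // agentID -> registered device
	policy  map[string]map[string]AUT // agentID -> logical resource -> AUT
}
// Query is the QRY/AUT exchange (steps 3-4): device check, then authorization.
func (a *ASP) Query(k KNK) (AUT, error) {
	aut, ok := a.policy[k.AgentID][k.Resource]
	if !ok || a.devices[k.AgentID] != k.DeviceID {
		return AUT{}, errors.New("ASP: unknown device or resource not authorized for this agent")
	}
	return aut, nil
}

// AC enforces default deny: no grant exists until the Server asks for one.
type AC struct {
	protected map[string]bool      // real addresses this AC fronts
	grants    map[string]time.Time // agentID@realAddr -> expiry
	ttl       time.Duration
}

// Open is the DOP/DRT exchange (steps 5-6): check the target is protected here, open it for ttl, report expiry.
func (c *AC) Open(agentID, realAddr string, now time.Time) (time.Time, error) {
	if !c.protected[realAddr] {
		return time.Time{}, errors.New("AC: target is not a protected resource here")
	}
	until := now.Add(c.ttl)
	c.grants[agentID+"@"+realAddr] = until
	return until, nil
}

// Allowed is what the packet filter consults on every connection attempt.
func (c *AC) Allowed(agentID, realAddr string, now time.Time) bool {
	until, ok := c.grants[agentID+"@"+realAddr]
	return ok && now.Before(until)
}

// Server is the Network-Hiding Server driving steps 2 to 7.
type Server struct {
	asps map[string]*ASP // ASP name -> ASP
	acs  map[string]*AC  // real address -> AC protecting it
}

// Knock handles one KNK packet. The returned AUT and expiry together form the
// ACK packet (step 7); nothing is opened if any party in the chain refuses.
func (s *Server) Knock(k KNK, now time.Time) (AUT, time.Time, error) {
	asp, ok := s.asps[k.ASP]
	if !ok {
		return AUT{}, time.Time{}, errors.New("server: unknown ASP")
	}
	aut, err := asp.Query(k)
	if err != nil {
		return AUT{}, time.Time{}, err
	}
	ac, ok := s.acs[aut.RealAddr]
	if !ok {
		return AUT{}, time.Time{}, errors.New("server: no AC fronts this resource")
	}
	until, err := ac.Open(k.AgentID, aut.RealAddr, now)
	if err != nil {
		return AUT{}, time.Time{}, err
	}
	return aut, until, nil
}

// Deploy wires one ASP, one AC and one Server with constructed sample data.
func Deploy() (*Server, *AC) {
	asp := &ASP{
		devices: map[string]string{"agent-01": "dev-A"},
		policy:  map[string]map[string]AUT{"agent-01": {"payroll-api": {"10.0.5.20", 8443, "tok-constructed"}}},
	}
	ac := &AC{protected: map[string]bool{"10.0.5.20": true}, grants: map[string]time.Time{}, ttl: 5 * time.Minute}
	return &Server{asps: map[string]*ASP{"corp-iam": asp}, acs: map[string]*AC{"10.0.5.20": ac}}, ac
}
func main() {
	srv, ac := Deploy()
	aut, until, err := srv.Knock(KNK{"agent-01", "dev-A", "corp-iam", "payroll-api"}, time.Now())
	fmt.Println(aut, until, err, ac.Allowed("agent-01", aut.RealAddr, time.Now()))
}
```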

4.3. Cryptographic Protocols

Compared to commonly used digital signature schemes, the framework proposed in this paper uses a lightweight Noise Protocol for mutual identity verification. This key negotiation protocol combines random key pairs with the ECDH algorithm. The Noise Protocol implicitly authenticates the identities of the interacting parties while generating the final key. Because a random key pair is introduced at each interaction, it is well suited to single-session data encryption and decryption. Additionally, the algorithm needs a much shorter key than RSA to provide the same level of security. For example, RSA2048 encryption requires a 256-byte public key, whereas our algorithm requires only 32 bytes for equivalent security. Therefore, the ECDH algorithm is more secure than RSA signatures, with smaller key sizes, shorter ciphertext lengths, and lower computational overhead.
The Noise Protocol is a modular framework that can decompose the entire protocol into multiple interchangeable modules, allowing for combination and replacement. The Noise Protocol supports various types of encryption algorithms and hash functions, enabling flexible configuration based on specific requirements. In the AHAC framework, the device key can be randomly generated by software or obtained from a U-key or digital certificate. AHAC utilizes the Noise Protocol for mutual authentication and data encryption between parties, and defines an extended 64-byte (512-bit) public key in the packet header for steganographic access, accommodating future cryptographic algorithm updates. The AHAC supports the use of Chinese National Cryptographic Algorithms (SM2, SM3, SM4, etc.) for two-way authentication and encrypted communication.
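The handshake described in this subsection can be sketched with standard-library X25519 as a Noise-style static-plus-ephemeral exchange. This Go program is an added example, not the AHAC implementation or any Noise library: the protocol label, the HMAC-based MixKey and the ee/es/se operation order are assumptions chosen to show why the final key implicitly authenticates both parties, why every session gets a fresh key, and why a 32-byte public key suffices.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type dhOp struct { // one Diffie-Hellman operation of the handshake
	priv *ecdh.PrivateKey
	pub  *ecdh.PublicKey
}
// Party is one endpoint (Agent or Server): a long-lived device key plus an
// ephemeral key drawn afresh for every knock, so each session has its own key.
type Party struct {
	Static    *ecdh.PrivateKey
	Ephemeral *ecdh.PrivateKey
}
// NewParty creates a new static key and the first session's ephemeral key.
func NewParty() (*Party, error) {
	s, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return NewSession(s)
}

// NewSession keeps an existing static key and draws a fresh ephemeral pair.
func NewSession(static *ecdh.PrivateKey) (*Party, error) {
	e, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Static: static, Ephemeral: e}, nil
}

// mixKey is the Noise MixKey step: an HKDF-style HMAC-SHA256 chain folding one DH output into the chaining key.
func mixKey(ck, dh []byte) []byte {
	prk := hmac.New(sha256.New, ck)
	prk.Write(dh)
	okm := hmac.New(sha256.New, prk.Sum(nil))
	okm.Write([]byte{0x01})
	return okm.Sum(nil)
}

// deriveKey runs the DH operations in the given order and chains each result.
func deriveKey(ops []dhOp) ([]byte, error) {
	// Constructed label; a real Noise handshake hashes its pattern name instead.
	h := sha256.Sum256([]byte("AHAC_example_X25519_SHA256"))
	k := h[:]
	for _, op := range ops {
		dh, err := op.priv.ECDH(op.pub)
		if err != nil {
			return nil, err
		}
		k = mixKey(k, dh)
	}
	return k, nil
}

// InitiatorKey is the Agent's side: ee gives forward secrecy, es binds the
// Server's static key and se binds the Agent's static key.
func (p *Party) InitiatorKey(peerStatic, peerEphemeral *ecdh.PublicKey) ([]byte, error) {
	return deriveKey([]dhOp{
		{p.Ephemeral, peerEphemeral}, // ee
		{p.Ephemeral, peerStatic},    // es
		{p.Static, peerEphemeral},    // se
	})
}

// ResponderKey is the Server's side: the same three secrets from the other end, same order.
func (p *Party) ResponderKey(peerStatic, peerEphemeral *ecdh.PublicKey) ([]byte, error) {
	return deriveKey([]dhOp{
		{p.Ephemeral, peerEphemeral}, // ee
		{p.Static, peerEphemeral},    // es
		{p.Ephemeral, peerStatic},    // se
	})
}

// Handshake runs one knock. The keys agree only if each side holds the private
// half of the static key the other side used: implicit mutual authentication.
func Handshake(agent, server *Party) (agentKey, serverKey []byte, err error) {
	agentKey, err = agent.InitiatorKey(server.Static.PublicKey(), server.Ephemeral.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	serverKey, err = server.ResponderKey(agent.Static.PublicKey(), agent.Ephemeral.PublicKey())
	return agentKey, serverKey, err
}
func main() {
	agent, _ := NewParty()
	server, _ := NewParty()
	ak, sk, _ := Handshake(agent, server)
	fmt.Printf("%d-byte public keys, %d-byte session key, agree: %v\n", len(agent.Static.PublicKey().Bytes()), len(ak), bytes.Equal(ak, sk))
}
```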

4.4. Comparison of Advantages and Disadvantages of Different Methods

Port Knocking, SPA, and AHAC represent three distinct approaches to network authentication and security. Port Knocking, typically implemented using Python and Bash, relies on pre-shared port sequences for authentication. It is simple and lightweight, making it suitable for basic access control and low-to-medium load scenarios. However, its security and extensibility are limited due to the lack of encryption and reliance on the secrecy of knocking sequences.
SPA, on the other hand, uses strong encryption algorithms such as RSA and AES to enhance security. Implemented in C and C++, SPA involves more complexity than Port Knocking, integrating encrypted packets and firewall configurations. It offers better performance due to single-packet interactions but still faces potential issues such as IP amplification. SPA is generally compatible with various systems and is suitable for high-security scenarios like remote server access and secure gateway authentication.
AHAC provides the most advanced and robust solution, combining the Noise Protocol with key pairs and the ECDH algorithm for mutual authentication. It supports multiple programming languages, including C/C++, Python, Java, and Go, and offers an advanced, scalable architecture. AHAC enhances device verification, defends against replay attacks, and addresses IP amplification issues. Its optimized performance, high availability, and high extensibility make it ideal for environments requiring strong authentication and encryption, such as enterprise IAM systems and secure resource access. AHAC’s compatibility with multiple platforms and future cryptographic developments further underscores its superiority over traditional methods.
To better understand the differences and advantages of various access control technologies like Port Knocking, SPA, and AHAC, we compare the dimensions of development language, communication, architecture, authentication, encryption, performance, network stealth, availability, extensibility, compatibility, security, and use cases, as shown in Table 1.
This shows that the AHAC framework performs much better than the other two technologies.

5. Experiments and Analysis

5.1. Experimental Setting

Based on the AHAC framework proposed above, we designed experiments aligned with the research motivation of this article. The goals primarily focused on verifying the performance, high availability, extensibility, and compatibility of AHAC. Additionally, the time cost and performance of the AHAC encryption algorithm were compared and analyzed in detail against SPA. In this setup, both the server and client environments used the Linux operating system. The hardware configuration included an Intel Core™ i5-3470 CPU @ 3.22GHz × 4 processor, a Mesa Intel HD Graphics 2500 (IVB GT1) graphics card, 8.0 GiB of memory, and 1.0 TB of disk capacity.

5.2. Performance Testing and Analysis

5.2.1. Comparison of Overhead

SPA relies on RSA signatures, whereas AHAC relies on ECC, specifically ECDH key agreement. We compared the cost-effectiveness of RSA and ECC in terms of security strength and key length, as shown in Table 2. At the same security level, ECC keys are significantly shorter than RSA keys. In addition, an RSA signature is exactly as long as the modulus, so an RSA2048 signature occupies 256 bytes in every knock packet. When verifying the identity of network messages, transmitting a short ephemeral ECC public key (32 or 64 bytes, depending on the curve and encoding) for an ECDH exchange instead of a 256-byte RSA2048 signature therefore gives AHAC both lower computational overhead and a smaller per-packet bandwidth footprint. This is a concrete advantage of AHAC over SPA in system efficiency and resource utilization.
We designed an experiment to measure the encryption and decryption time of RSA and ECC, with the data presented in Table 3. We tested both algorithms under increasing numbers of encryption and decryption cycles. As the number of cycles increases, the time for both RSA and ECC rises, but ECC's overhead is far smaller, and the gap widens with the cycle count: RSA's time reaches approximately 800 times that of ECC. One caveat when reading this ratio: the expensive RSA operation is the private-key one (signing or decryption); RSA verification with a small public exponent is comparatively cheap, so the ratio applies to the side that produces signatures or decrypts, not to a verifier. This contrast still shows the efficiency advantage of AHAC's ECC-based design and supports choosing it in practice.
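The size and cost comparison above can be checked directly. The following Go program is an added example, not code from the paper or from AHAC: it generates an RSA-2048 key and signs a constructed knock payload to show the 256-byte signature, runs a full ephemeral ECDH exchange on X25519 (the curve Noise-based handshakes typically use; the page does not name AHAC's curve, so this is an assumption) and on P-256 for contrast, reports the public key and shared-secret sizes, and times RSA signing against a complete X25519 exchange with the same repeated-cycle method as Table 3. The function names and the sample payload are the example's own.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// curveByName maps the two curves compared here to crypto/ecdh implementations.
// X25519 is what Noise-based handshakes usually use; P-256 is shown for contrast.
func curveByName(name string) ecdh.Curve {
	switch name {
	case "X25519":
		return ecdh.X25519()
	case "P-256":
		return ecdh.P256()
	}
	return nil
}

// rsaSignatureSize signs msg under a freshly generated RSA key of the given modulus length,
// verifies the signature, and returns its length in bytes (always the modulus size: 256 for RSA-2048).
func rsaSignatureSize(bits int, msg []byte) (int, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return 0, err
	}
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return 0, err
	}
	if err := rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, digest[:], sig); err != nil {
		return 0, err
	}
	return len(sig), nil
}

// ecdhExchange runs one ephemeral-ephemeral exchange on curve and returns the encoded public key
// size each side transmits and the shared-secret size, after checking both sides derived the same secret.
func ecdhExchange(curve ecdh.Curve) (pubBytes, secretBytes int, err error) {
	agent, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return 0, 0, err
	}
	server, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return 0, 0, err
	}
	atAgent, err := agent.ECDH(server.PublicKey())
	if err != nil {
		return 0, 0, err
	}
	atServer, err := server.ECDH(agent.PublicKey())
	if err != nil {
		return 0, 0, err
	}
	if !bytes.Equal(atAgent, atServer) {
		return 0, 0, fmt.Errorf("shared secrets differ")
	}
	return len(agent.PublicKey().Bytes()), len(atAgent), nil
}

// meanDuration runs op n times and returns the average wall-clock cost per call,
// the same repeated-cycle measurement the paper reports in Table 3.
func meanDuration(n int, op func() error) (time.Duration, error) {
	start := time.Now()
	for i := 0; i < n; i++ {
		if err := op(); err != nil {
			return 0, err
		}
	}
	return time.Since(start) / time.Duration(n), nil
}

func main() {
	msg := []byte("knock: resource=app-01") // constructed sample knock payload
	n, err := rsaSignatureSize(2048, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("RSA-2048 signature: %d bytes on the wire\n", n)
	for _, name := range []string{"X25519", "P-256"} {
		pub, sec, err := ecdhExchange(curveByName(name))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s ECDH: %d-byte public key, %d-byte shared secret\n", name, pub, sec)
	}
	// Per-operation cost: RSA-2048 signing (the private-key side) against a complete X25519 exchange.
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	digest := sha256.Sum256(msg)
	rsaCost, _ := meanDuration(50, func() error {
		_, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, crypto.SHA256, digest[:])
		return err
	})
	ecdhCost, _ := meanDuration(50, func() error {
		_, _, err := ecdhExchange(curveByName("X25519"))
		return err
	})
	fmt.Printf("mean cost per call: RSA-2048 sign %v, X25519 exchange %v\n", rsaCost, ecdhCost)
}
```

Absolute timings depend on the machine and Go version, so only the ratio is meaningful, and the RSA side measured here is signing, the private-key operation; a verifier using the public key would see a much smaller gap.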

5.2.2. Performance Comparison

To test the performance of AHAC, we constructed an experimental environment as shown in Figure 3. In the same experimental environment, we validated the load performance of AHAC and SPA. This environment consists of two core deployment areas: the Agent Deployment Area and the Network-Hiding Deployment Area.
The Network-Hiding Deployment Area integrates two key components: the Network-Hiding Server (i.e., Server) and the Application Server. We specifically selected three machines with uniform configurations, each equipped with a 4-core CPU and 8GB of RAM, to ensure the stability and consistency of the testing environment. On the agent server, we launched agent services that sent Port Knocking requests to the Server at a frequency of once per second. Meanwhile, on the Server, we deployed the JMeter component to simulate and monitor the performance of the Server. On the Application Server side, we launched JMeter services to monitor the data changes in performance resource consumption of the Server in real-time.
We selected 1, 10, 20, 30, 40, and 50 Agents to conduct performance tests on AHAC and SPA. As shown in Figure 4, the horizontal axis represents the number of Agents selected in the experiment, and the vertical axis reflects the CPU usage rate during the tests.
The experimental results reveal that as the number of Agents increases, the CPU load for both AHAC and SPA shows an upward trend. However, as the number of Agents increases, AHAC demonstrates a significant performance advantage, with its CPU load approximately maintaining half the level of SPA.
The experimental results prove AHAC’s superior performance in handling different numbers of Agents. Compared to SPA, AHAC achieves lower CPU load under the same experimental conditions, thereby enhancing overall operational efficiency.
In summary, the cryptographic microbenchmark in Table 3 suggests that, in theory, AHAC could improve on SPA by roughly three orders of magnitude. In the actual testing environment, however, the improvement was only about twofold: AHAC's CPU load was roughly half of SPA's. After analysis, the main reasons for the smaller gain in practice are as follows:
First, network overhead significantly impacts performance. Second, garbage collection issues cannot be ignored. In a recent report, the White House Office of the National Cyber Director (ONCD) strongly recommended that developers adopt “memory-safe programming languages” and advised against using C and C++. Therefore, considering code security and the feasibility of implementing encryption algorithms, we chose the memory-safe Go language for development. However, the garbage collection mechanism of the Go language may cause some performance loss. Finally, differences in the hardware environment used in the experiment can also be an important factor affecting performance.

5.3. High Availability

One of the implementation goals of AHAC is high availability for secure access. In AHAC, the Port Knocking module and the access control module are designed in a distributed architecture. This not only prevents the Port Knocking verification from consuming the computing and bandwidth resources of the host where the protected resources reside but also allows the Port Knocking module to scale elastically on demand. Similarly, the access control module and the protected resources can also scale elastically on demand to achieve load balancing, meeting the requirements for rapid response under high concurrency and high load conditions. Due to the distributed deployment of the Port Knocking module, even in the event of network failures or data center outages, the data resource requester can quickly and seamlessly switch to other Port Knocking services without affecting functionality or response speed. Therefore, in the high availability architecture design of AHAC, the Port Knocking verification servers and the access control services are deployed on different physical hosts, as shown in the network topology diagram, Figure 5. This strategic layout significantly enhances the system’s robustness and effectively reduces the potential impact on overall system availability in the event of a service failure. By deploying in a distributed manner, we ensure service isolation, so that even if one service is attacked or fails, other services can continue to operate normally without being affected by external attacks.
Additionally, AHAC supports horizontal elastic scaling of the Port Knocking verification services, allowing the system to flexibly and dynamically adjust the number of service instances based on real-time load conditions. This feature endows AHAC with exceptional elasticity and extensibility, ensuring that even under high load challenges, the services can maintain rapid response and stable availability. Each service instance is capable of handling Port Knocking requests and maintaining business sessions. This design not only significantly enhances the system’s processing capability but also improves its fault tolerance, thereby ensuring business continuity and stability. The load capacity test results of AHAC high-availability servers under different numbers of Agents are shown in Figure 6. As illustrated in the figure, the distributed server deployment reduces the load on each server, resulting in a significant improvement over SPA and enhanced security.
The Port Knocking verification service, provided by ASP, not only undertakes the critical tasks of authentication and access control but also manages the dynamic allocation of the IP addresses of the access control systems and their associated hosts. This dynamic allocation mechanism can flexibly adjust the distribution of resources based on real-time network load and resource utilization, thereby significantly enhancing the system’s load-balancing capabilities. More importantly, since the IP address allocation is no longer limited to a static mode, our system can more efficiently handle individual server failures by intelligently and automatically redistributing traffic to servers that are functioning normally. This capability significantly improves the overall system’s availability and stability.

5.4. Extensibility Verification

As an access control technology, AHAC provides a foundational guarantee for the principles of trustworthiness, controllability, reliability, and verifiability in data communication. Considering the diversity and complexity of data communication scenarios and environments, AHAC must also be highly extensible to meet custom requirements in different contexts. The extensibility of AHAC is reflected in the following aspects:
Bidirectional Communication Mechanism: Unlike SPA’s unidirectional Port Knocking mechanism, AHAC’s bidirectional Port Knocking communication mechanism offers richer expansion capabilities for data communication connections. Data resource providers can use this mechanism to hide the real IP addresses of resources, achieving complete resource invisibility. Additionally, this mechanism can be used for encryption key exchange and transmission of computing parameters before and during data communication, enabling secure access for privacy computing, data spaces, and other collaborative data scenarios.
Authorization Service Provider (ASP) Interface: AHAC can pass the content of the Port Knocking request packets from the resource requesters to the authorization service provider for advanced identity authentication and permission verification. This allows for stricter and more fine-grained identity authentication and access control to handle complex scenarios and multi-level security requirements.
Flexible Data Resource Identification: Compared to the domain name-based internet host identification method, AHAC’s resource identification can be any string, including Chinese, English, and symbols. This provides a more descriptive method for data resource providers. Therefore, AHAC can include DNS resolution capabilities, offering a more secure, encrypted, and private domain name resolution service for data communication.
Consequently, the extensibility architecture of the AHAC framework mainly includes two typical application scenarios: integration with DNS and integration with FIDO. The specific descriptions are as follows:

5.4.1. Integration with DNS

As a fundamental Internet service, DNS plays a vital role in the operation of websites, but its security has long been neglected. Classic DNS runs over UDP, which is connectionless and does not authenticate the source address, so responses can be spoofed and queries can be reflected. Attackers exploit this to launch DNS hijacking, cache poisoning, denial of service attacks, and random subdomain (non-existent domain) attacks.
Therefore, strengthening DNS security risk prevention and control capabilities is crucial. After integrating AHAC, DNS resolution takes place inside AHAC's bidirectional encrypted channel, which provides confidentiality and tamper resistance. In addition, because only authenticated Agents can obtain a resolution at all, the resolver is no longer reachable by arbitrary Internet hosts, which greatly reduces its exposure to DDoS attacks and hijacking. The specific implementation scheme is shown in Figure 7. AHAC can significantly improve the security of DNS and provide users with more secure and reliable DNS services. The processing steps are as follows:
(1)
The Agent (such as a client, browser, etc.) initiates a request to the Network-Hiding Server (i.e., Server) using a domain name.
(2)
Once the Server receives the domain name data packet request from the Agent, it immediately sends an authentication query request to the application authentication server to verify the legality and permissions of the request.
(3)
Upon receiving the authentication request message from the Server, the authentication server undergoes a strict verification process. Once the identity is confirmed to be authentic and valid, it grants access permissions. Subsequently, the authentication server promptly replies to the Server with an authorized access credential containing critical information such as the real IP address and port number of the target resource.
(4)
After successfully passing the authentication query, the Server quickly initiates an access request to the access control system of the target resource. This request aims to ensure that the Agent can access the required target resource seamlessly, facilitating subsequent operations.
(5)
Upon receiving the access request from the Server, the access control system immediately performs a rigorous verification procedure. This process ensures that the requested target resource matches the protected resource exactly, thereby ensuring the security and reliability of the system. Once verified, the AC system swiftly establishes a connection channel from the Agent to the protected resource, allowing unobstructed access.
(6)
Once the AC system successfully grants access to the Agent, the Server promptly confirms this operation and returns the IP address and port information of the target resource. These details are then quickly transmitted to the Agent, enabling it to accurately locate and access the protected resource (i.e., Application).
(7)
After receiving the IP address and port information of the Application, the Agent immediately initiates normal business access to the Application, achieving efficient and secure resource interaction.

5.4.2. Integration with FIDO

FIDO effectively solves user authentication on the web, but the application server itself remains reachable, so vulnerabilities in the server can still be exploited to bypass FIDO authentication entirely, invade the server directly, and steal or damage data.
By integrating FIDO with AHAC, this shortcoming is well mitigated, providing a more comprehensive solution for internet exposure defense. The implementation scheme is shown in Figure 8, with the specific implementation steps as follows.
(1)
The User Agent (i.e., Agent) sends a Port Knocking packet to the Network-Hiding Server (i.e., Server) aiming to attempt access to sensitive resources within sessions that have been authenticated but with relatively lower assurance levels.
(2)
Upon receiving the Port Knocking packet, the Server forwards the resource access request to the Application Provider.
(3)
The Application Provider responds and sends a reply message to the Server while redirecting the Port Knocking message to a trusted authentication authority to request a higher assurance FIDO-based authentication.
(4)
After receiving the Application Provider’s response, the Server passes the redirection indicator to the Agent.
(5)
Upon receiving the redirection message, the Agent directly opens the FIDO authentication page.
(6)
The Server, upon receiving the Agent's FIDO authentication data from that page, promptly initiates a FIDO authentication request to the authentication authority.
(7)
The FIDO server completes the FIDO request and responds after receiving the request message.
(8)
The authentication authority, after a rigorous FIDO verification process, returns a FIDO-based authentication response to the Server.
(9)
Once the FIDO identity is confirmed to be authentic and valid, and the authentication is successful, the Server requests the Access Control (i.e., AC) system to open the Application Provider’s port to accept the Agent’s connection.
(10)
The Server notifies the Agent of the successful authentication and provides the IP/port for resource access.
(11)
The AC system successfully grants access permission to the Agent.
(12)
The Agent establishes a connection with the Application Provider to access the resources.

5.5. Compatibility

Compared to the SPA protocol, one of the important goals of the AHAC framework is to achieve good compatibility. In terms of encryption algorithms, AHAC adopts the Noise Protocol framework and is compatible with both international cryptographic algorithms (RSA, SHA256, AES, etc.) and Chinese cryptographic algorithms (SM2, SM3, SM4, etc.). The encryption time for data will vary depending on the length of the data packet header. In terms of hardware and software systems, AHAC is compatible with major domestic and international CPU hardware and operating system software, including Kunpeng, x86, Loongson, Shenwei, and others. In terms of standards, AHAC complies with the relevant specifications of the “U.S. Department of Defense Zero Trust Reference Architecture” and the Chinese standard “Information Security Technology—Zero Trust Reference Architecture” and is compatible with them.

5.6. Security Analysis of the AHAC Framework

The AHAC framework provides several key improvements in network security, specifically designed to address the limitations of traditional access control mechanisms such as SPA and Port Knocking. Below, we analyze the AHAC framework from several network security angles.
By separating the Port Knocking module from the access control module, AHAC splits the attack surface across independently deployed components: a compromise of the knocking service does not by itself expose the protected resources, and a compromise of a protected host does not yield the knocking service. The same separation mitigates DDoS. Because knock verification does not consume resources on the host where the protected services run, a flood of knocks degrades the knocking tier rather than the primary service, and that tier can be scaled out independently.
AHAC employs a two-way authentication mechanism, so both parties in the exchange are verified. This mutual authentication reduces the risk of unauthorized access and also gives the Agent a way to confirm that it is talking to the genuine Server, not only the other way round.
AHAC uses ECC for generating random key pairs, which provides strong security at much smaller key sizes than RSA and correspondingly lower computational overhead. ECDH is used for key exchange, so session keys are agreed over a public channel without ever being transmitted. Building the handshake on the Noise Protocol framework means that fresh ephemeral key pairs are used for every session, so session keys are unpredictable and independent of earlier sessions. This is also what limits replay: an intercepted knock or handshake message is bound to keys and authentication state that are not valid for a later session, so resending it does not succeed.
AHAC's design allows for on-demand elastic expansion, which can handle high concurrency and high load conditions without degrading performance. This feature is critical in maintaining availability and performance during peak usage or attack scenarios. By distributing the access control and Port Knocking processes across different network entities, AHAC supports effective load balancing. This ensures that no single point of the network becomes a bottleneck, thereby enhancing overall system resilience.

AHAC Application Scenario Test

The Mini Program H5 page accesses a government system. The target defense API server is the application server and its resources. AHAC’s JS SDK has been embedded in the Mini Program H5 page. The AHAC access control component has been deployed on the API server (Linux). The scope of the Mini Program Government System scenario diagram is shown in Figure 9.
The experimental results demonstrate the effectiveness of the AHAC service in enhancing network security, as shown in Figure 10. Before enabling AHAC, the scanning tool detected 30 exposed ports on the API server; after activation, no exposed ports were detected, achieving a "network cable unplugged" security effect. Abnormal or invalid network traffic decreased from 37 percent to 2 percent after AHAC activation. Because the AHAC SDK returns the server address dynamically once zero trust is enabled, the address is no longer exposed in the front-end code, which removes the fixed target that DDoS attacks depend on.

6. Conclusions

This paper introduces the Advanced Network-Hiding Access Control (AHAC) framework, which is a novel strategy designed to enhance network security by hiding infrastructure addresses and refining access controls within a zero trust framework. Our comprehensive evaluations demonstrate that AHAC significantly outperforms Single Packet Authorization (SPA) in terms of performance, extensibility, and overall security efficacy. The integration of Noise Protocol encryption and ECC not only strengthens security measures but also optimizes computational resources, making it particularly advantageous in environments with resource constraints. The superiority of ECC over RSA in encryption and decryption speeds is highlighted, showcasing its effectiveness in scenarios requiring high computational efficiency. AHAC’s architecture also exhibits high availability and fault tolerance, especially noted in its capacity for dynamic extensibility and effective resource distribution. In summary, AHAC marks a substantial advancement in the field of network security, providing scalable and efficient solutions well-suited for contemporary digital challenges. The foundational principles and technologies of AHAC are poised to exert a profound impact on future security architectures and strategies. Integrating this framework with Decentralized Digital Identity (DID) research presents a promising avenue, potentially addressing secure access control for individuals and devices from different organizations and countries when accessing critical data resources. Looking forward, we plan to apply AHAC in more practical scenarios, particularly in complex network security environments with high data security requirements, such as cross-border secure data access scenarios. Furthermore, we will validate this method in multiple dimensions, including security, data transmission efficiency, resistance to spoofing attacks, and the ability to counter detection systems.

Author Contributions

Conceptualization, M.X. and W.W.; methodology, M.X. and B.C.; software, B.C. and S.C.; validation, Y.L., B.C. and S.C.; formal analysis, M.X. and Y.L.; investigation, B.C.; resources, M.X. and J.F.; data curation, T.I.S. and S.W.F.; writing—original draft preparation, M.X. and Z.T.; writing—review and editing, M.X., B.C., S.C., L.W. and Z.T.; visualization, Z.T. and Y.L.; supervision, W.W. and M.X.; project administration, W.W. and Z.T.; funding acquisition, M.X. and J.F. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported in part by the Macao Science and Technology Development Fund Project under contract No. 0014/2023/EIB2.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Informed consent was obtained from all subjects involved in the study.

Data Availability Statement

Data available upon request.

Conflicts of Interest

Author Shan Chen was employed by the Hangzhou Xianyin Information Technology Co., Ltd.; authors Tai Io San, Sou Wang Fong were employed by the Fnetlink Tecnology Co., Ltd.; author Jing Feng was employed by China Telecom Co., Ltd. Sichuan Branch. All authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.

Abbreviations

The following abbreviations are used in this manuscript:
IoT   Internet of Things
DDoS  Distributed Denial of Service
SPA   Single Packet Authorization
AC    Access Control
ASP   Authorization Service Provider
SDP   Software-Defined Perimeter
ECC   Elliptic Curve Cryptography
ECDH  Elliptic Curve Diffie–Hellman Key Exchange
MSG   Micro-Segmentation
RSA   Rivest–Shamir–Adleman
TCP   Transmission Control Protocol
UDP   User Datagram Protocol
IAM   Identity and Access Management

Figure 1. AHAC architecture diagram.
Figure 2. Network-Hiding Access process.
Figure 3. Performance testing deployment scenarios.
Figure 4. Performance comparison results between AHAC and SPA.
Figure 5. High-availability network topology in the AHAC framework.
Figure 6. High availability comparison results with and without load balancing. Open time (knock interval) is set to 1; Server machine configuration is 4-core 8G; Loglevel = 4.
Figure 7. Deployment scenario of DNS integration with AHAC.
Figure 8. Deployment scenario of FIDO integration with AHAC.
Figure 9. Experimental deployment scenarios.
Figure 10. Comparison of experimental effects of AHAC in governmental scenarios.
Table 1. Comparison of Port Knocking, SPA, and AHAC.

| Feature | Port Knocking | SPA and Enhancement | AHAC |
| --- | --- | --- | --- |
| Dev Language | Python, Bash | C, C++ | C/C++, Python, Java, Go |
| Communication | Port sequences | Single packet authorization | Noise Protocol, ECDH |
| Architecture | Simple, client-server | Complex, encrypted packets, firewall | Advanced, scalable, Noise Protocol |
| Authentication | Basic Port Knocking | UDP knocking, IP amplification issue | Device fingerprint, UDP and TCP knocking |
| Encryption | None | RSA, AES | Noise Protocol and ECDH |
| Performance | Low overhead | Moderate overhead, efficient | Optimized, minimal overhead |
| Ability for Network-Hiding | Ports for services/applications | Ports for services/applications | Domains, IPs, and Ports |
| Availability | Low to medium load | Higher load | High availability, scalable clusters |
| Extensibility | Limited | Complex implementation | FIDO + AHAC, highly scalable, easy integration |
| Compatibility | Most systems | Various systems, may need integration | High, multi-platform, future-proof |
| Security | Basic, sequence secrecy | Strong encryption, key management risk | Address hidden, mutual authentication |
| Use Case | Basic access control | High-security scenarios | Scalable, high-security environments |
Table 2. Comparison of RSA and ECC encryption algorithms in SPA and AHAC for cost-effectiveness.

| Security Strength (bits) | SPA: Minimum RSA Public Key Length (bits) | AHAC: Minimum ECC Public Key Length (bits) | AHAC vs. SPA (Key Length Ratio) | Validity |
| --- | --- | --- | --- | --- |
| 80 | 1024 | 160–223 | 1:6 | Until 2010 |
| 112 | 2048 | 224–255 | 1:9 | Until 2030 |
| 128 | 3072 | 256–383 | 1:12 | Beyond 2031 |
| 192 | 7680 | 384–511 | 1:20 | |
| 256 | 15,360 | 512+ | 1:30 | |
Table 3. Comparison of time overhead of AHAC vs. SPA.

| Cycles | SPA | AHAC |
| --- | --- | --- |
| 1 | 0.34 s | 687 μs |
| 10 | 2.48 s | 3.60 ms |
| 100 | 27.54 s | 0.03 s |
| 200 | 61.18 s | 0.06 s |
| 500 | 136.23 s | 0.16 s |
| 1000 | 287.61 s | 0.32 s |
| 10,000 | 2832.42 s | 3.81 s |
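Table 2 compares the key lengths of the two schemes at equal security strength and Table 3 compares their measured time per knock cycle. The Go program below is an added illustration of what those two tables are comparing; it is not the authors' AHAC code nor the SPA implementation they measured. Using only the Go standard library (crypto/ecdh requires Go 1.20 or later), it models a knock authenticated the SPA way, an RSA-2048 PKCS#1 v1.5 signature that the server verifies, beside a knock authenticated the AHAC way, an X25519 ECDH shared secret between the client's and server's static keys used to key an HMAC-SHA256 tag over the packet. The payload string, the fixed salt label, the function names and the use of a plain HMAC in place of the Noise Protocol are assumptions of this example, and the timings it prints are whatever the host produces, not the figures in Table 3.

```go
package main

import (
	"crypto"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// knockPayload is a constructed stand-in for the fields a knock packet carries
// (client identity, requested service, timestamp, nonce). It is not AHAC's
// or any SPA tool's real wire format.
var knockPayload = []byte("client=alice;service=ssh;ts=1718400000;nonce=4f2a9c")

// spaSign models the SPA-style knock (the "SPA" column of Tables 2 and 3):
// the client signs a SHA-256 digest of the packet with RSA-2048 PKCS#1 v1.5.
func spaSign(priv *rsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// spaVerify is the server side of the SPA knock: check the RSA signature.
func spaVerify(pub *rsa.PublicKey, payload, sig []byte) bool {
	digest := sha256.Sum256(payload)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// ahacTag models the ECDH-based knock (the "AHAC" column): the sender derives a
// shared secret from X25519 with the peer's static public key, turns it into a
// MAC key with an HMAC extract step under a fixed label (an assumed salt), and
// tags the packet with HMAC-SHA256. The paper pairs ECDH with the Noise
// Protocol; the bare HMAC here is a simplification so the example stays stdlib-only.
func ahacTag(own *ecdh.PrivateKey, peer *ecdh.PublicKey, payload []byte) ([]byte, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	extract := hmac.New(sha256.New, []byte("ahac-knock-example"))
	extract.Write(shared)
	mac := hmac.New(sha256.New, extract.Sum(nil))
	mac.Write(payload)
	return mac.Sum(nil), nil
}

// ahacVerify is the receiver side: recompute the tag from its own static key and
// the sender's public key, then compare in constant time. Because both parties
// contribute a key, the same routine authenticates replies from server to client,
// which is the two-way authentication a one-way RSA signature does not give.
func ahacVerify(own *ecdh.PrivateKey, peer *ecdh.PublicKey, payload, tag []byte) bool {
	expected, err := ahacTag(own, peer, payload)
	return err == nil && hmac.Equal(expected, tag)
}

// rsaKeyBits and ecdhKeyBits report the public-key lengths that Table 2 compares
// (2048 for the RSA modulus, 256 for an X25519 public key).
func rsaKeyBits(pub *rsa.PublicKey) int   { return pub.N.BitLen() }
func ecdhKeyBits(pub *ecdh.PublicKey) int { return len(pub.Bytes()) * 8 }

// benchmark runs n sign-and-verify rounds for each scheme (the "cycles" of
// Table 3) with keys generated once up front, and returns the elapsed time of each.
func benchmark(n int) (time.Duration, time.Duration, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return 0, 0, err
	}
	client, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return 0, 0, err
	}
	server, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return 0, 0, err
	}

	start := time.Now()
	for i := 0; i < n; i++ {
		sig, err := spaSign(rsaKey, knockPayload)
		if err != nil || !spaVerify(&rsaKey.PublicKey, knockPayload, sig) {
			return 0, 0, fmt.Errorf("SPA round %d failed", i)
		}
	}
	spaDur := time.Since(start)

	start = time.Now()
	for i := 0; i < n; i++ {
		tag, err := ahacTag(client, server.PublicKey(), knockPayload)
		if err != nil || !ahacVerify(server, client.PublicKey(), knockPayload, tag) {
			return 0, 0, fmt.Errorf("AHAC round %d failed", i)
		}
	}
	ahacDur := time.Since(start)
	return spaDur, ahacDur, nil
}

func main() {
	for _, n := range []int{1, 10, 100} {
		spa, ahac, err := benchmark(n)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("cycles=%-4d RSA-2048 sign+verify: %v   X25519+HMAC tag+verify: %v\n", n, spa, ahac)
	}
}
```

Run it with `go run` to print per-cycle-count timings for both schemes on the local machine. Two checks are worth keeping in mind when reading the ECDH side: the tag only authenticates the sender because the receiver already holds the sender's static public key, so a tag computed under a different peer key must fail, and the shared secret must go through a derivation step rather than being used raw as the MAC key.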
Share and Cite

MDPI and ACS Style

Xu, M.; Chen, B.; Tan, Z.; Chen, S.; Wang, L.; Liu, Y.; San, T.I.; Fong, S.W.; Wang, W.; Feng, J. AHAC: Advanced Network-Hiding Access Control Framework. Appl. Sci. 2024, 14, 5593. https://doi.org/10.3390/app14135593
