Open Access
ARTICLE
Port-Based Pre-Authentication Message Transmission Scheme
Department of Computer Science and Engineering, Chungnam National University, Daejeon, 34134, Republic of Korea
* Corresponding Author: Yoojae Won. Email:
(This article belongs to the Special Issue: Machine learning and Blockchain for AIoT: Robustness, Privacy, Trust and Security)
Computer Modeling in Engineering & Sciences 2025, 143(3), 3943-3980. https://doi.org/10.32604/cmes.2025.064997
Received 28 February 2025; Accepted 21 May 2025; Issue published 30 June 2025
Abstract
Pre-Authentication and Post-Connection (PAPC) plays a crucial role in realizing the Zero Trust security model by ensuring that access to network resources is granted only after successful authentication. While earlier approaches such as Port Knocking (PK) and Single Packet Authorization (SPA) introduced pre-authentication concepts, they suffer from limitations including plaintext communication, protocol dependency, reliance on dedicated clients, and inefficiency under modern network conditions. These constraints hinder their applicability in emerging distributed and resource-constrained environments such as AIoT and browser-based systems. To address these challenges, this study proposes a novel port-sequence-based PAPC scheme structured as a modular model comprising a client, server, and ephemeral Key Management System (KMS). The system employs the Advanced Encryption Standard (AES-128) to protect message confidentiality and uses a Hash-Based Message Authentication Code (HMAC-SHA256) to ensure integrity. Authentication messages are securely fragmented and mapped to destination port numbers using a signature-based avoidance algorithm, which prevents collisions with unsafe or reserved port ranges. The server observes incoming port sequences, retrieves the necessary keys from the KMS, reconstructs and verifies the encrypted data, and conditionally updates firewall policies. Unlike SPA, which requires decrypting all incoming payloads and imposes server-side overhead, the proposed system verifies only port-derived fragments, significantly reducing computational burden. Furthermore, it eliminates the need for raw socket access or custom clients, supporting browser-based operation and enabling protocol-independent deployment. Through a functional web-based prototype and emulated testing, the system achieved an F1-score exceeding 95% in detecting unauthorized access while maintaining low resource overhead. Although port sequence generation introduces some client-side cost, it remains lightweight and scalable. By tightly integrating lightweight cryptographic algorithms with a transport-layer communication model, this work presents a conceptually validated architecture that contributes a novel direction for interoperable and scalable Zero Trust enforcement in future network ecosystems.
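To make the fragment-to-port idea concrete, the following is an added illustration, not the authors' prototype: it tags an (already AES-encrypted) message with HMAC-SHA256, maps the bytes onto an ordered destination-port sequence that never lands in the reserved 0..1023 range, and lets the server rebuild and verify the message before any firewall change. The paper's signature-based avoidance algorithm is not described on this page, so the example substitutes a plain base conversion into the 1024..65535 range; the AES step, the 8-byte tag truncation and the sample key are constructed assumptions.

```python
import hmac
import hashlib

# Constructed parameters: the paper's signature-based avoidance algorithm is
# not given on this page, so fragments are simply expressed in base
# (65535 - 1024 + 1) and offset into the non-reserved port range 1024..65535.
SAFE_LOW, SAFE_HIGH = 1024, 65535   # ports 0..1023 (well-known) are never emitted
BASE = SAFE_HIGH - SAFE_LOW + 1     # 64512 distinct values carried per port
MAC_LEN = 8                         # truncated HMAC-SHA256 tag length (constructed choice)
MARKER = b"\x01"                    # keeps leading zero bytes from vanishing in int form

def build_port_sequence(ciphertext: bytes, mac_key: bytes) -> list:
    """Client side: tag the (already AES-encrypted) message with HMAC-SHA256,
    then map the bytes to an ordered list of destination ports."""
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()[:MAC_LEN]
    payload = MARKER + len(ciphertext).to_bytes(2, "big") + ciphertext + tag
    n = int.from_bytes(payload, "big")
    ports = []
    while n:
        n, digit = divmod(n, BASE)
        ports.append(digit + SAFE_LOW)
    return ports[::-1]              # most significant fragment is sent first

def verify_port_sequence(ports: list, mac_key: bytes):
    """Server side: rebuild the payload from the observed ports and check the
    tag before any firewall change. Returns the ciphertext, or None on any
    malformed or tampered sequence."""
    if not ports or any(not SAFE_LOW <= p <= SAFE_HIGH for p in ports):
        return None
    n = 0
    for p in ports:
        n = n * BASE + (p - SAFE_LOW)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < len(MARKER) + 2 + MAC_LEN or raw[:1] != MARKER:
        return None
    length = int.from_bytes(raw[1:3], "big")
    ciphertext, tag = raw[3:3 + length], raw[3 + length:]
    if len(ciphertext) != length or len(tag) != MAC_LEN:
        return None
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()[:MAC_LEN]
    return ciphertext if hmac.compare_digest(tag, expected) else None

if __name__ == "__main__":
    key = b"constructed-session-mac-key"   # would come from the ephemeral KMS
    ct = bytes(range(32))                  # stands in for two AES-128 ciphertext blocks
    seq = build_port_sequence(ct, key)
    print(len(seq), "ports; verified:", verify_port_sequence(seq, key) == ct)
```

Because verification is a single HMAC over the reassembled bytes, the server never decrypts anything for an unauthenticated sequence, which is the overhead advantage over SPA that the abstract describes.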
Copyright © 2025 The Author(s). Published by Tech Science Press. This work is licensed under a Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.