[zeromq-dev] Encryption (OpenSSL/TLS)

Blair Bethwaite blair.bethwaite at monash.edu
Fri Oct 1 01:33:12 CEST 2010


Hi list,

We're experimenting with zmq at the moment and I've been thinking a
little about this general issue too...

On 1 October 2010 05:05, John Flanagan <flanagan.ffs at gmail.com> wrote:
> There are three overall approaches:
>
> 1) VPN level encryption, handled UNDER zmq.
> 2) SSL level encryption, handled BY zmq
> 3) message level encryption, handled ON TOP OF zmq.

Succinct summary. I'd like to add a couple of talking points:
Option (1) is clearly the most robust solution; however, _deploying_ it
in the wild is not so easy. In our use case we can only expect to have
administrative access to one box in a large connected system running
over heterogeneous systems. If anyone knows of a good way to create a
static-linked binary including transparent VPN under zmq we'd love to
hear about it.
Option (3) should be considered weak. Even assuming key-negotiation
etc. can be handled out-of-band easily, this approach is still open to
man-in-the-middle and replay attacks which could break or cause
serious disruption to the system.

Cheers,
~Blair

-- 
Blair Bethwaite
Researcher, Developer, SysAdmin, Nimrod and Grid support specialist
Monash eScience and Grid Engineering Lab (http://www.messagelab.monash.edu.au/)
(+613) 9903 2800
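As an added example (not code from this post, from Blair, or from the ZeroMQ project), here is what the replay weakness of option (3) looks like when message-level encryption is bolted on with a pre-shared key, and the cheapest check that closes it. The key is assumed to have been agreed out of band, exactly as the post assumes; the "wire" is a plain slice standing in for a ZeroMQ socket, and the Sender/Receiver/Demo names are illustrative, not from any library. Each frame is AES-GCM over the application message with the 64-bit sequence number carried in the nonce, so the receiver can both authenticate the frame and notice that it has seen that sequence number before.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrShortFrame = errors.New("frame shorter than nonce")
	ErrAuth       = errors.New("authentication failed (tampered or wrong key)")
	ErrReplay     = errors.New("sequence number not newer than last accepted")
)

const nonceSize = 12 // standard AES-GCM nonce length

// Sender seals messages. The nonce is a 4-byte random prefix (fresh per Sender,
// so two runs with the same key never reuse a nonce) followed by a 64-bit
// big-endian counter that doubles as the frame's sequence number.
type Sender struct {
	aead   cipher.AEAD
	prefix [4]byte
	seq    uint64
}

// Receiver opens frames. With checkReplay set it refuses any frame whose
// sequence number is not strictly greater than the last one it accepted.
type Receiver struct {
	aead        cipher.AEAD
	checkReplay bool
	lastSeq     uint64
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewSender(key []byte) (*Sender, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	s := &Sender{aead: aead}
	if _, err := rand.Read(s.prefix[:]); err != nil {
		return nil, err
	}
	return s, nil
}

func NewReceiver(key []byte, checkReplay bool) (*Receiver, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Receiver{aead: aead, checkReplay: checkReplay}, nil
}

// Seal returns one frame: 4-byte prefix | 8-byte seq | ciphertext | 16-byte tag.
// GCM binds the nonce into the tag, so the sequence number is authenticated.
func (s *Sender) Seal(plaintext []byte) []byte {
	s.seq++
	nonce := make([]byte, nonceSize)
	copy(nonce, s.prefix[:])
	binary.BigEndian.PutUint64(nonce[4:], s.seq)
	return s.aead.Seal(nonce, nonce, plaintext, nil)
}

// Open authenticates first and only then touches state, so a forged frame
// with a huge sequence number cannot advance lastSeq and lock out the sender.
func (r *Receiver) Open(frame []byte) ([]byte, error) {
	if len(frame) < nonceSize {
		return nil, ErrShortFrame
	}
	nonce, ct := frame[:nonceSize], frame[nonceSize:]
	pt, err := r.aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, ErrAuth
	}
	if r.checkReplay {
		seq := binary.BigEndian.Uint64(nonce[4:])
		if seq <= r.lastSeq {
			return nil, ErrReplay
		}
		r.lastSeq = seq
	}
	return pt, nil
}

// Outcome records what each receiver did with the attacker's frames.
type Outcome struct {
	Delivered      []string // messages the checking receiver accepted
	ReplayAccepted bool     // receiver without the counter check took the replay
	ReplayRejected bool     // receiver with the counter check returned ErrReplay
	TamperRejected bool     // a frame with one flipped byte failed authentication
}

// Demo plays the scenario from the thread: shared key, an attacker who records
// one frame and resends it, and who also flips a byte of another in transit.
func Demo() (Outcome, error) {
	var out Outcome
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key only
	s, err := NewSender(key)
	if err != nil {
		return out, err
	}
	naive, _ := NewReceiver(key, false)
	strict, _ := NewReceiver(key, true)
	wire := [][]byte{s.Seal([]byte("job 17: start")), s.Seal([]byte("job 17: stop"))}
	for _, f := range wire {
		pt, err := strict.Open(f)
		if err != nil {
			return out, err
		}
		out.Delivered = append(out.Delivered, string(pt))
		if _, err := naive.Open(f); err != nil {
			return out, err
		}
	}
	_, err = naive.Open(wire[0]) // replay of the recorded "start" frame
	out.ReplayAccepted = err == nil
	_, err = strict.Open(wire[0])
	out.ReplayRejected = errors.Is(err, ErrReplay)
	f := s.Seal([]byte("job 18: start"))
	f[nonceSize] ^= 0x01 // flip one ciphertext byte in transit
	_, err = strict.Open(f)
	out.TamperRejected = errors.Is(err, ErrAuth)
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("delivered: %q\n", out.Delivered)
	fmt.Println("naive receiver accepted replay:", out.ReplayAccepted)
	fmt.Println("checking receiver rejected replay:", out.ReplayRejected)
	fmt.Println("tampered frame rejected:", out.TamperRejected)
}
```

The "strictly greater than last accepted" rule tolerates dropped frames (which matters if the socket is PUB/SUB) but rejects reordering, and a sender that restarts with the same key would be locked out by a receiver that has already seen higher counters, so in practice a session key or session identifier is negotiated per connection. None of this addresses the key negotiation itself; it only shows that once a shared key exists, a per-message scheme is not replay-safe unless the receiver keeps state.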


