[zeromq-dev] Encryption (OpenSSL/TLS)
Burak Arslan
burak.arslan at arskom.com.tr
Fri Oct 1 09:41:43 CEST 2010
On 10/01/10 03:47, Brian Granger wrote:
> Great topic...
>
>> 1) VPN level encryption, handled UNDER zmq.
>> 2) SSL level encryption, handled BY zmq
>> 3) message level encryption, handled ON TOP OF zmq.
i would not rely solely on network-level security (vpn) for 0mq traffic,
as it's still vulnerable to inside attacks.
using connection level security (ssl, tls) would do the job only if your
nodes are trusted end-to-end. note that this includes your originator
node. if you're getting e.g. a soap request via http, and passing it
around with 0mq, implementing connection-level security between zeromq
nodes will protect you from inside attacks, but won't protect you
against malicious clients. so you need a sort of message authentication
scheme anyway.
message level encryption is the fastest and most secure way to secure
0mq communication. and once you implement this, you don't need to do the
rest, which makes your network more robust by both simplifying your
network setup and making it operate faster (only endpoints need to worry
about cryptographic operations).
connection-level encryption won't help you conceal message patterns, as
they could be deduced from your traffic patterns. there's no way (nor
any real benefit) of completely concealing the messaging patterns.
in short, once 0mq gets robust enough to survive outside the corporate
firewall, it's secure enough for its purposes. any other security
precaution should be implemented on top of it, via message signcryption.
best regards
burak
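As an added illustration of the message-level "signcryption" Burak recommends (example code written for this page, not from the thread or from the 0MQ project): a pre-shared-key envelope that encrypts and authenticates each message body so the resulting bytes can be sent as an ordinary 0MQ message frame, with the receiver checking the tag before it decrypts anything. It assumes a 32-byte secret shared by the two endpoints; the HMAC-based keystream stands in for a real AEAD such as a NaCl box or AES-GCM, and replay protection (sequence numbers) is left out.

```python
import hmac
import hashlib
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def derive_keys(master_key: bytes):
    """Split one shared secret into separate encryption and MAC keys (assumed PSK)."""
    k_enc = hmac.new(master_key, b"zmq-msg-enc", hashlib.sha256).digest()
    k_mac = hmac.new(master_key, b"zmq-msg-mac", hashlib.sha256).digest()
    return k_enc, k_mac


def keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC as a PRF (stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master_key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC: envelope = nonce || ciphertext || tag, sent as one 0MQ frame."""
    k_enc, k_mac = derive_keys(master_key)
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)  # fresh per message; never reuse with the same key
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(master_key: bytes, envelope: bytes):
    """Return the plaintext, or None if the frame is malformed or its tag fails to verify."""
    k_enc, k_mac = derive_keys(master_key)
    if len(envelope) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = envelope[:NONCE_LEN], envelope[NONCE_LEN:-TAG_LEN], envelope[-TAG_LEN:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # reject before decrypting: a malicious client can't feed us bytes
    return bytes(a ^ b for a, b in zip(ct, keystream(k_enc, nonce, len(ct))))


if __name__ == "__main__":
    psk = os.urandom(32)  # constructed demo key; real deployments provision this per peer
    frame = seal(psk, b'<soap:Envelope>...</soap:Envelope>')
    print(unseal(psk, frame))
```

Because every intermediate 0MQ node only forwards opaque envelopes, only the two endpoints hold keys or run any cryptography, which is the simplification the post argues for.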