[zeromq-dev] Authenticated pub/sub - does this approach make sense?

Ian Barber ian.barber at gmail.com
Mon Oct 22 01:19:26 CEST 2012


On Sat, Oct 20, 2012 at 2:16 PM, Merijn Verstraaten
<merijn at inconsistent.nl>wrote:

>
>
> This works, but is inconvenient when group membership is transient
> (requires rekey-ing all subscribers after one client leaves the group). So
> after some thinking I started considering handling subscription server side
> too.
>

I was actually chatting with someone about this the other day. One way to
approach it is to have the message data encrypted with a certain key, which
rotates occasionally (this is a tunable bit, but could be on new
subscription for example, or after a time period). This key itself
is encrypted multiple times, under client specific codes, which are
broadcast when the rotation happens (or could be an OOB side channel
exchange). Of course there's a question of number of clients, tradeoffs
with frequency of change versus data overhead, but you get a good level of
security that you can tune appropriately.

Ian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.zeromq.org/pipermail/zeromq-dev/attachments/20121021/ce52acaa/attachment.htm>


More information about the zeromq-dev mailing list