[zeromq-dev] DTLS over ZeroMQ

Tom Cocagne tom.cocagne at gmail.com
Sat Mar 2 09:12:50 CET 2013


I have a use case coming up that requires secure communication between
two remote nodes that have an arbitrary number of message relayers
sitting in between them. In this particular case, some of those
machines will be using unrouteable IPs so most of the traditional SSL
tunneling solutions used in these kinds of situations won't be easily
applicable. I haven't heard of many other approaches to secure
communications with ZeroMQ so I started looking into embedding DTLS
packets within ZeroMQ messages. The results of my initial
investigations were encouraging so I put together a github repo
containing a minimal, proof-of-concept implementation
(https://github.com/cocagne/zdtls) and figured I'd share it with the
list in case anyone else has an interest in this area.

One somewhat annoying limitation of DTLS is that the message sizes are
restricted by the constraints of UDP packets. I've been toying with an
idea to get around this:

1. Generate a random AES encryption key and Initialization Vector
2. Encrypt your message using the key and IV
3. Prefix this with a message part that contains a DTLS packet who's
content is: (IV, key, Encrypted Message Hash)

In theory, successful processing of the DTLS packet would prove the
authenticity of the prefix, the embedded hash would, in turn, prove
the authenticity of the encrypted message part, and the IV & Key would
then be used to decrypt it. Though of course, I'm not a cryptographer
so there's probably 100 things wrong with that idea. ;-)

Tom



More information about the zeromq-dev mailing list