[zeromq-dev] Question about CurveCP implementation in CZMQ

Pieter Hintjens ph at imatix.com
Sat Oct 12 18:06:56 CEST 2013


Indeed, these messages are used for the handshake and there is no
benefit to an attacker to see the handshake happening. You can in any
case see it by observing the to and fro messages from client to server
if you know the protocol. Also, how would you decrypt if you don't
know the command you're receiving?

As for padding, you can of course do this, and it's one of the
suggestions in the CurveZMQ spec. It's not an RFC issue. Just add
dummy frames to your ZMQ messages.

-Pieter

On Sat, Oct 12, 2013 at 2:40 PM, shancat <shannenlaptop at gmail.com> wrote:
> I think padding is up to the user and I think those messages are used to
> set up encryption. How do you encrypt the messages that are used to set up
> encryption? Besides I don't think they need to be encrypted anyway. Could be
> wrong on those points but that's what I thought.
>
> On Oct 12, 2013 11:35 PM, "T. Linden" <tlinden at cpan.org> wrote:
>>
>> Hi,
>>
>> while working with the curve encrypted feature of CZMQ I found that not
>> everything is encrypted, see attached snoop (hex dump). ZMQ message
>> headers are clear text like "MESSAGE", "HELLO", "READY" and so forth.
>>
>> Are there any plans to change this in the future, i.e. to encrypt them
>> as well? And another thing occurred to me: the packets didn't seem to be
>> padded. So, an attacker could see, which packet has which purpose AND by
>> looking at the packet size assume what kind of message might be in
>> there.
>>
>> Yes, I admit this sounds somewhat paranoid :) But that's a virtue these
>> days, isn't it?
>>
>>
>>
>>
>> best regards,
>> Tom
>>
>> --
>>     PGP Key: https://www.daemon.de/txt/tom-pgp-pubkey.txt
>> S/Mime Cert: https://www.daemon.de/txt/tom-smime-cert.pem
>>  Bitmessage: BM-2DAcYUx3xByfwbx2bYYxeXgq3zDscez8wC
>>



-- 
-
Pieter Hintjens
CEO of iMatix.com
Founder of ZeroMQ community
blog: http://hintjens.com
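
The dummy-frame padding suggested in the reply above, as an added Python example that is not part of the original thread or of CZMQ. It goes one step further than appending a single dummy frame: the message is repacked into equal-sized frames so that individual frame lengths do not track the payload either. `FRAME_SIZE`, `MIN_FRAMES` and the length-prefixed layout are assumptions; the list of byte strings it returns is what would be handed to the socket as a multipart message.

```python
import struct

FRAME_SIZE = 256   # assumed fixed size of every frame sent (constructed value)
MIN_FRAMES = 2     # assumed minimum frame count, hides very short messages

def pad_message(frames, frame_size=FRAME_SIZE, min_frames=MIN_FRAMES):
    """Pack application frames into equal-sized frames, padding with zero bytes."""
    # Serialise: frame count, then each frame as 4-byte length + body.
    blob = struct.pack("!I", len(frames))
    for f in frames:
        blob += struct.pack("!I", len(f)) + f
    # Round up to a whole number of fixed-size frames (at least min_frames).
    n = max(min_frames, -(-len(blob) // frame_size))
    blob = blob.ljust(n * frame_size, b"\x00")
    return [blob[i:i + frame_size] for i in range(0, len(blob), frame_size)]

def unpad_message(wire_frames, frame_size=FRAME_SIZE):
    """Recover the application frames; reject anything malformed."""
    if not wire_frames or any(len(f) != frame_size for f in wire_frames):
        raise ValueError("unexpected frame size")
    blob = b"".join(wire_frames)
    (count,) = struct.unpack_from("!I", blob, 0)
    pos, frames = 4, []
    for _ in range(count):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from("!I", blob, pos)
        pos += 4
        if pos + length > len(blob):
            raise ValueError("frame length exceeds message")
        frames.append(blob[pos:pos + length])
        pos += length
    if any(blob[pos:]):
        raise ValueError("non-zero padding")
    return frames

def wire_shape(wire_frames):
    """What a passive observer can measure: the length of each frame."""
    return [len(f) for f in wire_frames]

if __name__ == "__main__":
    short = pad_message([b"PING"])                  # constructed sample
    longer = pad_message([b"login", b"x" * 600])    # constructed sample
    print(wire_shape(short), wire_shape(longer))
```

What still leaks is the number of fixed-size frames, so `FRAME_SIZE` and `MIN_FRAMES` should be chosen so that the messages that must look alike fall into the same count.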


