[zeromq-dev] Question about CurveCP implementation in CZMQ

shancat shannenlaptop at gmail.com
Sun Oct 13 00:14:23 CEST 2013


As Pieter and I said, just add padding, but I think in the spec (CurveZMQ or
CurveCP) it's suggested to also send garbage data when you're not sending
real data, to make traffic analysis harder.

On Oct 13, 2013 3:07 AM, "Pieter Hintjens" <ph at imatix.com> wrote:

> Indeed, these messages are used for the handshake and there is no
> benefit to an attacker to see the handshake happening. You can in any
> case see it by observing the to and fro messages from client to server
> if you know the protocol. Also, how would you decrypt if you don't
> know the command you're receiving?
>
> As for padding, you can of course do this, and it's one of the
> suggestions in the CurveZMQ spec. It's not an RFC issue. Just add
> dummy frames to your ZMQ messages.
>
> -Pieter
>
> On Sat, Oct 12, 2013 at 2:40 PM, shancat <shannenlaptop at gmail.com> wrote:
> > I think padding is up to the user and I think those messages are used to
> > set up encryption. How do you encrypt the messages that are used to set up
> > encryption? Besides I don't think they need to be encrypted anyway. Could be
> > wrong on those points but that's what I thought.
> >
> > On Oct 12, 2013 11:35 PM, "T. Linden" <tlinden at cpan.org> wrote:
> >>
> >> Hi,
> >>
> >> while working with the curve encrypted feature of CZMQ I found that not
> >> everything is encrypted, see attached snoop (hex dump). ZMQ message
> >> headers are clear text like "MESSAGE", "HELLO", "READY" and so forth.
> >>
> >> Are there any plans to change this in the future, i.e. to encrypt them
> >> as well? And another thing occurred to me: the packets didn't seem to be
> >> padded. So, an attacker could see, which packet has which purpose AND by
> >> looking at the packet size assume what kind of message might be in
> >> there.
> >>
> >> Yes, I admit this sounds somewhat paranoid :) But that's a virtue these
> >> days, isn't it?
> >>
> >>
> >>
> >>
> >> best regards,
> >> Tom
> >>
> >> --
> >>     PGP Key: https://www.daemon.de/txt/tom-pgp-pubkey.txt
> >> S/Mime Cert: https://www.daemon.de/txt/tom-smime-cert.pem
> >>  Bitmessage: BM-2DAcYUx3xByfwbx2bYYxeXgq3zDscez8wC
> >>
> >>
> >> _______________________________________________
> >> zeromq-dev mailing list
> >> zeromq-dev at lists.zeromq.org
> >> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
> >>
> >
>
>
>
> --
> -
> Pieter Hintjens
> CEO of iMatix.com
> Founder of ZeroMQ community
> blog: http://hintjens.com
>
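
An added example, not part of the original thread or of CZMQ: one way to apply both suggestions above, a trailing dummy frame that rounds each message up to a size bucket and an all-padding message sent while idle. Frames are modelled as plain byte strings; `BUCKET` and the function names are assumptions made for this sketch.

```python
BUCKET = 256  # assumed size class in bytes, chosen for this example


def pad_message(frames, bucket=BUCKET):
    """Return frames plus one trailing dummy frame.

    The dummy frame rounds the payload total up to a multiple of `bucket`.
    It is always appended (possibly empty), so the receiver can drop the
    last frame without needing a marker.
    """
    total = sum(len(f) for f in frames)
    return list(frames) + [bytes(-total % bucket)]


def cover_message(bucket=BUCKET):
    """A message with no real frames, sent while the application is idle."""
    return [bytes(bucket)]


def unpad_message(frames):
    """Strip the dummy frame; return None when the message was cover traffic."""
    if not frames:
        raise ValueError("padded message must contain a dummy frame")
    real = frames[:-1]
    return real if real else None


def wire_total(frames):
    """Total payload bytes across all frames of one message."""
    return sum(len(f) for f in frames)


if __name__ == "__main__":
    # Constructed sample messages, not taken from the attached snoop.
    for msg in ([b"LOGIN", b"alice"], [b"x" * 300]):
        padded = pad_message(msg)
        print(wire_total(msg), "->", wire_total(padded), unpad_message(padded) == msg)
    print("cover:", wire_total(cover_message()), unpad_message(cover_message()))
```

This equalises the total size per message only: where the transport encrypts frame by frame, each frame's length stays visible to an observer, so the real frames themselves would also need padding to hide it.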