[zeromq-dev] Just a simple quick question about ZeroMQ security.

Diego Duclos diego.duclos at palmstonegames.com
Tue Feb 25 12:17:14 CET 2014


There are many ways to securely do password based authentication,
SRP being one of them, though ZMQ currently doesn't implement this.


On Tue, Feb 25, 2014 at 9:53 AM, Goswin von Brederlow <goswin-v-b at web.de>wrote:

> On Tue, Feb 25, 2014 at 06:28:41AM +0900, crocket wrote:
> > As far as I know, there are 3 security mechanisms.
> >
> > 1) public/private key pair
> > 2) password
> > 3) NULL
> >
> > A key pair might be easy for non-technical people to use if we provide
> > easy-to-use softwares.
> > We generate key pairs and inform people that we have generated key
> > pairs for them.
> > They'll use public key as their ID on the internet. However, I don't
> > know whether it'll work out well.
> >
> > A password? I'm not sure how secure it'll be. People often use plain
> passwords.
> >
> > Has anyone found a way to make ZeroMQ security easy for your grandma?
>
> Obviously NULL is pointless. But so is password. A password can be
> captured and reused so anyone can simply steal your account. So that
> leaves public/private key pair.
>
> The way CURVE works in ZMQ you have to know the public key of the
> server before connecting. That garanties that you are talking to the
> right peer and nobody else can read what you are saying.
>
> The client can generate its own key pair yourself on the fly and
> connect to the server. This tells the server the public key of the
> client and it can then do some "create user" dance. E.g. request a
> username, email and other infos from the client and then send a random
> token to the user email address, the user enters the token in the
> client and the client then confirms the "create user" with that token.
> Voila, user created. The server then stores the clients public key and
> user infos for future reference.
>
> Or you can generate the key pair on the server side, better a
> certificate (which is just a nice packaging). Add the servers public
> key in the meta information of the certificate and send this to the
> user in some safe way, e.g. put it on an USB stick and hand deliver.
> :) The client then takes the certificate and extracts the server
> public key as well as its own key pair from it. And you are all set.
>
>
> What remains are the security concerns for the clients private key (or
> the certificate as whole). If anyone manages to steal that the account
> is compromised. If $HOME is on NFS for example that is trivial.
>
> So I suggest not storing the certificate in plain text. Put it into a
> password safe or encrypt it with a password (which you don't store).
> This would be completly client side so the pasword is never
> transmitted over the internet.
>
> MfG
>         Goswin
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev at lists.zeromq.org
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.zeromq.org/pipermail/zeromq-dev/attachments/20140225/31519c0e/attachment.htm>


More information about the zeromq-dev mailing list