[zeromq-dev] Curve: Potential DoS with error commands ?

Goswin von Brederlow goswin-v-b at web.de
Fri Jul 4 16:34:00 CEST 2014


On Thu, Jul 03, 2014 at 09:24:59PM +0200, Pieter Hintjens wrote:
> I guess the error command could be encrypted with the server long term
> private key, yes.
> 
> On Thu, Jul 3, 2014 at 8:15 PM, Diego Duclos
> <diego.duclos at palmstonegames.com> wrote:
> > I've been reading up the Curve spec with more detail, and the way the error
> > packet currently works caught me by surprise. Couldn't a crafted TCP packet
> > with an error command be sent to a client? Tricking it into thinking the
> > server has denied its credentials when it has done no such thing?
> > This allows someone with the ability to listen in but not block packets to
> > do denial of service, which wouldn't be the case if the error packet was
> > authenticated & encrypted.

What if the error was that the server's public key didn't fit?

Regards
	Goswin


