[zeromq-dev] Curvezmq Message Replay

Matthew Hawn matthewh at donaanacounty.org
Sat Sep 20 00:38:20 CEST 2014

It appears that messages within a session in zeromq can be replayed.  This does not happen across sessions, but within sessions. Here is a python script to confirm: https://gist.github.com/anonymous/d8b09c98de050dfbd1b4

This can replay either client or server messages

The problem is that the peer does not check the message nonce to detect replay.  Unfortunately,  because of the curvezmq spec, short nonces can potentially be any value. This makes it nearly impossible to track previously used nonces  This is because CurveZMQ specifically loosened the requirements for strictly incrementing short nonces.  The base protocol, CurveCP does require incrementing short nonces for both packet ordering and replay detection.

On the plus side, both curve and libzmq use incrementing short nonces.  Some simple code to store and check against the last nonce received should be trivial and would not cause any interoperability problems with these two libraries.  This would completely solve the problem. However, the CurveZMQ spec would need to be changed to re-include the strictly incrementing short nonces.  Also, any other native libraries would need to ensure  compliance.  

This is only about the short nonces as part of the message packet.  Duplicating the other packets will break from the protocol and is easily detected and handled by the implementations.  The long nonces are used together with the transient keys and cannot be duplicated.   Codes-In-Chaos did mention a replay attack on client sessions.  libzmq and curve are not vulnerable as they both regenerate their cookie key for every connection and persist the server transient key between hello and initiate.

More information about the zeromq-dev mailing list