[zeromq-dev] Curvezmq guide on handshake etc. could use some clarifications

Pieter Hintjens ph at imatix.com
Sat Sep 20 10:11:41 CEST 2014

Hi Jonas,

Sorry for the slow answer.

> 1. Is the initial HELLO from the client to the server unencrypted?

Partially, yes. The client sends an encrypted signature box that only
the server can decode.

> 2. Is the client ever required to have his secret key to read
> something during the handshake process?

No, the client long-term secret key is never used. The long term
public key is sent, encrypted in INITIATE, and is used for
authentication. In cases where authentication is not done, clients are
anonymous and their long-term keys are irrelevant. We do not use the
long term keys (server or client) for messages. All traffic is
encrypted using transient keys.
>    That would mean for a protocol where sending administration
> commands under some client identity without necessarily reading the
> response, curve zmq wouldn't sufficiently ensure the client's
> identity.

> 3. If the client's identity isn't ensured, does the zmq authenticator
> - given a list of valid public keys - do this?

The client sends its long term public key encrypted in INITIATE. The
server can authenticate this, or accept it blindly, as it like. In
libzmq this happens in the ZAP handler.


More information about the zeromq-dev mailing list