[zeromq-dev] Curvezmq guide on handshake etc. could use some clarifications
Jonas Thiem
jonasthiem at googlemail.com
Mon Sep 22 07:58:23 CEST 2014
Hi Pieter,
Thanks for clearing those things up!
Regarding client verification, I am not entirely sure how the PyZMQ
authenticator works:
http://zeromq.github.io/pyzmq/api/zmq.auth.html#zmq.auth.Authenticator
Does it use the ZAP handler as you described? If I submit a public key
list with the location parameter, will it actually ensure the client
has the corresponding secret key by sending it some challenge value to
decrypt and send back or something? Or is that something which PyZMQ
expects me to do myself?
Regards,
Jonas Thiem
On Sat, Sep 20, 2014 at 10:11 AM, Pieter Hintjens <ph at imatix.com> wrote:
> Hi Jonas,
>
> Sorry for the slow answer.
>
>> 1. Is the initial HELLO from the client to the server
>> unencrypted?
>
> Partially, yes. The client sends an encrypted signature box that
> only the server can decode.
>
>> 2. Is the client ever required to have his secret key to read
>> something during the handshake process?
>
> No, the client long-term secret key is never used. The long term
> public key is sent, encrypted in INITIATE, and is used for
> authentication. In cases where authentication is not done, clients
> are anonymous and their long-term keys are irrelevant. We do not
> use the long term keys (server or client) for messages. All
> traffic is encrypted using transient keys.
>>
>> That would mean for a protocol where sending administration
>> commands under some client identity without necessarily reading
>> the response, curve zmq wouldn't sufficiently ensure the client's
>> identity.
>
>> 3. If the client's identity isn't ensured, does the zmq
>> authenticator - given a list of valid public keys - do this?
>
> The client sends its long term public key encrypted in INITIATE.
> The server can authenticate this, or accept it blindly, as it
> likes. In libzmq this happens in the ZAP handler.
>
> -Pieter
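The setup Jonas asks about, as an added example that is not part of this thread and not PyZMQ's own code: a CURVE-secured REP server whose client check is delegated to a ZAP handler (PyZMQ's ThreadAuthenticator configured with a directory of public-key certificates), plus one client whose key is in that directory and one whose key is not. The application code never sends a challenge itself; libzmq runs the CURVE handshake, and the ZAP handler only decides whether the client's long-term public key is acceptable, so the allowed client's request reaches the server and the unknown client's never does. The loopback endpoint, certificate names and timeouts are assumptions, and the block returns None when pyzmq or CURVE support is not installed.

```python
"""Added example, not code from the zeromq-dev thread or from PyZMQ itself.

A CURVE-secured REP server whose client authentication is delegated to a
ZAP handler (PyZMQ's ThreadAuthenticator).  The application never issues a
challenge of its own: libzmq runs the CURVE handshake, and the ZAP handler
only decides whether the client's long-term public key is on the allow-list.
Key names, the loopback endpoint and the timeouts are assumptions.
"""
import os
import shutil
import tempfile

try:
    import zmq
    import zmq.auth
    from zmq.auth.thread import ThreadAuthenticator
    HAVE_CURVE = zmq.has("curve")      # libzmq must be built with libsodium
except ImportError:                    # pyzmq not installed at all
    zmq = None
    HAVE_CURVE = False


def _try_client(ctx, server, endpoint, server_public, client_public, client_secret, timeout_ms):
    """Connect a REQ client with the given long-term keys and send one request.

    Returns True if a reply arrives.  A client the ZAP handler rejects never
    completes the handshake, so its request never reaches the REP socket.
    """
    client = ctx.socket(zmq.REQ)
    client.linger = 0
    client.curve_secretkey = client_secret
    client.curve_publickey = client_public
    client.curve_serverkey = server_public   # client must know the server's long-term public key
    client.connect(endpoint)
    client.send(b"admin-command")            # constructed sample request
    try:
        if server.poll(timeout_ms):          # only an accepted client's request shows up here
            server.send(b"done: " + server.recv())
        return bool(client.poll(timeout_ms))
    finally:
        client.close()


def curve_demo(timeout_ms=1500):
    """Run the exchange for an allowed and an unknown client.

    Returns None when pyzmq or CURVE support is unavailable, otherwise
    {"allowed_client_got_reply": bool, "unknown_client_got_reply": bool}.
    """
    if not HAVE_CURVE:
        return None

    key_dir = tempfile.mkdtemp()
    public_keys_dir = os.path.join(key_dir, "public_keys")
    os.mkdir(public_keys_dir)

    # Long-term key pairs written as PyZMQ certificate files (generated for this run).
    server_pub_file, server_sec_file = zmq.auth.create_certificates(key_dir, "server")
    client_pub_file, client_sec_file = zmq.auth.create_certificates(key_dir, "allowed_client")
    server_public, server_secret = zmq.auth.load_certificate(server_sec_file)
    client_public, client_secret = zmq.auth.load_certificate(client_sec_file)
    # Only the allowed client's *public* certificate goes where the authenticator looks.
    shutil.copy(client_pub_file, public_keys_dir)
    unknown_public, unknown_secret = zmq.curve_keypair()   # a valid pair, just never registered

    ctx = zmq.Context()
    auth = ThreadAuthenticator(ctx)
    auth.start()                                  # ZAP handler bound on inproc://zeromq.zap.01
    auth.configure_curve(domain="*", location=public_keys_dir)

    server = ctx.socket(zmq.REP)
    server.curve_secretkey = server_secret
    server.curve_publickey = server_public
    server.curve_server = True                    # switch on the CURVE mechanism
    port = server.bind_to_random_port("tcp://127.0.0.1")
    endpoint = f"tcp://127.0.0.1:{port}"
    try:
        return {
            "allowed_client_got_reply": _try_client(
                ctx, server, endpoint, server_public, client_public, client_secret, timeout_ms),
            "unknown_client_got_reply": _try_client(
                ctx, server, endpoint, server_public, unknown_public, unknown_secret, timeout_ms),
        }
    finally:
        server.close(linger=0)
        auth.stop()
        ctx.term()
        shutil.rmtree(key_dir, ignore_errors=True)


if __name__ == "__main__":
    print(curve_demo())
```

The point to take from the run is where the decision is made: the only application-level code is the allow-list directory handed to `configure_curve`; possession of the matching secret key is established inside libzmq's CURVE handshake, and the ZAP handler is consulted with the client's long-term public key afterwards. Nothing in the application ever sees a challenge or a response.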