[zeromq-dev] Curvezmq guide on handshake etc. could use some clarifications

Pieter Hintjens ph at imatix.com
Mon Sep 22 08:49:59 CEST 2014


The authenticator uses the same model as CZMQ's zauth module. That is,
you provide it with the list of valid client keys, and the rest
happens automatically.

On Mon, Sep 22, 2014 at 7:58 AM, Jonas Thiem <jonasthiem at googlemail.com> wrote:
>
> Hi Pieter,
>
> Thanks for clearing those things up!
>
> Regarding client verification, I am not entirely sure how the PyZMQ
> authenticator works:
> http://zeromq.github.io/pyzmq/api/zmq.auth.html#zmq.auth.Authenticator
>
> Does it use the ZAP handler as you described? If I submit a public key
> list with the location parameter, will it actually ensure the client
> has the corresponding secret key by sending it some challenge value to
> decrypt and send back or something? Or is that something which PyZMQ
> expects me to do myself?
>
> Regards,
> Jonas Thiem
>
> On Sat, Sep 20, 2014 at 10:11 AM, Pieter Hintjens <ph at imatix.com> wrote:
>> Hi Jonas,
>>
>> Sorry for the slow answer.
>>
>>> 1. Is the initial HELLO from the client to the server
>>> unencrypted?
>>
>> Partially, yes. The client sends an encrypted signature box that
>> only the server can decode.
>>
>>> 2. Is the client ever required to have his secret key to read
>>> something during the handshake process?
>>
>> No, the client long-term secret key is never used. The long term
>> public key is sent, encrypted in INITIATE, and is used for
>> authentication. In cases where authentication is not done, clients
>> are anonymous and their long-term keys are irrelevant. We do not
>> use the long term keys (server or client) for messages. All
>> traffic is encrypted using transient keys.
>>
>>> That would mean for a protocol where sending administration
>>> commands under some client identity without necessarily reading
>>> the response, curve zmq wouldn't sufficiently ensure the client's
>>> identity.
>>
>>> 3. If the client's identity isn't ensured, does the zmq
>>> authenticator - given a list of valid public keys - do this?
>>
>> The client sends its long term public key encrypted in INITIATE.
>> The server can authenticate this, or accept it blindly, as it
>> likes. In libzmq this happens in the ZAP handler.
>>
>> -Pieter
>>
>> _______________________________________________
>> zeromq-dev mailing list
>> zeromq-dev at lists.zeromq.org
>> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
>
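The authorisation step Pieter describes above (hand the authenticator a list of valid client public keys; it answers the ZAP request itself) as an added example that is not pyzmq's or CZMQ's own code. It models a ZAP (RFC 27) handler for the CURVE mechanism in plain Python with no pyzmq dependency: it decodes the Z85 (RFC 32) key text that pyzmq's `.key` certificate files use, keeps an allow list per ZAP domain, and turns a ZAP request into a ZAP reply. The names `CurveZapHandler`, `z85_decode`, `z85_encode`, `zap_request` and `demo`, the status texts, and the `ADMIN_KEY`/`ROGUE_KEY` bytes are this example's own constructions, not identifiers from pyzmq or libzmq.

```python
"""Model of a ZAP (ZeroMQ Authentication Protocol, RFC 27) handler for the
CURVE mechanism. Added example, not pyzmq's or CZMQ's code: it shows what an
authenticator does with the key list you hand it. The keys are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

# Z85 alphabet from RFC 32; pyzmq's .key certificate files store keys in Z85.
Z85_ALPHABET = (
    "0123456789abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#"
)
_Z85_INDEX = {c: i for i, c in enumerate(Z85_ALPHABET)}


def z85_decode(text: str) -> bytes:
    """Z85 text -> bytes: each 5 characters are one big-endian 32-bit value."""
    if len(text) % 5:
        raise ValueError("Z85 length must be a multiple of 5")
    out = bytearray()
    for i in range(0, len(text), 5):
        value = 0
        for ch in text[i:i + 5]:
            value = value * 85 + _Z85_INDEX[ch]  # KeyError for a bad character
        out += value.to_bytes(4, "big")
    return bytes(out)


def z85_encode(data: bytes) -> str:
    """bytes -> Z85 text: each 4 bytes become 5 base-85 digits, MSB first."""
    if len(data) % 4:
        raise ValueError("Z85 input length must be a multiple of 4")
    chars: list[str] = []
    for i in range(0, len(data), 4):
        value = int.from_bytes(data[i:i + 4], "big")
        digits: list[str] = []
        for _ in range(5):
            value, rem = divmod(value, 85)
            digits.append(Z85_ALPHABET[rem])
        chars.extend(reversed(digits))
    return "".join(chars)


@dataclass
class CurveZapHandler:
    """Decide ZAP requests for CURVE by the client's long-term public key.

    ZAP request frames: version, request id, domain, address, identity,
    mechanism, credentials...  For CURVE the single credential frame is the
    32-byte client public key that libzmq took from the INITIATE command.
    ZAP reply frames: version, request id, status code, status text,
    user id, metadata.  Domain "*" means "any domain", as in pyzmq.
    """
    allowed: dict[str, set[bytes]] = field(default_factory=dict)

    def allow(self, key_z85: str, domain: str = "*") -> None:
        key = z85_decode(key_z85)
        if len(key) != 32:
            raise ValueError("a CURVE public key is 32 bytes")
        self.allowed.setdefault(domain, set()).add(key)

    def handle(self, request: list[bytes]) -> list[bytes]:
        request_id = request[1] if len(request) > 1 else b""

        def reply(status: bytes, text: bytes, user_id: bytes = b"") -> list[bytes]:
            return [b"1.0", request_id, status, text, user_id, b""]

        if len(request) < 6:
            return reply(b"500", b"Malformed ZAP request")
        version, _, domain, _address, _identity, mechanism, *credentials = request
        if version != b"1.0":
            return reply(b"500", b"Invalid version")
        if mechanism != b"CURVE":
            return reply(b"400", b"Unsupported mechanism")
        if len(credentials) != 1 or len(credentials[0]) != 32:
            return reply(b"400", b"Invalid CURVE credentials")
        client_key = credentials[0]
        domain_name = domain.decode("utf-8", "replace")
        keys = self.allowed.get(domain_name, set()) | self.allowed.get("*", set())
        if client_key in keys:
            # User id choice for this example: the Z85 form of the accepted key.
            return reply(b"200", b"OK", z85_encode(client_key).encode())
        return reply(b"400", b"Client key not in allow list")


# Constructed keys for the demo (not real certificates).
ADMIN_KEY = bytes(range(32))
ROGUE_KEY = bytes(range(32, 64))


def zap_request(client_key: bytes, request_id: bytes = b"1") -> list[bytes]:
    """Build the request frames libzmq would send for a CURVE client (sample values)."""
    return [b"1.0", request_id, b"global", b"127.0.0.1", b"", b"CURVE", client_key]


def demo() -> tuple[bytes, bytes]:
    auth = CurveZapHandler()
    auth.allow(z85_encode(ADMIN_KEY))  # the one key we trust, as a Z85 string
    ok = auth.handle(zap_request(ADMIN_KEY))
    denied = auth.handle(zap_request(ROGUE_KEY, b"2"))
    return ok[2], denied[2]


if __name__ == "__main__":
    print(demo())
```

The handler never sees the handshake itself; libzmq asks it, over the `inproc://zeromq.zap.01` socket, only whether the long-term public key the client presented is acceptable, and the 200/400 answer decides whether the connection is kept. In pyzmq the same decision is made for you by `zmq.auth.thread.ThreadAuthenticator`: call `auth.start()`, then `auth.configure_curve(domain='*', location='/path/to/public_keys')`, where the directory holds the clients' public `.key` files, and set `zmq.CURVE_SERVER` and `zmq.CURVE_SECRETKEY` on the server socket and `zmq.CURVE_SERVERKEY`, `zmq.CURVE_PUBLICKEY` and `zmq.CURVE_SECRETKEY` on the client socket.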