[zeromq-dev] Any way to get key used for router connection
Pieter Hintjens
ph at imatix.com
Mon Aug 17 12:35:30 CEST 2015
Have you studied the security examples I wrote?
- read http://hintjens.com/blog:48 and http://hintjens.com/blog:49
- don't use ROUTER identity, the field is really a routing key and has
nothing to do with peer identity
- look at how CZMQ's zauth works, and look at the RFC for the ZAP
protocol (http://rfc.zeromq.org/spec:27)
On Mon, Aug 17, 2015 at 5:43 AM, Charles West <crwest at ncsu.edu> wrote:
> Hello!
>
> I'm building the second version of a open source differential GPS sharing
> software (pylongps.com). I've run into a bit of a snag though.
>
> Does anyone know of a good way to get the key associated with a CURVE router
> connection? ZAP authentication can check if a key is on the whitelist, but
> it doesn't appear to provide more than a go/no go. I need to be able to
> check the key associated with a specific ROUTER connection so that I can
> limit what the owner of a particular connection key can do (people with one
> key can't pretend to be someone else).
>
> My original idea was to use the ZMQ_IDENTITY field to set the connection ID
> to a superset of the connection key, then just have the ZAP handler verify
> the connection ID contained the key at the beginning. Further ID processing
> would then be done via the connection ID at the router socket. However, the
> ZMQ_IDENTITY set does not show up in the ZAP messages, so this isn't
> possible. Further reading of the mailing list indicates that the
> ZMQ_IDENTITY isn't suppose to propagate like that anyway.
>
> The brute force solution would be to force a authentication exchange using a
> signing key and a nonce at the router (router sends nonce, client signs or
> encrypts it and sends it back). Thats basically doing a whole handshake on
> top of the ZMQ_CURVE protocol, which seems rather overkill.
>
> Does anyone know of a better approach?
>
> Thanks,
> Charlie West
>
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev at lists.zeromq.org
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
>
More information about the zeromq-dev
mailing list