[zeromq-dev] Any way to get key used for router connection

Pieter Hintjens ph at imatix.com
Mon Aug 17 12:35:30 CEST 2015


Have you studied the security examples I wrote?

- read http://hintjens.com/blog:48 and http://hintjens.com/blog:49
- don't use ROUTER identity, the field is really a routing key and has
nothing to do with peer identity
- look at how CZMQ's zauth works, and look at the RFC for the ZAP
protocol (http://rfc.zeromq.org/spec:27)

On Mon, Aug 17, 2015 at 5:43 AM, Charles West <crwest at ncsu.edu> wrote:
> Hello!
>
> I'm building the second version of an open source differential GPS sharing
> software (pylongps.com).  I've run into a bit of a snag though.
>
> Does anyone know of a good way to get the key associated with a CURVE router
> connection?  ZAP authentication can check if a key is on the whitelist, but
> it doesn't appear to provide more than a go/no go.  I need to be able to
> check the key associated with a specific ROUTER connection so that I can
> limit what the owner of a particular connection key can do (people with one
> key can't pretend to be someone else).
>
> My original idea was to use the ZMQ_IDENTITY field to set the connection ID
> to a superset of the connection key, then just have the ZAP handler verify
> the connection ID contained the key at the beginning.  Further ID processing
> would then be done via the connection ID at the router socket.  However, the
> ZMQ_IDENTITY set does not show up in the ZAP messages, so this isn't
> possible.  Further reading of the mailing list indicates that the
> ZMQ_IDENTITY isn't supposed to propagate like that anyway.
>
> The brute force solution would be to force an authentication exchange using a
> signing key and a nonce at the router (router sends nonce, client signs or
> encrypts it and sends it back).  That's basically doing a whole handshake on
> top of the ZMQ_CURVE protocol, which seems rather overkill.
>
> Does anyone know of a better approach?
>
> Thanks,
> Charlie West

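Added example (not part of the original thread, and not code from CZMQ or pylongps): a ZAP handler that uses the user id field of the ZAP reply defined in the RFC cited above to hand the authenticated CURVE key to the application. libzmq attaches that user id to messages from the connection as the "User-Id" metadata property (zmq_msg_gets), so the ROUTER side can authorize per key without touching the routing identity. The names handle_zap_request and is_allowed, the role tables and the sample keys are assumptions constructed for illustration; the socket plumbing is left out so the block runs offline.

```python
ZAP_VERSION = b"1.0"

def handle_zap_request(frames, roles_by_key):
    """Answer one ZAP request (RFC 27), as received on inproc://zeromq.zap.01.

    Request: version, request id, domain, address, identity, mechanism,
             then credentials (for CURVE: one 32-byte client public key).
    Reply:   version, request id, status code, status text, user id, metadata.
    roles_by_key is a hypothetical whitelist: hex public key -> role name.
    """
    def reply(request_id, code, text, user_id=b""):
        return [ZAP_VERSION, request_id, code, text, user_id, b""]

    if len(frames) < 6:
        return reply(b"", b"500", b"Malformed request")
    version, request_id, _domain, _address, _identity, mechanism = frames[:6]
    credentials = frames[6:]
    if version != ZAP_VERSION:
        return reply(request_id, b"500", b"Version not supported")
    if mechanism != b"CURVE":
        return reply(request_id, b"400", b"Mechanism not allowed")
    if len(credentials) != 1 or len(credentials[0]) != 32:
        return reply(request_id, b"400", b"Invalid credentials")
    # The identity frame is a routing key and is deliberately ignored here.
    key_hex = credentials[0].hex()
    if key_hex not in roles_by_key:
        return reply(request_id, b"400", b"Unknown key")
    # The authenticated key becomes the user id for this connection.
    return reply(request_id, b"200", b"OK", user_id=key_hex.encode())

def is_allowed(user_id, action, roles_by_key, actions_by_role):
    """ROUTER-side check on the User-Id metadata of a received message."""
    role = roles_by_key.get(user_id.decode())
    return role is not None and action in actions_by_role.get(role, ())

# Constructed sample data: not real keys.
BASE_KEY = bytes(range(32))
ROLES = {BASE_KEY.hex(): "base_station"}
ACTIONS = {"base_station": {"publish_corrections"}}

if __name__ == "__main__":
    request = [b"1.0", b"req-1", b"global", b"127.0.0.1", b"", b"CURVE", BASE_KEY]
    rep = handle_zap_request(request, ROLES)
    print(rep[2], rep[4])
    print(is_allowed(rep[4], "publish_corrections", ROLES, ACTIONS))
    print(is_allowed(rep[4], "delete_station", ROLES, ACTIONS))
```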