[zeromq-dev] Any way to get key used for router connection

Charles West crwest at ncsu.edu
Mon Aug 17 16:03:10 CEST 2015


Hey Pieter,

Thank you for taking the time to respond.

I have read both of the blog entries, the source for zauth and based my
code off of the specification for the ZAP protocol.  The closest/most
relevant documentation I saw was your discussion with Stephen Eley in the
"Confirm authentication and retrieve metadata?" thread.

If I may ask, is there some obvious way that I am missing to get the key
associated with a connection with a Router in ZMQ 4.0.4 (the zmq available
in the Ubuntu repositories)?  Alternatively, is there any good way to
figure out which router connection a ZAP request refers to?

I apologize if I have missed something obvious, but the examples I have
seen seem focused on go/no go authentication rather than keys with
different levels of permissions.

Thanks,
Charlie West


On Mon, Aug 17, 2015 at 6:35 AM, Pieter Hintjens <ph at imatix.com> wrote:

> Have you studied the security examples I wrote?
>
> - read http://hintjens.com/blog:48 and http://hintjens.com/blog:49
> - don't use ROUTER identity, the field is really a routing key and has
> nothing to do with peer identity
> - look at how CZMQ's zauth works, and look at the RFC for the ZAP
> protocol (http://rfc.zeromq.org/spec:27)
>
> On Mon, Aug 17, 2015 at 5:43 AM, Charles West <crwest at ncsu.edu> wrote:
> > Hello!
> >
> > I'm building the second version of an open source differential GPS sharing
> > software (pylongps.com).  I've run into a bit of a snag though.
> >
> > Does anyone know of a good way to get the key associated with a CURVE router
> > connection?  ZAP authentication can check if a key is on the whitelist, but
> > it doesn't appear to provide more than a go/no go.  I need to be able to
> > check the key associated with a specific ROUTER connection so that I can
> > limit what the owner of a particular connection key can do (people with one
> > key can't pretend to be someone else).
> >
> > My original idea was to use the ZMQ_IDENTITY field to set the connection ID
> > to a superset of the connection key, then just have the ZAP handler verify
> > the connection ID contained the key at the beginning.  Further ID processing
> > would then be done via the connection ID at the router socket.  However, the
> > ZMQ_IDENTITY set does not show up in the ZAP messages, so this isn't
> > possible.  Further reading of the mailing list indicates that the
> > ZMQ_IDENTITY isn't supposed to propagate like that anyway.
> >
> > The brute force solution would be to force an authentication exchange using a
> > signing key and a nonce at the router (router sends nonce, client signs or
> > encrypts it and sends it back).  That's basically doing a whole handshake on
> > top of the ZMQ_CURVE protocol, which seems rather overkill.
> >
> > Does anyone know of a better approach?
> >
> > Thanks,
> > Charlie West
> >
> > _______________________________________________
> > zeromq-dev mailing list
> > zeromq-dev at lists.zeromq.org
> > http://lists.zeromq.org/mailman/listinfo/zeromq-dev
> >
>
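
Added example (not part of the original thread, and not code from CZMQ or pylongps): a minimal handler for one ZAP request, following the frame layout in the ZAP RFC linked above, that accepts only CURVE and returns a user id derived from the client's public key instead of a bare go/no go. The KEY_ROLES table, its key values and the role names are hypothetical; the socket plumbing on inproc://zeromq.zap.01 and how the application later reads the user id are left out.

```python
# Added example: ZAP (RFC 27) request handling that returns a per-key user id.
# KEY_ROLES, its key values and the role names are hypothetical (constructed).
ZAP_VERSION = b"1.0"

# Constructed sample: 32-byte CURVE public keys mapped to an application role.
KEY_ROLES = {
    bytes(range(32)): "basestation-writer",
    bytes(range(32, 64)): "readonly-client",
}


def handle_zap_request(frames, key_roles=KEY_ROLES):
    """Take the frames of one ZAP request (after any envelope delimiter) and
    return the reply frames: version, request id, status code, status text,
    user id, metadata."""

    def reply(request_id, code, text, user_id=""):
        # User id and metadata stay empty unless the status code is 200.
        return [ZAP_VERSION, request_id, code, text.encode(),
                user_id.encode(), b""]

    # Request: version, request id, domain, address, identity, mechanism,
    # followed by zero or more credential frames.
    if len(frames) < 6:
        return reply(b"", b"500", "Malformed request")
    version, request_id, _domain, _address, _identity, mechanism = frames[:6]
    credentials = frames[6:]

    if version != ZAP_VERSION:
        return reply(request_id, b"500", "Unsupported ZAP version")
    if mechanism != b"CURVE":
        # Refuse NULL and PLAIN so every accepted peer has a key to bind to.
        return reply(request_id, b"400", "Only CURVE is accepted")
    # For CURVE the single credential frame is the client's 32-byte public key.
    if len(credentials) != 1 or len(credentials[0]) != 32:
        return reply(request_id, b"500", "Bad CURVE credentials")

    client_key = credentials[0]
    role = key_roles.get(client_key)
    if role is None:
        return reply(request_id, b"400", "Unknown key")
    # The user id carries both the role and the key that earned it.
    return reply(request_id, b"200", "OK", f"{role}:{client_key.hex()}")
```
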