SlideShare a Scribd company logo

CurveZMQ, ZMTP and other Dubious Characters

P
pieterh

Secure Messaging for the Internet

Technology
1 of 24
CurveZMQ, ZMTP and other Dubious Characters Secure Messaging for the Internet by Pieter Hintjens, CEO, iMatix Berlin Buzzwords 2013, 4 June, 2013
What's the Problem? ● ZeroMQ (ØMQ) defined a new product category ● Message queuing & routing stacks ● JeroMQ, NullMQ, Nano, netty-zmtp, ezmtp ● All have the same problem: clear-text ● Not safe to use on public infrastructure
What do People Do? ● Many apps just use clear text ● Clearly not acceptable for sensitive data ● Salt Stack has its own security system ● Already cracked (chicken-salt) ● IPython uses SSH + HMAC digests ● Has several plausible vulnerabilities
Works in Progress ● TLS encryption above libzmq (Barber) ● TLS transports for libzmq (Young, Naudé) ● DTLS transport for libzmq (Cocagne) ● May deliver, but... ● What about interoperability?
The Right Solution ● Security at the protocol level (ZMTP) ● Extensible security (like SASL) ● Several example mechanisms ● Easy to plug new ones into libzmq ● Perhaps exposed as e.g. dtls://
What's SASL? ● IETF's solution for extensible security ● We used this when designing AMQP ● Client and server negotiate a "mechanism" ● Mechanism does the actual security ● IETF as usual makes it... complex ● We can do it somewhat simpler
The Security Handshake ● Client: HELLO ● Server: WELCOME (mechanism M) ● Client: INITIATE (mechanism M) ● Server: READY ● Client: MESSAGE | Server: MESSAGE
What is "Secure" in 2013? ● Data cannot be tapped (encrypted) ● or created fraudulently (authentic) ● or altered ● or replayed ● Keys cannot be stolen
Basic State of the Art ● Mechanisms must be open ended ● Allows evolution of security over time ● Processing HELLO command must be cheap ● Prevents denial-of-CPU attacks ● HELLO must be larger than WELCOME ● Prevents amplification attacks ● Send no metadata until INITIATE/READY ● Prevents leak of knowledge about peer
Advanced State of the Art ● Perfect forward security ● Data cannot be decrypted even with private keys ● Resists man-in-the-middle manipulation of keys ● Clients cannot be identified ● Client public keys are sent encrypted ● Resists traffic-analysis attacks ● Randomize message sizes & frequencies
Meet CurveCP (Bernstein) ● "Usable Security for the Internet" ● From author of NaCl (=> libsodium) ● Encryption and authentication over UDP ● Also does recovery from packet loss ● Also does a bunch of other stuff ● http://curvecp.org
Some CurveCP Internals ● Elliptic curve encryption, very fast ● Creates short-term keys for each connection ● Unique nonces for each command ● Achieves "advanced state of the art" ● Except defeating traffic analysis ● Which we can add ourselves
Why NaCl is Wonderful ● Perfectly simple API ● Fast and robust ● Preselected key sizes & algorithms ● Packaged as libsodium ● Easy to install, learn, and use
Why CurveCP won't happen ● Tries to do too much, too soon ● The software is complex to use ● Does not "play nice" with existing standards ● Utterly incompatible with SASL, TCP ● Remixed into more plausible MinimalT
Apart from that, Very Nice! ● I took CurveCP's security handshake ● Simplified it and cleaned it up ● Made it transport neutral ● Wrote down as a single protocol document ● http://rfc.zeromq.org/spec:26/CURVEZMQ
Meet CurveZMQ ● An Abstract Security Mechanism ● Specified as a client-server protocol ● Any transport (even avian carrier) ● TCP if we build this into ZMTP ● Or ZeroMQ tcp://, at application level ● http://curvezmq.org
Meet ZMTP ● The ZeroMQ Message Transport Protocol ● Wire protocol for ZeroMQ over TCP ● Fifth RFC now in drafting stage ● In ZeroMQ, JeroMQ, NetMQ, netty-zmtp, ... ● Version 3.0 is quite a big deal ● http://rfc.zeromq.org/spec:23/ZMTP
What's New in ZMTP 3.0? ● Extensible security mechanisms ● Extensible connection metadata ● Endpoint resources (for port sharing) ● Better backwards version detection ● Explicit socket type semantics
ZMTP's security mechanisms ● NULL is just that, empty ● PLAIN does clear-text authentication ● Test clients vs. production systems ● CURVE does CurveZMQ security ● Fully encrypted and authenticated ● <Insert your own here>
libzmq already runs ZMTP 3.0 ● Git master does NULL and PLAIN ● Full backwards compatibility ● Supports extensible mechanisms ● We're now working on CURVE ● Next: DTLS, ...?
Meet ZAP ● The ZeroMQ Authentication Protocol ● Extensible authentication services ● Using ZeroMQ request-reply protocol ● PAM, LDAP, Kerberos, passwd, etc. ● libzmq implements ZAP 1.0 ● http://rfc.zeromq.org/spec:27/ZAP
Get involved ● Read the RFCs on http://rfc.zeromq.org ● Come to Brussels on 21 & 22 June 2013 ● For ZeroMQ Developers' Meetup ● http://zero.mq/bxl ● Talk to us on the zeromq-dev list
Who are we? ● ZeroMQ community including iMatix ● iMatix makes messaging products ● Distributed systems since 1991 ● Original designers of AMQP (2004-07) ● Backers of ZeroMQ community (2007-) ● Authors of most ZeroMQ RFCs
Thanks! ● Buy the O'Reilly ZeroMQ book ● Email me: ph@imatix.com ● Twitter: @hintjens ● Blog: hintjens.com

Recommended

Switch or broker
Switch or brokerSwitch or broker
Switch or brokerpieterh
 
Fosdem 2009
Fosdem 2009Fosdem 2009
Fosdem 2009pieterh
 
RestMS Introduction
RestMS IntroductionRestMS Introduction
RestMS Introductionpieterh
 
NullMQ @ PDX
NullMQ @ PDXNullMQ @ PDX
NullMQ @ PDXJeff Lindsay
 
ZeroMQ
ZeroMQZeroMQ
ZeroMQStoyan Zhekov
 
ZeroMQ with NodeJS
ZeroMQ with NodeJSZeroMQ with NodeJS
ZeroMQ with NodeJSFernando Sanabria
 
zeromq
zeromqzeromq
zeromqRajan Bhatt
 
Think beyond http
Think beyond httpThink beyond http
Think beyond httpAnkit Rastogi
 

Recommended

Switch or broker
Switch or brokerSwitch or broker
Switch or brokerpieterh
 
Fosdem 2009
Fosdem 2009Fosdem 2009
Fosdem 2009pieterh
 
RestMS Introduction
RestMS IntroductionRestMS Introduction
RestMS Introductionpieterh
 
NullMQ @ PDX
NullMQ @ PDXNullMQ @ PDX
NullMQ @ PDXJeff Lindsay
 
ZeroMQ
ZeroMQZeroMQ
ZeroMQStoyan Zhekov
 
ZeroMQ with NodeJS
ZeroMQ with NodeJSZeroMQ with NodeJS
ZeroMQ with NodeJSFernando Sanabria
 
zeromq
zeromqzeromq
zeromqRajan Bhatt
 
Think beyond http
Think beyond httpThink beyond http
Think beyond httpAnkit Rastogi
 
Europycon2011: Implementing distributed application using ZeroMQ
Europycon2011: Implementing distributed application using ZeroMQEuropycon2011: Implementing distributed application using ZeroMQ
Europycon2011: Implementing distributed application using ZeroMQfcrippa
 
Scala.io 2013 - Scala and ZeroMQ: Events beyond the JVM
Scala.io 2013 - Scala and ZeroMQ: Events beyond the JVMScala.io 2013 - Scala and ZeroMQ: Events beyond the JVM
Scala.io 2013 - Scala and ZeroMQ: Events beyond the JVMRUDDER
 
Zmq in context of openstack
Zmq in context of openstackZmq in context of openstack
Zmq in context of openstackYatin Kumbhare
 
Distributed app development with nodejs and zeromq
Distributed app development with nodejs and zeromqDistributed app development with nodejs and zeromq
Distributed app development with nodejs and zeromqRuben Tan
 
Scala and ZeroMQ: Events beyond the JVM
Scala and ZeroMQ: Events beyond the JVMScala and ZeroMQ: Events beyond the JVM
Scala and ZeroMQ: Events beyond the JVMRUDDER
 
Leveraging zeromq for node.js
Leveraging zeromq for node.jsLeveraging zeromq for node.js
Leveraging zeromq for node.jsRuben Tan
 
What we've learned from running thousands of production RabbitMQ clusters - L...
What we've learned from running thousands of production RabbitMQ clusters - L...What we've learned from running thousands of production RabbitMQ clusters - L...
What we've learned from running thousands of production RabbitMQ clusters - L...RabbitMQ Summit
 
What is RabbitMQ ?
What is RabbitMQ ?What is RabbitMQ ?
What is RabbitMQ ?AIMDek Technologies
 
The RabbitMQ Message Broker
The RabbitMQ Message BrokerThe RabbitMQ Message Broker
The RabbitMQ Message BrokerMartin Toshev
 
Messaging for the cloud
Messaging for the cloudMessaging for the cloud
Messaging for the clouddejanb
 
Rabbit mq, amqp and php
Rabbit mq, amqp and phpRabbit mq, amqp and php
Rabbit mq, amqp and phprodeob
 
Rust Primer
Rust PrimerRust Primer
Rust PrimerKnoldus Inc.
 
Amqp Basic
Amqp BasicAmqp Basic
Amqp BasicRahul Agrawal
 
Rabbit MQ
Rabbit MQRabbit MQ
Rabbit MQTran Thanh Thi
 
An update from the RabbitMQ team - Michael Klishin
An update from the RabbitMQ team - Michael KlishinAn update from the RabbitMQ team - Michael Klishin
An update from the RabbitMQ team - Michael KlishinRabbitMQ Summit
 
Messaging Standards and Systems - AMQP & RabbitMQ
Messaging Standards and Systems - AMQP & RabbitMQMessaging Standards and Systems - AMQP & RabbitMQ
Messaging Standards and Systems - AMQP & RabbitMQAll Things Open
 
Scaling out eclipse hono
Scaling out eclipse honoScaling out eclipse hono
Scaling out eclipse honodejanb
 
AMQP with RabbitMQ
AMQP with RabbitMQAMQP with RabbitMQ
AMQP with RabbitMQSpyros Papageorgiou
 
Message Broker System and RabbitMQ
Message Broker System and RabbitMQMessage Broker System and RabbitMQ
Message Broker System and RabbitMQUniversity of Alabama at Birmingham
 
Introduction To RabbitMQ
Introduction To RabbitMQIntroduction To RabbitMQ
Introduction To RabbitMQKnoldus Inc.
 
ZeroMQ Is The Answer
ZeroMQ Is The AnswerZeroMQ Is The Answer
ZeroMQ Is The AnswerIan Barber
 
ZeroMQ: Super Sockets - by J2 Labs
ZeroMQ: Super Sockets - by J2 LabsZeroMQ: Super Sockets - by J2 Labs
ZeroMQ: Super Sockets - by J2 LabsJames Dennis
 

More Related Content

What's hot

Europycon2011: Implementing distributed application using ZeroMQ
Europycon2011: Implementing distributed application using ZeroMQEuropycon2011: Implementing distributed application using ZeroMQ
Europycon2011: Implementing distributed application using ZeroMQfcrippa
 
Scala.io 2013 - Scala and ZeroMQ: Events beyond the JVM
Scala.io 2013 - Scala and ZeroMQ: Events beyond the JVMScala.io 2013 - Scala and ZeroMQ: Events beyond the JVM
Scala.io 2013 - Scala and ZeroMQ: Events beyond the JVMRUDDER
 
Zmq in context of openstack
Zmq in context of openstackZmq in context of openstack
Zmq in context of openstackYatin Kumbhare
 
Distributed app development with nodejs and zeromq
Distributed app development with nodejs and zeromqDistributed app development with nodejs and zeromq
Distributed app development with nodejs and zeromqRuben Tan
 
Scala and ZeroMQ: Events beyond the JVM
Scala and ZeroMQ: Events beyond the JVMScala and ZeroMQ: Events beyond the JVM
Scala and ZeroMQ: Events beyond the JVMRUDDER
 
Leveraging zeromq for node.js
Leveraging zeromq for node.jsLeveraging zeromq for node.js
Leveraging zeromq for node.jsRuben Tan
 
What we've learned from running thousands of production RabbitMQ clusters - L...
What we've learned from running thousands of production RabbitMQ clusters - L...What we've learned from running thousands of production RabbitMQ clusters - L...
What we've learned from running thousands of production RabbitMQ clusters - L...RabbitMQ Summit
 
The RabbitMQ Message Broker
The RabbitMQ Message BrokerThe RabbitMQ Message Broker
The RabbitMQ Message BrokerMartin Toshev
 
Messaging for the cloud
Messaging for the cloudMessaging for the cloud
Messaging for the clouddejanb
 
Rabbit mq, amqp and php
Rabbit mq, amqp and phpRabbit mq, amqp and php
Rabbit mq, amqp and phprodeob
 
An update from the RabbitMQ team - Michael Klishin
An update from the RabbitMQ team - Michael KlishinAn update from the RabbitMQ team - Michael Klishin
An update from the RabbitMQ team - Michael KlishinRabbitMQ Summit
 
Messaging Standards and Systems - AMQP & RabbitMQ
Messaging Standards and Systems - AMQP & RabbitMQMessaging Standards and Systems - AMQP & RabbitMQ
Messaging Standards and Systems - AMQP & RabbitMQAll Things Open
 
Scaling out eclipse hono
Scaling out eclipse honoScaling out eclipse hono
Scaling out eclipse honodejanb
 
Introduction To RabbitMQ
Introduction To RabbitMQIntroduction To RabbitMQ
Introduction To RabbitMQKnoldus Inc.
 

What's hot (20)

Europycon2011: Implementing distributed application using ZeroMQ
Europycon2011: Implementing distributed application using ZeroMQEuropycon2011: Implementing distributed application using ZeroMQ
Europycon2011: Implementing distributed application using ZeroMQ
 
Scala.io 2013 - Scala and ZeroMQ: Events beyond the JVM
Scala.io 2013 - Scala and ZeroMQ: Events beyond the JVMScala.io 2013 - Scala and ZeroMQ: Events beyond the JVM
Scala.io 2013 - Scala and ZeroMQ: Events beyond the JVM
 
Zmq in context of openstack
Zmq in context of openstackZmq in context of openstack
Zmq in context of openstack
 
Distributed app development with nodejs and zeromq
Distributed app development with nodejs and zeromqDistributed app development with nodejs and zeromq
Distributed app development with nodejs and zeromq
 
Scala and ZeroMQ: Events beyond the JVM
Scala and ZeroMQ: Events beyond the JVMScala and ZeroMQ: Events beyond the JVM
Scala and ZeroMQ: Events beyond the JVM
 
Leveraging zeromq for node.js
Leveraging zeromq for node.jsLeveraging zeromq for node.js
Leveraging zeromq for node.js
 
What we've learned from running thousands of production RabbitMQ clusters - L...
What we've learned from running thousands of production RabbitMQ clusters - L...What we've learned from running thousands of production RabbitMQ clusters - L...
What we've learned from running thousands of production RabbitMQ clusters - L...
 
What is RabbitMQ ?
What is RabbitMQ ?What is RabbitMQ ?
What is RabbitMQ ?
 
The RabbitMQ Message Broker
The RabbitMQ Message BrokerThe RabbitMQ Message Broker
The RabbitMQ Message Broker
 
Messaging for the cloud
Messaging for the cloudMessaging for the cloud
Messaging for the cloud
 
Rabbit mq, amqp and php
Rabbit mq, amqp and phpRabbit mq, amqp and php
Rabbit mq, amqp and php
 
Rust Primer
Rust PrimerRust Primer
Rust Primer
 
Amqp Basic
Amqp BasicAmqp Basic
Amqp Basic
 
Rabbit MQ
Rabbit MQRabbit MQ
Rabbit MQ
 
An update from the RabbitMQ team - Michael Klishin
An update from the RabbitMQ team - Michael KlishinAn update from the RabbitMQ team - Michael Klishin
An update from the RabbitMQ team - Michael Klishin
 
Messaging Standards and Systems - AMQP & RabbitMQ
Messaging Standards and Systems - AMQP & RabbitMQMessaging Standards and Systems - AMQP & RabbitMQ
Messaging Standards and Systems - AMQP & RabbitMQ
 
Scaling out eclipse hono
Scaling out eclipse honoScaling out eclipse hono
Scaling out eclipse hono
 
AMQP with RabbitMQ
AMQP with RabbitMQAMQP with RabbitMQ
AMQP with RabbitMQ
 
Message Broker System and RabbitMQ
Message Broker System and RabbitMQMessage Broker System and RabbitMQ
Message Broker System and RabbitMQ
 
Introduction To RabbitMQ
Introduction To RabbitMQIntroduction To RabbitMQ
Introduction To RabbitMQ
 

Viewers also liked

ZeroMQ Is The Answer
ZeroMQ Is The AnswerZeroMQ Is The Answer
ZeroMQ Is The AnswerIan Barber
 
ZeroMQ: Super Sockets - by J2 Labs
ZeroMQ: Super Sockets - by J2 LabsZeroMQ: Super Sockets - by J2 Labs
ZeroMQ: Super Sockets - by J2 LabsJames Dennis
 
Build reliable, traceable, distributed systems with ZeroMQ
Build reliable, traceable, distributed systems with ZeroMQBuild reliable, traceable, distributed systems with ZeroMQ
Build reliable, traceable, distributed systems with ZeroMQRobin Xiao
 
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...LDAPCon
 
Saltconf 2016: Salt stack transport and concurrency
Saltconf 2016: Salt stack transport and concurrencySaltconf 2016: Salt stack transport and concurrency
Saltconf 2016: Salt stack transport and concurrencyThomas Jackson
 
Software Architecture using ZeroMQ - techmesh 2012
Software Architecture using ZeroMQ - techmesh 2012Software Architecture using ZeroMQ - techmesh 2012
Software Architecture using ZeroMQ - techmesh 2012pieterh
 
Git Without Branches - Simple, Smooth, Scalable
Git Without Branches - Simple, Smooth, ScalableGit Without Branches - Simple, Smooth, Scalable
Git Without Branches - Simple, Smooth, Scalablepieterh
 
Revolutionary Open Source
Revolutionary Open SourceRevolutionary Open Source
Revolutionary Open Sourcepieterh
 
Social architecture-101
Social architecture-101Social architecture-101
Social architecture-101pieterh
 
Software Architecture over ZeroMQ
Software Architecture over ZeroMQSoftware Architecture over ZeroMQ
Software Architecture over ZeroMQpieterh
 
FOSDEM 2011 - 0MQ
FOSDEM 2011 - 0MQFOSDEM 2011 - 0MQ
FOSDEM 2011 - 0MQpieterh
 
Solar Charge Controller
Solar Charge ControllerSolar Charge Controller
Solar Charge ControllerBharat Biyani
 
Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka confluent
 
Overview of ZeroMQ
Overview of ZeroMQOverview of ZeroMQ
Overview of ZeroMQpieterh
 

Viewers also liked (16)

ZeroMQ Is The Answer
ZeroMQ Is The AnswerZeroMQ Is The Answer
ZeroMQ Is The Answer
 
ZeroMQ: Super Sockets - by J2 Labs
ZeroMQ: Super Sockets - by J2 LabsZeroMQ: Super Sockets - by J2 Labs
ZeroMQ: Super Sockets - by J2 Labs
 
Build reliable, traceable, distributed systems with ZeroMQ
Build reliable, traceable, distributed systems with ZeroMQBuild reliable, traceable, distributed systems with ZeroMQ
Build reliable, traceable, distributed systems with ZeroMQ
 
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
 
Saltconf 2016: Salt stack transport and concurrency
Saltconf 2016: Salt stack transport and concurrencySaltconf 2016: Salt stack transport and concurrency
Saltconf 2016: Salt stack transport and concurrency
 
Software Architecture using ZeroMQ - techmesh 2012
Software Architecture using ZeroMQ - techmesh 2012Software Architecture using ZeroMQ - techmesh 2012
Software Architecture using ZeroMQ - techmesh 2012
 
Git Without Branches - Simple, Smooth, Scalable
Git Without Branches - Simple, Smooth, ScalableGit Without Branches - Simple, Smooth, Scalable
Git Without Branches - Simple, Smooth, Scalable
 
Revolutionary Open Source
Revolutionary Open SourceRevolutionary Open Source
Revolutionary Open Source
 
Social architecture-101
Social architecture-101Social architecture-101
Social architecture-101
 
LDAP
LDAPLDAP
LDAP
 
Software Architecture over ZeroMQ
Software Architecture over ZeroMQSoftware Architecture over ZeroMQ
Software Architecture over ZeroMQ
 
FOSDEM 2011 - 0MQ
FOSDEM 2011 - 0MQFOSDEM 2011 - 0MQ
FOSDEM 2011 - 0MQ
 
Solar Charge Controller
Solar Charge ControllerSolar Charge Controller
Solar Charge Controller
 
Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka
 
3 apache-avro
3 apache-avro3 apache-avro
3 apache-avro
 
Overview of ZeroMQ
Overview of ZeroMQOverview of ZeroMQ
Overview of ZeroMQ
 

Similar to CurveZMQ, ZMTP and other Dubious Characters

Network-Connected Development with ZeroMQ
Network-Connected Development with ZeroMQNetwork-Connected Development with ZeroMQ
Network-Connected Development with ZeroMQICS
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanOWASP Delhi
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?Maciej Lasyk
 
OpeVPN on Mikrotik
OpeVPN on MikrotikOpeVPN on Mikrotik
OpeVPN on MikrotikGLC Networks
 
Shall we play a game
Shall we play a gameShall we play a game
Shall we play a gamejackpot201
 
Securing Millions of Devices
Securing Millions of DevicesSecuring Millions of Devices
Securing Millions of DevicesKai Hudalla
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFA Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFoholiab
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon
 
SPDY and What to Consider for HTTP/2.0
SPDY and What to Consider for HTTP/2.0SPDY and What to Consider for HTTP/2.0
SPDY and What to Consider for HTTP/2.0Mike Belshe
 
Building the Internet of Things with Eclipse IoT - IoTBE meetup
Building the Internet of Things with Eclipse IoT - IoTBE meetupBuilding the Internet of Things with Eclipse IoT - IoTBE meetup
Building the Internet of Things with Eclipse IoT - IoTBE meetupBenjamin Cabé
 
Proactive monitoring tools or services - Open Source
Proactive monitoring tools or services - Open Source Proactive monitoring tools or services - Open Source
Proactive monitoring tools or services - Open Source B.A.
 
We shall play a game....
We shall play a game....We shall play a game....
We shall play a game....Sadia Textile
 
VSCP & Friends Presentation Eindhoven
VSCP & Friends Presentation EindhovenVSCP & Friends Presentation Eindhoven
VSCP & Friends Presentation EindhovenAke Hedman
 
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Julien Vermillard
 
Introduction to ZeroMQ - eSpace TechTalk
Introduction to ZeroMQ - eSpace TechTalkIntroduction to ZeroMQ - eSpace TechTalk
Introduction to ZeroMQ - eSpace TechTalkMahmoud Said
 
Building a Small Datacenter
Building a Small DatacenterBuilding a Small Datacenter
Building a Small Datacenterssuser4b98f0
 
Securing IoT Applications
Securing IoT Applications Securing IoT Applications
Securing IoT Applications WSO2
 

Similar to CurveZMQ, ZMTP and other Dubious Characters (20)

Network-Connected Development with ZeroMQ
Network-Connected Development with ZeroMQNetwork-Connected Development with ZeroMQ
Network-Connected Development with ZeroMQ
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit Ranjan
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?
 
OpeVPN on Mikrotik
OpeVPN on MikrotikOpeVPN on Mikrotik
OpeVPN on Mikrotik
 
0507 057 01 98 * Adana Klima Servisleri
0507 057 01 98 * Adana Klima Servisleri0507 057 01 98 * Adana Klima Servisleri
0507 057 01 98 * Adana Klima Servisleri
 
Shall we play a game
Shall we play a gameShall we play a game
Shall we play a game
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?
 
Securing Millions of Devices
Securing Millions of DevicesSecuring Millions of Devices
Securing Millions of Devices
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFA Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
 
SPDY and What to Consider for HTTP/2.0
SPDY and What to Consider for HTTP/2.0SPDY and What to Consider for HTTP/2.0
SPDY and What to Consider for HTTP/2.0
 
Building the Internet of Things with Eclipse IoT - IoTBE meetup
Building the Internet of Things with Eclipse IoT - IoTBE meetupBuilding the Internet of Things with Eclipse IoT - IoTBE meetup
Building the Internet of Things with Eclipse IoT - IoTBE meetup
 
Proactive monitoring tools or services - Open Source
Proactive monitoring tools or services - Open Source Proactive monitoring tools or services - Open Source
Proactive monitoring tools or services - Open Source
 
We shall play a game....
We shall play a game....We shall play a game....
We shall play a game....
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
VSCP & Friends Presentation Eindhoven
VSCP & Friends Presentation EindhovenVSCP & Friends Presentation Eindhoven
VSCP & Friends Presentation Eindhoven
 
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
 
Introduction to ZeroMQ - eSpace TechTalk
Introduction to ZeroMQ - eSpace TechTalkIntroduction to ZeroMQ - eSpace TechTalk
Introduction to ZeroMQ - eSpace TechTalk
 
Building a Small Datacenter
Building a Small DatacenterBuilding a Small Datacenter
Building a Small Datacenter
 
Securing IoT Applications
Securing IoT Applications Securing IoT Applications
Securing IoT Applications
 

Recently uploaded

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 

Recently uploaded (20)

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 

CurveZMQ, ZMTP and other Dubious Characters

  • 1. CurveZMQ, ZMTP and other Dubious Characters Secure Messaging for the Internet by Pieter Hintjens, CEO, iMatix Berlin Buzzwords 2013, 4 June, 2013
  • 2. What's the Problem? ● ZeroMQ (ØMQ) defined a new product category ● Message queuing & routing stacks ● JeroMQ, NullMQ, Nano, netty-zmtp, ezmtp ● All have the same problem: clear-text ● Not safe to use on public infrastructure
  • 3. What do People Do? ● Many apps just use clear text ● Clearly not acceptable for sensitive data ● Salt Stack has its own security system ● Already cracked (chicken-salt) ● IPython uses SSH + HMAC digests ● Has several plausible vulnerabilities
  • 4. Works in Progress ● TLS encryption above libzmq (Barber) ● TLS transports for libzmq (Young, Naudé) ● DTLS transport for libzmq (Cocagne) ● May deliver, but... ● What about interoperability?
  • 5. The Right Solution ● Security at the protocol level (ZMTP) ● Extensible security (like SASL) ● Several example mechanisms ● Easy to plug new ones into libzmq ● Perhaps exposed as e.g. dtls://
  • 6. What's SASL? ● IETF's solution for extensible security ● We used this when designing AMQP ● Client and server negotiate a "mechanism" ● Mechanism does the actual security ● IETF as usual makes it... complex ● We can do it somewhat simpler
  • 7. The Security Handshake ● Client: HELLO ● Server: WELCOME (mechanism M) ● Client: INITIATE (mechanism M) ● Server: READY ● Client: MESSAGE | Server: MESSAGE
  • 8. What is "Secure" in 2013? ● Data cannot be tapped (encrypted) ● or created fraudulently (authentic) ● or altered ● or replayed ● Keys cannot be stolen
  • 9. Basic State of the Art ● Mechanisms must be open ended ● Allows evolution of security over time ● Processing HELLO command must be cheap ● Prevents denial-of-CPU attacks ● HELLO must be larger than WELCOME ● Prevents amplification attacks ● Send no metadata until INITIATE/READY ● Prevents leak of knowledge about peer
  • 10. Advanced State of the Art ● Perfect forward security ● Data cannot be decrypted even with private keys ● Resists man-in-the-middle manipulation of keys ● Clients cannot be identified ● Client public keys are sent encrypted ● Resists traffic-analysis attacks ● Randomize message sizes & frequencies
  • 11. Meet CurveCP (Bernstein) ● "Usable Security for the Internet" ● From author of NaCl (=> libsodium) ● Encryption and authentication over UDP ● Also does recovery from packet loss ● Also does a bunch of other stuff ● http://curvecp.org
  • 12. Some CurveCP Internals ● Elliptic curve encryption, very fast ● Creates short-term keys for each connection ● Unique nonces for each command ● Achieves "advanced state of the art" ● Except defeating traffic analysis ● Which we can add ourselves
  • 13. Why NaCl is Wonderful ● Perfectly simple API ● Fast and robust ● Preselected key sizes & algorithms ● Packaged as libsodium ● Easy to install, learn, and use
  • 14. Why CurveCP won't happen ● Tries to do too much, too soon ● The software is complex to use ● Does not "play nice" with existing standards ● Utterly incompatible with SASL, TCP ● Remixed into more plausible MinimalT
  • 15. Apart from that, Very Nice! ● I took CurveCP's security handshake ● Simplified it and cleaned it up ● Made it transport neutral ● Wrote down as a single protocol document ● http://rfc.zeromq.org/spec:26/CURVEZMQ
  • 16. Meet CurveZMQ ● An Abstract Security Mechanism ● Specified as a client-server protocol ● Any transport (even avian carrier) ● TCP if we build this into ZMTP ● Or ZeroMQ tcp://, at application level ● http://curvezmq.org
  • 17. Meet ZMTP ● The ZeroMQ Message Transport Protocol ● Wire protocol for ZeroMQ over TCP ● Fifth RFC now in drafting stage ● In ZeroMQ, JeroMQ, NetMQ, netty-zmtp, ... ● Version 3.0 is quite a big deal ● http://rfc.zeromq.org/spec:23/ZMTP
  • 18. What's New in ZMTP 3.0? ● Extensible security mechanisms ● Extensible connection metadata ● Endpoint resources (for port sharing) ● Better backwards version detection ● Explicit socket type semantics
  • 19. ZMTP's security mechanisms ● NULL is just that, empty ● PLAIN does clear-text authentication ● Test clients vs. production systems ● CURVE does CurveZMQ security ● Fully encrypted and authenticated ● <Insert your own here>
  • 20. libzmq already runs ZMTP 3.0 ● Git master does NULL and PLAIN ● Full backwards compatibility ● Supports extensible mechanisms ● We're now working on CURVE ● Next: DTLS, ...?
  • 21. Meet ZAP ● The ZeroMQ Authentication Protocol ● Extensible authentication services ● Using ZeroMQ request-reply protocol ● PAM, LDAP, Kerberos, passwd, etc. ● libzmq implements ZAP 1.0 ● http://rfc.zeromq.org/spec:27/ZAP
  • 22. Get involved ● Read the RFCs on http://rfc.zeromq.org ● Come to Brussels on 21 & 22 June 2013 ● For ZeroMQ Developers' Meetup ● http://zero.mq/bxl ● Talk to us on the zeromq-dev list
  • 23. Who are we? ● ZeroMQ community including iMatix ● iMatix makes messaging products ● Distributed systems since 1991 ● Original designers of AMQP (2004-07) ● Backers of ZeroMQ community (2007-) ● Authors of most ZeroMQ RFCs
  • 24. Thanks! ● Buy the O'Reilly ZeroMQ book ● Email me: ph@imatix.com ● Twitter: @hintjens ● Blog: hintjens.com