ZeroMQ API (vii) security

Source: Internet
Author: User
Tags: rfc

1. No security: zmq_null(7)

1.1 Name

zmq_null - no security or confidentiality

1.2 Overview

The NULL mechanism is defined by the ZMTP 3.0 specification: http://rfc.zeromq.org/spec:23. It is the default security mechanism for ZeroMQ sockets: peers exchange no credentials and all traffic travels in the clear, so it provides neither authentication nor confidentiality.

2. Clear-text username/password authentication: zmq_plain(7)

2.1 Name

zmq_plain - clear-text authentication

2.2 Overview

The PLAIN mechanism defines a simple username/password scheme that lets a server authenticate a client. PLAIN makes no attempt at security or confidentiality: the credentials, and every message that follows them, cross the wire in clear text, so anyone on the path can read and replay them. It is intended for use on internal networks where security requirements are low. The PLAIN mechanism is defined by http://rfc.zeromq.org/spec:24.

2.3 Usage

To use PLAIN, the server sets the ZMQ_PLAIN_SERVER socket option, and the client sets the ZMQ_PLAIN_USERNAME and ZMQ_PLAIN_PASSWORD socket options. Which peer binds and which connects is irrelevant. The socket options only carry the credentials; comparing them against anything is the job of a ZAP handler (http://rfc.zeromq.org/spec:27) that the application provides.

3. Elliptic-curve authentication and encryption: zmq_curve(7)

3.1 Name

zmq_curve - secure authentication and confidentiality

3.2 Overview

The CURVE mechanism provides secure authentication and confidentiality for communication between a client and a server, using the NaCl/libsodium crypto_box construction over Curve25519 (CurveZMQ). CURVE is intended for use on public networks. The CURVE mechanism is defined by http://rfc.zeromq.org/spec:25.

3.3 Client and server roles

A socket using CURVE can be either a client or a server, at any moment, but not both at once. The role is independent of the bind/connect direction.

A socket can change its role at any time by setting a new option. The role affects all subsequent zmq_connect() and zmq_bind() calls.

To become a CURVE server, the application sets the ZMQ_CURVE_SERVER option on the socket, and then sets the ZMQ_CURVE_SECRETKEY option to provide the socket with its long-term secret key. The application does not provide the socket with its long-term public key, which is used only by clients.

To become a CURVE client, the application sets the ZMQ_CURVE_SERVERKEY option with the long-term public key of the server it intends to connect to, or accept connections from, next. It then sets the ZMQ_CURVE_PUBLICKEY and ZMQ_CURVE_SECRETKEY options with its own client long-term key pair.

If the server does authentication, it is based on the client's long-term public key. In libzmq that check is delegated to a ZAP handler (http://rfc.zeromq.org/spec:27); when none is running, every client that knows the server's public key is accepted, so CURVE on its own authenticates the server to the client but not the client to the server.
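The PLAIN usage from 2.3 and the CURVE client and server roles from 3.3, exercised together in one runnable exchange. This is an added example written for this page, not code from the man pages or from libzmq. It assumes pyzmq (whose lowercase socket attributes map one-to-one onto the ZMQ_* options above, and whose zmq.curve_keypair() wraps zmq_curve_keypair(3)), a libzmq built with CURVE support, a free loopback TCP port, and pyzmq's ThreadAuthenticator as the ZAP handler that checks PLAIN passwords and, via CURVE_ALLOW_ANY, accepts any CURVE client key. The username, password and key pairs are constructed or generated for the demonstration.

```python
"""PLAIN and CURVE roles with pyzmq: four REQ/REP exchanges, two of which must fail.

Added example for this page, not code from the zmq man pages or libzmq. Assumes pyzmq
(socket attributes map onto the ZMQ_* options), a loopback TCP port, and pyzmq's
ThreadAuthenticator as the ZAP handler (RFC 27) that checks PLAIN passwords.
"""
import threading

import zmq
from zmq.auth import CURVE_ALLOW_ANY
from zmq.auth.thread import ThreadAuthenticator

_CTX = zmq.Context.instance()


def _serve(server, stop):
    """REP echo loop; the mechanism options were already set by the caller."""
    while not stop.is_set():
        try:
            msg = server.recv()
        except zmq.Again:          # ZMQ_RCVTIMEO expired: re-check the stop flag
            continue
        server.send(b"echo:" + msg)
    server.close()


def roundtrip(configure_server, configure_client, payload=b"hello"):
    """Bind a REP server, send one REQ; return the reply, or None if no handshake ever completed."""
    server = _CTX.socket(zmq.REP)
    configure_server(server)       # ZMQ_PLAIN_SERVER, or ZMQ_CURVE_SERVER + ZMQ_CURVE_SECRETKEY
    server.rcvtimeo = 100
    server.linger = 0
    server.bind("tcp://127.0.0.1:*")
    endpoint = server.last_endpoint
    endpoint = endpoint.decode() if isinstance(endpoint, bytes) else endpoint
    stop = threading.Event()
    worker = threading.Thread(target=_serve, args=(server, stop), daemon=True)
    worker.start()

    client = _CTX.socket(zmq.REQ)
    configure_client(client)       # credentials or keys; which side binds is irrelevant
    client.rcvtimeo = 1000
    client.linger = 0
    client.connect(endpoint)
    client.send(payload)           # queued locally; only delivered once the handshake succeeds
    try:
        return client.recv()
    except zmq.Again:
        return None                # rejected password / wrong server key: the client just times out
    finally:
        client.close()
        stop.set()
        worker.join()


def demo():
    """Returns {'plain_ok': b'echo:hello', 'plain_bad': None, 'curve_ok': b'echo:hello', 'curve_bad': None}."""
    auth = ThreadAuthenticator(_CTX)
    auth.start()
    # Constructed test credentials. The ZAP handler is what compares passwords; the
    # ZMQ_PLAIN_* options only carry them. CURVE_ALLOW_ANY skips client-key whitelisting.
    auth.configure_plain(domain="*", passwords={"alice": "correct horse"})
    auth.configure_curve(domain="*", location=CURVE_ALLOW_ANY)

    server_pub, server_sec = zmq.curve_keypair()   # zmq_curve_keypair(3): Z85 text, 40 chars each
    client_pub, client_sec = zmq.curve_keypair()
    wrong_pub, _ = zmq.curve_keypair()             # a public key the server does not hold

    def plain_server(s):
        s.plain_server = True                      # ZMQ_PLAIN_SERVER

    def plain_client(password):
        def configure(s):
            s.plain_username = b"alice"            # ZMQ_PLAIN_USERNAME
            s.plain_password = password            # ZMQ_PLAIN_PASSWORD
        return configure

    def curve_server(s):
        s.curve_server = True                      # ZMQ_CURVE_SERVER
        s.curve_secretkey = server_sec             # ZMQ_CURVE_SECRETKEY; the server sets no public key

    def curve_client(server_key):
        def configure(s):
            s.curve_serverkey = server_key         # ZMQ_CURVE_SERVERKEY: the peer we expect
            s.curve_publickey = client_pub         # ZMQ_CURVE_PUBLICKEY
            s.curve_secretkey = client_sec         # ZMQ_CURVE_SECRETKEY
        return configure

    try:
        return {
            "plain_ok": roundtrip(plain_server, plain_client(b"correct horse")),
            "plain_bad": roundtrip(plain_server, plain_client(b"wrong")),
            "curve_ok": roundtrip(curve_server, curve_client(server_pub)),
            "curve_bad": roundtrip(curve_server, curve_client(wrong_pub)),
        }
    finally:
        auth.stop()


if __name__ == "__main__":
    for name, reply in demo().items():
        print(name, reply)
```

Both failure cases look identical from the REQ client: the send is accepted into the local queue and the recv times out, because libzmq never delivers messages from a peer whose handshake did not complete. The curve_bad case shows the part of CURVE that needs no ZAP handler at all: a client holding the wrong server public key cannot complete the handshake, whatever the server's policy on client keys.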

3.4 Key Encoding

The standard representation of a key in source code is either 32 bytes of base-256 (binary) data, or 40 characters of base-85 data encoded with the Z85 algorithm defined by http://rfc.zeromq.org/spec:32.

The Z85 algorithm is designed to produce printable key strings for use in configuration files, on the command line, and in code. There is a reference implementation in C at https://github.com/zeromq/rfc/tree/master/src.

3.5 Test key values

For test cases, the client shall use this long-term key pair (given as hexadecimal and in Z85):

    public:
        BB88471D65E2659B30C55A5321CEBB5AAB2B70A398645C26DCA2B2FCB43FC518
        Yne@$w-vo<fVvi]a<NY6T1ed:M$fCG*[IaLV{hID

    secret:
        7BB864B489AFA3671FBE69101F94B38972F24816DFB01B51656B3FEC8DFD0888
        D:)Q[IlAW!ahhC2ac:9*A}h:p?([4%wOTJ%JR%cs

And the server shall use this long-term key pair (given as hexadecimal and in Z85):

    public:
        54FCBA24E93249969316FB617C872BB0C1D1FF14800427C594CBFACF1BC2D652
        rq:rM>}U?@Lns47E1%kR.o@n%FcmmsL/@{H8]yf7

    secret:
        8E0BDD697628B91D8F245587EE95C5B04D48963F79259877B49CD9063AEAD3B7
        JTKVSB%%)wK0E.X)V>+}o?pNmC{O&4W4b!Ni{Lh6

These pairs are published in the specification and so offer no secrecy; use them in test suites only, never on a real endpoint.

4. Generate a CURVE key pair in printable text form: zmq_curve_keypair(3)

4.1 Name

zmq_curve_keypair - generate a new CURVE key pair

4.2 Overview

int zmq_curve_keypair (char *z85_public_key, char *z85_secret_key);

4.3 description

The zmq_curve_keypair() function returns a newly generated random key pair consisting of a public key and a secret key. The caller provides two buffers of at least 41 octets each, in which the function stores the keys: 40 Z85 characters plus a terminating NUL. The keys are encoded with zmq_z85_encode(3).

4.4 Return value

If successful, the zmq_curve_keypair() function returns 0. Otherwise it returns -1 and sets errno to one of the values defined below.

4.5 Error

ENOTSUP: the libzmq library was not built with cryptographic support (libsodium).

5. Convert a Z85 text key to a 32-byte binary key: zmq_z85_decode(3)

5.1 Name

zmq_z85_decode - decode a binary key from Z85 printable text

5.2 Overview

uint8_t *zmq_z85_decode (uint8_t *dest, const char *string);

5.3 Description

The zmq_z85_decode() function shall decode string into dest. The length of string shall be divisible by 5. dest must be large enough for the decoded value, which is 0.8 x strlen(string) bytes. The encoding shall follow the ZMQ RFC 32 specification.

5.4 Return value

If successful, the zmq_z85_decode() function returns dest; otherwise it returns NULL.

6. Convert a 32-byte binary CURVE key to a Z85 text string: zmq_z85_encode(3)

6.1 Name

zmq_z85_encode - encode a binary key as Z85 printable text

6.2 Overview

char *zmq_z85_encode (char *dest, const uint8_t *data, size_t size);

6.3 Description

The zmq_z85_encode() function shall encode the binary block specified by data and size into a string in dest. The size of the binary block shall be divisible by 4. dest shall have room for size * 1.25 characters plus 1 for the NUL terminator. A 32-byte CURVE key is encoded as 40 ASCII characters plus a NUL terminator. The encoding shall follow the ZMQ RFC 32 specification.

6.4 Return value

If successful, the zmq_z85_encode() function returns dest; otherwise it returns NULL.
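A pure-Python Z85 codec that mirrors zmq_z85_encode(3) and zmq_z85_decode(3) from sections 5 and 6 and checks the test keys from 3.5 against their hexadecimal forms (3.4). This is an added example written for this page, not libzmq's implementation: the alphabet and the 4-byte/5-character grouping are those of RFC 32, the 8-byte HelloWorld sample is RFC 32's own worked example, and the hex/Z85 pairs are the ones published in zmq_curve(7). Where the C functions return NULL, this decoder raises ValueError, and it additionally rejects 5-character groups whose value does not fit in 32 bits.

```python
"""Z85 (ZeroMQ RFC 32) in pure Python, mirroring zmq_z85_encode(3) and zmq_z85_decode(3).

Added example for this page, not libzmq's implementation. Alphabet and 4-byte/5-character
grouping are those of RFC 32; the test keys are the ones published in zmq_curve(7).
"""
import binascii

Z85_ALPHABET = (
    "0123456789abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#"
)
_Z85_INDEX = {ch: i for i, ch in enumerate(Z85_ALPHABET)}


def z85_encode(data: bytes) -> str:
    """Encode bytes (length a multiple of 4) as Z85 text, 5 characters per 4 bytes."""
    if len(data) % 4 != 0:
        raise ValueError("Z85 input length must be a multiple of 4, got %d" % len(data))
    out = []
    for i in range(0, len(data), 4):
        value = int.from_bytes(data[i:i + 4], "big")   # one 32-bit big-endian word
        digits = []
        for _ in range(5):
            value, rem = divmod(value, 85)
            digits.append(Z85_ALPHABET[rem])
        out.extend(reversed(digits))                   # most significant digit first
    return "".join(out)


def z85_decode(text: str) -> bytes:
    """Decode Z85 text (length a multiple of 5); raises ValueError where the C API returns NULL."""
    if len(text) % 5 != 0:
        raise ValueError("Z85 text length must be a multiple of 5, got %d" % len(text))
    out = bytearray()
    for i in range(0, len(text), 5):
        group = text[i:i + 5]
        value = 0
        for ch in group:
            if ch not in _Z85_INDEX:
                raise ValueError("character %r is not in the Z85 alphabet" % ch)
            value = value * 85 + _Z85_INDEX[ch]
        if value > 0xFFFFFFFF:           # 85**5 > 2**32, so a group such as "#####" is not decodable
            raise ValueError("group %r overflows 32 bits" % group)
        out += value.to_bytes(4, "big")
    return bytes(out)


def curve_key_from_hex(hex_key: str) -> str:
    """Convert a 64-hex-digit CURVE key to the 40-character Z85 form the ZMQ_CURVE_* options accept."""
    raw = binascii.unhexlify(hex_key)
    if len(raw) != 32:
        raise ValueError("a CURVE key is 32 bytes, got %d" % len(raw))
    return z85_encode(raw)


# RFC 32's own worked example: these eight bytes encode as "HelloWorld".
RFC32_SAMPLE = bytes([0x86, 0x4F, 0xD2, 0x6F, 0xB5, 0x59, 0xF7, 0x5B])

# Published test vectors from zmq_curve(7): (hex, Z85) for the client and server key pairs.
TEST_KEYS = {
    "client_public": ("BB88471D65E2659B30C55A5321CEBB5AAB2B70A398645C26DCA2B2FCB43FC518",
                      "Yne@$w-vo<fVvi]a<NY6T1ed:M$fCG*[IaLV{hID"),
    "client_secret": ("7BB864B489AFA3671FBE69101F94B38972F24816DFB01B51656B3FEC8DFD0888",
                      "D:)Q[IlAW!ahhC2ac:9*A}h:p?([4%wOTJ%JR%cs"),
    "server_public": ("54FCBA24E93249969316FB617C872BB0C1D1FF14800427C594CBFACF1BC2D652",
                      "rq:rM>}U?@Lns47E1%kR.o@n%FcmmsL/@{H8]yf7"),
    "server_secret": ("8E0BDD697628B91D8F245587EE95C5B04D48963F79259877B49CD9063AEAD3B7",
                      "JTKVSB%%)wK0E.X)V>+}o?pNmC{O&4W4b!Ni{Lh6"),
}


def check_test_keys() -> bool:
    """True if every published hex key encodes to its published Z85 form and decodes back."""
    for hex_key, z85_key in TEST_KEYS.values():
        if curve_key_from_hex(hex_key) != z85_key:
            return False
        if z85_decode(z85_key) != binascii.unhexlify(hex_key):
            return False
    return True


if __name__ == "__main__":
    print(z85_encode(RFC32_SAMPLE), check_test_keys())
```

The overflow check matters for anything that reads keys from configuration: 85^5 is larger than 2^32, so a corrupted or hostile 40-character string can be syntactically valid Z85 yet not correspond to any 32-byte key, and a decoder that silently truncates would hand the socket a key nobody holds.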

7. Secure authentication and confidentiality: zmq_gssapi(7)

7.1 Name

zmq_gssapi - secure authentication and confidentiality

7.2 Overview

The GSSAPI mechanism provides secure authentication and confidentiality for communication between a client and a server using the Generic Security Service Application Program Interface (GSSAPI). It can be used on both public and private networks. GSSAPI itself is defined in IETF RFC 2743: http://tools.ietf.org/html/rfc2743. The ZeroMQ GSSAPI mechanism is defined by http://rfc.zeromq.org/spec:38.

7.3 Client and server roles

A socket using GSSAPI can be either a client or a server, but not both.

To become either a GSSAPI client or a GSSAPI server, the application sets the ZMQ_GSSAPI_PRINCIPAL option to provide the socket with the name of the principal for whom GSSAPI credentials should be acquired.

To become a GSSAPI server, the application additionally sets the ZMQ_GSSAPI_SERVER option on the socket.

To become a GSSAPI client, the application additionally sets the ZMQ_GSSAPI_SERVICE_PRINCIPAL option to the name of the principal of the server it intends to connect to.

7.4 Optional encryption

By default, the GSSAPI mechanism encrypts all communication between client and server. If encryption is not required (for example, on a private network), client and server applications can disable it by setting the ZMQ_GSSAPI_PLAINTEXT option. Both the client and the server must set this option to the same value, otherwise the handshake fails.

