Re: [zeromq-dev] Is there a reasonable way to use an existing PKI and D/TLS with 0MQ?

2018-02-14 Thread John Lane Schultz
That’s very cool that (almost) any random number can be used for the private 
key and the public key can be easily derived from the private one!

See?  I am quite clueless about the details of ECC. ;)

John

On Feb 14, 2018, at 4:05 AM, paddor  wrote:

Hi John,

One cool thing about Curve25519 is that, given the secret key, the public key 
can be derived from it. And it seems that you actually can use random bytes 
for the secret key (almost). Only a few bits in the first and last byte are 
fixed. Here is an excerpt from [1]:

> Computing secret keys. Inside your program, to generate a 32-byte Curve25519 
> secret key, start by generating 32 secret random bytes from a 
> cryptographically safe source: mysecret[0], mysecret[1], ..., mysecret[31]. 
> Then do
> 
> mysecret[0] &= 248;
> mysecret[31] &= 127;
> mysecret[31] |= 64;
> 
> to create a 32-byte Curve25519 secret key mysecret[0], mysecret[1], ..., 
> mysecret[31].

Of course the conversion tool would have to print the public key so you can 
collect those centrally.

Yes, it might be too much effort if you want to keep using the existing PKI 
as-is. Having used ZMQ for a while now, I'd say it's worth the effort! ;-)

Regards,
Patrik

[1] https://cr.yp.to/ecdh.html

___
zeromq-dev mailing list
zeromq-dev@lists.zeromq.org
https://lists.zeromq.org/mailman/listinfo/zeromq-dev


Re: [zeromq-dev] Is there a reasonable way to use an existing PKI and D/TLS with 0MQ?

2018-02-14 Thread Luca Boccassi
On Wed, 2018-02-14 at 00:17 -0500, John Lane Schultz wrote:
> Hi Luca,
> 
> Thanks for the update.  I was holding out hope that someone might
> have taken a crack at it already.
> 
> Yes, TLS is a pretty complicated protocol that supports tons of
> different cipher suites and options.  I certainly wouldn’t recommend
> reimplementing the protocol natively inside 0MQ.
> 
> I’m just curious about how hard it would be for 0MQ to use (and
> expose) a D/TLS implementation instead of TCP / UDP?
> 
> I’m guessing the primary obstacles would be dependence on an external
> D/TLS library (which maybe could be addressed with conditional
> compilation), how to have a simple 0MQ API that exposes the
> functionality / configurability of the D/TLS transport, and possibly
> objections to the security models (e.g. - X509 certs, CAs, HMAC then
> encrypt, etc.) of TLS itself.
> 
> Thanks,
> John

We already support a number of optional transports that require
external libraries, like PGM and NORM, so that would not be a problem.
If anyone wants to implement it, they would be most welcome.

In terms of difficulty, plugging in a new transport is not a simple
plug, but neither is it too hard - apart from the new mechanism
subclass, which should not be too difficult as the interface is fairly
small, it would need some changes in a few other places - with those we
can help eventually.

> On Feb 13, 2018, at 5:42 PM, Luca Boccassi 
> wrote:
> 
> Hi,
> 
> The situation is the same - security is only supported through Curve
> or
> Kerberos.
> 
> Not for any particular reason if not that nobody has contributed any
> other implementation. This is probably due to the fact that SSL is
> awfully, awfully complex (but I understand your requirements).
> 

-- 
Kind regards,
Luca Boccassi



Re: [zeromq-dev] Is there a reasonable way to use an existing PKI and D/TLS with 0MQ?

2018-02-14 Thread paddor
Hi John,

One cool thing about Curve25519 is that, given the secret key, the public key 
can be derived from it. And it seems that you actually can use random bytes 
for the secret key (almost). Only a few bits in the first and last byte are 
fixed. Here is an excerpt from [1]:

> Computing secret keys. Inside your program, to generate a 32-byte Curve25519 
> secret key, start by generating 32 secret random bytes from a 
> cryptographically safe source: mysecret[0], mysecret[1], ..., mysecret[31]. 
> Then do
> 
>  mysecret[0] &= 248;
>  mysecret[31] &= 127;
>  mysecret[31] |= 64;
> 
> to create a 32-byte Curve25519 secret key mysecret[0], mysecret[1], ..., 
> mysecret[31].

Of course the conversion tool would have to print the public key so you can 
collect those centrally.

Yes, it might be too much effort if you want to keep using the existing PKI 
as-is. Having used ZMQ for a while now, I'd say it's worth the effort! ;-)

Regards,
Patrik

[1] https://cr.yp.to/ecdh.html


> On 14 Feb 2018, at 08:32, John Lane Schultz  
> wrote:
> 
> Hi Patrik,
> 
> I’m not terribly familiar with the details of elliptic curve cryptography 
> myself.
> 
> Even so, there must be a strong EC relationship (inversion?) between the 
> public and private parts of each key pair, just like there is for RSA key 
> pairs.  I highly doubt that simply using a random-ish transform of RSA 
> parameters will yield proper ECC key pairs.
> 
> I probably could automate the creation of a parallel PKI system, but then it 
> would need to be mapped to, maintained, watered, and fed alongside our X509 / 
> CA PKI infrastructure.  I doubt I want to take on that burden simply to 
> reduce my socket programming pains.
> 
> Thanks,
> John
> 
> On Feb 13, 2018, at 8:06 PM, Patrik VV.  wrote:
> 
> Hi
> 
> WARNING: I’m no infosec expert.
> 
> I’m just thinking out loud, so please bear with me. To my understanding, the 
> keys used by the crypto primitives (NaCl/TweetNaCl) used in CurveZMQ are just 
> 32 secret bytes. You already have about 2000 secrets for those 2000 
> identities, their current format just isn’t usable. Can’t you just convert 
> those secrets to 32 secret bytes each using a cryptographically secure hash 
> function? Of course it should be a hash function that gives you a hash of 32 
> bytes or more to avoid losing entropy.
> 
> I’m sure you could automate this process and store the converted identities 
> as zcerts using CZMQ. See [1]
> 
> Regards,
> Patrik
> 
> [1] http://czmq.zeromq.org/czmq-master:zcert
> 
> On 13 Feb 2018, at 23:42, Luca Boccassi  wrote:
> 
>> On Tue, 2018-02-13 at 17:03 -0500, John Lane Schultz wrote:
>>> I’m new to 0MQ, so please excuse my ignorance about it.  I read the
>>> guide book, the blog entries on CurveZMQ, looked at the directory of
>>> 0MQ GitHub repositories, and googled around to see if anyone had
>>> added a D/TLS layer into 0MQ. I didn’t find much of anything.
>>> 
>>> I did find the email below from 4 years ago, that seems to answer a
>>> similar question from back then.  Is it still the situation that 0MQ
>>> doesn’t readily support using D/TLS to secure its communications?
>>> 
>>> I ask because we have an existing PKI managing more than 2000
>>> distributed identities and we use D/TLS to secure our mutually
>>> authenticated (the “Ironhouse Pattern”) point-to-point
>>> communications.  If it matters, we use Ephemeral Diffie-Hellman key
>>> exchanges with long term RSA keys.
>>> 
>>> From my reading, 0MQ looks really appealing to get away from low-
>>> level programming OpenSSL D/TLS, UDP, and TCP sockets, but not being
>>> able to use our existing security infrastructure would probably be a
>>> deal breaker.
>>> 
>>> I’d greatly appreciate any information on the current state of
>>> affairs of 0MQ security layers and whether or not adding D/TLS
>>> support to 0MQ is reasonable or not.
>>> 
>>> Thanks!
>>> John
>> 
>> Hi,
>> 
>> The situation is the same - security is only supported through Curve or
>> Kerberos.
>> 
>> Not for any particular reason if not that nobody has contributed any
>> other implementation. This is probably due to the fact that SSL is
>> awfully, awfully complex (but I understand your requirements).
>> 
>>> From ph at imatix.com  Fri Oct  4 00:46:06 2013
>>> From: ph at imatix.com (Pieter Hintjens)
>>> Date: Fri, 4 Oct 2013 00:46:06 +0200
>>> Subject: [zeromq-dev] Using other kinds of certificates with CurveZMQ

Re: [zeromq-dev] Is there a reasonable way to use an existing PKI and D/TLS with 0MQ?

2018-02-13 Thread John Lane Schultz
Hi Patrik,

I’m not terribly familiar with the details of elliptic curve cryptography 
myself.

Even so, there must be a strong EC relationship (inversion?) between the public 
and private parts of each key pair, just like there is for RSA key pairs.  I 
highly doubt that simply using a random-ish transform of RSA parameters will 
yield proper ECC key pairs.

I probably could automate the creation of a parallel PKI system, but then it 
would need to be mapped to, maintained, watered, and fed alongside our X509 / 
CA PKI infrastructure.  I doubt I want to take on that burden simply to reduce 
my socket programming pains.

Thanks,
John

On Feb 13, 2018, at 8:06 PM, Patrik VV.  wrote:

Hi

WARNING: I’m no infosec expert.

I’m just thinking out loud, so please bear with me. To my understanding, the 
keys used by the crypto primitives (NaCl/TweetNaCl) used in CurveZMQ are just 
32 secret bytes. You already have about 2000 secrets for those 2000 identities, 
their current format just isn’t usable. Can’t you just convert those secrets to 
32 secret bytes each using a cryptographically secure hash function? Of course 
it should be a hash function that gives you a hash of 32 bytes or more to avoid 
losing entropy.

I’m sure you could automate this process and store the converted identities as 
zcerts using CZMQ. See [1]

Regards,
Patrik

[1] http://czmq.zeromq.org/czmq-master:zcert

On 13 Feb 2018, at 23:42, Luca Boccassi  wrote:

> On Tue, 2018-02-13 at 17:03 -0500, John Lane Schultz wrote:
>> I’m new to 0MQ, so please excuse my ignorance about it.  I read the
>> guide book, the blog entries on CurveZMQ, looked at the directory of
>> 0MQ GitHub repositories, and googled around to see if anyone had
>> added a D/TLS layer into 0MQ. I didn’t find much of anything.
>> 
>> I did find the email below from 4 years ago, that seems to answer a
>> similar question from back then.  Is it still the situation that 0MQ
>> doesn’t readily support using D/TLS to secure its communications?
>> 
>> I ask because we have an existing PKI managing more than 2000
>> distributed identities and we use D/TLS to secure our mutually
>> authenticated (the “Ironhouse Pattern”) point-to-point
>> communications.  If it matters, we use Ephemeral Diffie-Hellman key
>> exchanges with long term RSA keys.
>> 
>> From my reading, 0MQ looks really appealing to get away from low-
>> level programming OpenSSL D/TLS, UDP, and TCP sockets, but not being
>> able to use our existing security infrastructure would probably be a
>> deal breaker.
>> 
>> I’d greatly appreciate any information on the current state of
>> affairs of 0MQ security layers and whether or not adding D/TLS
>> support to 0MQ is reasonable or not.
>> 
>> Thanks!
>> John
> 
> Hi,
> 
> The situation is the same - security is only supported through Curve or
> Kerberos.
> 
> Not for any particular reason if not that nobody has contributed any
> other implementation. This is probably due to the fact that SSL is
> awfully, awfully complex (but I understand your requirements).
> 
>> From ph at imatix.com  Fri Oct  4 00:46:06 2013
>> From: ph at imatix.com (Pieter Hintjens)
>> Date: Fri, 4 Oct 2013 00:46:06 +0200
>> Subject: [zeromq-dev] Using other kinds of certificates with CurveZMQ

Re: [zeromq-dev] Is there a reasonable way to use an existing PKI and D/TLS with 0MQ?

2018-02-13 Thread John Lane Schultz
Hi Luca,

Thanks for the update.  I was holding out hope that someone might have taken a 
crack at it already.

Yes, TLS is a pretty complicated protocol that supports tons of different 
cipher suites and options.  I certainly wouldn’t recommend reimplementing the 
protocol natively inside 0MQ.

I’m just curious about how hard it would be for 0MQ to use (and expose) a D/TLS 
implementation instead of TCP / UDP?

I’m guessing the primary obstacles would be dependence on an external D/TLS 
library (which maybe could be addressed with conditional compilation), how to 
have a simple 0MQ API that exposes the functionality / configurability of the 
D/TLS transport, and possibly objections to the security models (e.g. - X509 
certs, CAs, HMAC then encrypt, etc.) of TLS itself.

Thanks,
John

On Feb 13, 2018, at 5:42 PM, Luca Boccassi  wrote:

Hi,

The situation is the same - security is only supported through Curve or
Kerberos.

Not for any particular reason if not that nobody has contributed any
other implementation. This is probably due to the fact that SSL is
awfully, awfully complex (but I understand your requirements).

-- 
Kind regards,
Luca Boccassi


Re: [zeromq-dev] Is there a reasonable way to use an existing PKI and D/TLS with 0MQ?

2018-02-13 Thread Patrik VV.
Hi

WARNING: I’m no infosec expert.

I’m just thinking out loud, so please bear with me. To my understanding, the 
keys used by the crypto primitives (NaCl/TweetNaCl) used in CurveZMQ are just 
32 secret bytes. You already have about 2000 secrets for those 2000 identities, 
their current format just isn’t usable. Can’t you just convert those secrets to 
32 secret bytes each using a cryptographically secure hash function? Of course 
it should be a hash function that gives you a hash of 32 bytes or more to avoid 
losing entropy.

I’m sure you could automate this process and store the converted identities as 
zcerts using CZMQ. See [1]

Regards,
Patrik

[1] http://czmq.zeromq.org/czmq-master:zcert

> On 13 Feb 2018, at 23:42, Luca Boccassi  wrote:
> 
>> On Tue, 2018-02-13 at 17:03 -0500, John Lane Schultz wrote:
>> I’m new to 0MQ, so please excuse my ignorance about it.  I read the
>> guide book, the blog entries on CurveZMQ, looked at the directory of
>> 0MQ GitHub repositories, and googled around to see if anyone had
>> added a D/TLS layer into 0MQ. I didn’t find much of anything.
>> 
>> I did find the email below from 4 years ago, that seems to answer a
>> similar question from back then.  Is it still the situation that 0MQ
>> doesn’t readily support using D/TLS to secure its communications?
>> 
>> I ask because we have an existing PKI managing more than 2000
>> distributed identities and we use D/TLS to secure our mutually
>> authenticated (the “Ironhouse Pattern”) point-to-point
>> communications.  If it matters, we use Ephemeral Diffie-Hellman key
>> exchanges with long term RSA keys.
>> 
>> From my reading, 0MQ looks really appealing to get away from low-
>> level programming OpenSSL D/TLS, UDP, and TCP sockets, but not being
>> able to use our existing security infrastructure would probably be a
>> deal breaker.
>> 
>> I’d greatly appreciate any information on the current state of
>> affairs of 0MQ security layers and whether or not adding D/TLS
>> support to 0MQ is reasonable or not.
>> 
>> Thanks!
>> John
> 
> Hi,
> 
> The situation is the same - security is only supported through Curve or
> Kerberos.
> 
> Not for any particular reason if not that nobody has contributed any
> other implementation. This is probably due to the fact that SSL is
> awfully, awfully complex (but I understand your requirements).
> 
>> From ph at imatix.com  Fri Oct  4 00:46:06 2013
>> From: ph at imatix.com (Pieter Hintjens)
>> Date: Fri, 4 Oct 2013 00:46:06 +0200
>> Subject: [zeromq-dev] Using other kinds of certificates with CurveZMQ

Re: [zeromq-dev] Is there a reasonable way to use an existing PKI and D/TLS with 0MQ?

2018-02-13 Thread Luca Boccassi
On Tue, 2018-02-13 at 17:03 -0500, John Lane Schultz wrote:
> I’m new to 0MQ, so please excuse my ignorance about it.  I read the
> guide book, the blog entries on CurveZMQ, looked at the directory of
> 0MQ GitHub repositories, and googled around to see if anyone had
> added a D/TLS layer into 0MQ. I didn’t find much of anything.
> 
> I did find the email below from 4 years ago, that seems to answer a
> similar question from back then.  Is it still the situation that 0MQ
> doesn’t readily support using D/TLS to secure its communications?
> 
> I ask because we have an existing PKI managing more than 2000
> distributed identities and we use D/TLS to secure our mutually
> authenticated (the “Ironhouse Pattern”) point-to-point
> communications.  If it matters, we use Ephemeral Diffie-Hellman key
> exchanges with long term RSA keys.
> 
> From my reading, 0MQ looks really appealing to get away from low-
> level programming OpenSSL D/TLS, UDP, and TCP sockets, but not being
> able to use our existing security infrastructure would probably be a
> deal breaker.
> 
> I’d greatly appreciate any information on the current state of
> affairs of 0MQ security layers and whether or not adding D/TLS
> support to 0MQ is reasonable or not.
> 
> Thanks!
> John

Hi,

The situation is the same - security is only supported through Curve or
Kerberos.

Not for any particular reason if not that nobody has contributed any
other implementation. This is probably due to the fact that SSL is
awfully, awfully complex (but I understand your requirements).

> From ph at imatix.com  Fri Oct  4 00:46:06 2013
> From: ph at imatix.com (Pieter Hintjens)
> Date: Fri, 4 Oct 2013 00:46:06 +0200
> Subject: [zeromq-dev] Using other kinds of certificates with CurveZMQ