I have a use case coming up that requires secure communication between two remote nodes that have an arbitrary number of message relayers sitting in between them. In this particular case, some of those machines will be using unroutable IPs, so most of the traditional SSL tunneling solutions used in these kinds of situations won't be easily applicable. I haven't heard of many other approaches to secure communications with ZeroMQ, so I started looking into embedding DTLS packets within ZeroMQ messages. The results of my initial investigations were encouraging, so I put together a GitHub repo containing a minimal, proof-of-concept implementation (https://github.com/cocagne/zdtls) and figured I'd share it with the list in case anyone else has an interest in this area.
One somewhat annoying limitation of DTLS is that the message sizes are restricted by the constraints of UDP packets. I've been toying with an idea to get around this:

1. Generate a random AES encryption key and Initialization Vector.
2. Encrypt your message using the key and IV.
3. Prefix this with a message part that contains a DTLS packet whose content is: (IV, key, Encrypted Message Hash).

In theory, successful processing of the DTLS packet would prove the authenticity of the prefix, the embedded hash would, in turn, prove the authenticity of the encrypted message part, and the IV and key would then be used to decrypt it. Though of course, I'm not a cryptographer, so there's probably 100 things wrong with that idea. ;-)

Tom
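A worked version of the three-step envelope described above, added here as an example; it is not code from the post or from the zdtls repo. It assumes the `Header` struct is what would be carried inside the DTLS record (DTLS itself is not modelled, the header is simply treated as already authenticated), and it uses AES-GCM in place of bare AES plus IV so the body carries its own integrity tag; the receiver still checks the header's hash over the ciphertext before decrypting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Header is the small part destined for the DTLS record (assumption: DTLS
// supplies authenticity and confidentiality for it; not modelled here).
type Header struct {
	Key   []byte // per-message AES-256 key
	Nonce []byte // AES-GCM nonce, the "IV" of the proposal
	Hash  []byte // SHA-256 over the ciphertext body
}

// Seal produces the DTLS-bound header and the oversized second message part.
func Seal(plaintext []byte) (Header, []byte, error) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	if _, err := rand.Read(key); err != nil {
		return Header{}, nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return Header{}, nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Header{}, nil, err
	}
	body := gcm.Seal(nil, nonce, plaintext, nil)
	sum := sha256.Sum256(body)
	return Header{Key: key, Nonce: nonce, Hash: sum[:]}, body, nil
}

// Open verifies the body against the authenticated header, then decrypts.
func Open(h Header, body []byte) ([]byte, error) {
	sum := sha256.Sum256(body)
	if subtle.ConstantTimeCompare(sum[:], h.Hash) != 1 {
		return nil, errors.New("body hash does not match authenticated header")
	}
	gcm, err := newGCM(h.Key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, h.Nonce, body, nil) // also checks the GCM tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	h, body, _ := Seal([]byte("hello over many relays")) // constructed input
	pt, err := Open(h, body)
	fmt.Printf("%q %v\n", pt, err)
	body[0] ^= 1 // constructed tampering: rejected by the hash check
	_, err = Open(h, body)
	fmt.Println(err)
}
```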
