Indeed, these messages are used for the handshake and there is no benefit to an attacker to see the handshake happening. You can in any case see it by observing the to and fro messages from client to server if you know the protocol. Also, how would you decrypt if you don't know the command you're receiving?

As for padding, you can of course do this, and it's one of the suggestions in the CurveZMQ spec. It's not an RFC issue. Just add dummy frames to your ZMQ messages.

-Pieter

On Sat, Oct 12, 2013 at 2:40 PM, shancat <[email protected]> wrote:
> I think padding is up to the user and I think those messages are used to
> set up encryption. How do you encrypt the messages that are used to set up
> encryption? Besides I don't think they need to be encrypted anyway. Could be
> wrong on those points but that's what I thought.
>
> On Oct 12, 2013 11:35 PM, "T. Linden" <[email protected]> wrote:
>>
>> Hi,
>>
>> while working with the curve encrypted feature of CZMQ I found that not
>> everything is encrypted, see attached snoop (hex dump). ZMQ message
>> headers are clear text like "MESSAGE", "HELLO", "READY" and so forth.
>>
>> Are there any plans to change this in the future, i.e. to encrypt them
>> as well? And another thing occurred to me: the packets didn't seem to be
>> padded. So, an attacker could see, which packet has which purpose AND by
>> looking at the packet size assume what kind of message might be in
>> there.
>>
>> Yes, I admit this sounds somewhat paranoid :) But that's a virtue these
>> days, isn't it?
>>
>> best regards,
>> Tom
>>
>> --
>> PGP Key: https://www.daemon.de/txt/tom-pgp-pubkey.txt
>> S/Mime Cert: https://www.daemon.de/txt/tom-smime-cert.pem
>> Bitmessage: BM-2DAcYUx3xByfwbx2bYYxeXgq3zDscez8wC

--
-
Pieter Hintjens
CEO of iMatix.com
Founder of ZeroMQ community
blog: http://hintjens.com
_______________________________________________
zeromq-dev mailing list
[email protected]
http://lists.zeromq.org/mailman/listinfo/zeromq-dev
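
An added example, not part of the original thread or of the CurveZMQ spec: one way to apply the dummy-frame padding suggested above, so that the total payload of every multipart message lands on a small set of sizes. The convention that the last frame is always padding, the `MIN_BUCKET` value and the function names are assumptions made for this sketch; frames are plain `bytes` objects such as the list handed to a multipart send.

```python
MIN_BUCKET = 256  # assumed smallest padded size, in bytes


def bucket_for(n, minimum=MIN_BUCKET):
    """Smallest size of the form minimum * 2**k that holds n bytes."""
    size = minimum
    while size < n:
        size *= 2
    return size


def pad_frames(frames, minimum=MIN_BUCKET):
    """Append one dummy frame so the summed frame lengths hit a bucket size.

    A padding frame is always appended (it may be empty), so the receiver
    can strip the last frame unconditionally.
    """
    total = sum(len(f) for f in frames)
    padding = bytes(bucket_for(total, minimum) - total)  # zero-filled
    return list(frames) + [padding]


def unpad_frames(frames, minimum=MIN_BUCKET):
    """Drop the trailing dummy frame after checking the padding convention."""
    if not frames:
        raise ValueError("padded message must carry a padding frame")
    total = sum(len(f) for f in frames)
    if total != bucket_for(total, minimum):
        raise ValueError("total size is not a bucket size; peer did not pad")
    if any(frames[-1]):
        raise ValueError("padding frame is not all zeros")
    return list(frames[:-1])


if __name__ == "__main__":
    # Constructed sample messages of different real sizes.
    short = [b"status", b"ok"]
    longer = [b"status", b"x" * 180]
    for msg in (short, longer):
        padded = pad_frames(msg)
        print(len(msg), "frames ->", sum(len(f) for f in padded), "bytes")
        assert unpad_frames(padded) == msg
```

This pads the summed payload only; the number of frames and any per-frame sizes the transport exposes are unchanged.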
