On 12/15/2017 07:01 AM, Luca Boccassi wrote:
> Premise: I am not a security expert.

Me neither. I know just enough to have some hints of ways I could screw
myself.

> Using the same key pair for both endpoints should be the equivalent of
> using a pre-shared key, so per se it shouldn't have any consequences.
> Apart from the obvious ones with deployment, double exposure of the
> private key (one machine gets compromised == all machines are
> compromised) and so on, which you already identified.

My worry is over the math of the key exchange (magic that allows two
nodes to agree on a session key in such a way that an eavesdropper can't
figure it out). If both sides are using the same keys does anything
break down in that math?
I am afraid of something like:

    "Oh, my God! If those values are equal this second part of the
    equation cancels out and an observer can easily infer the session key!"

Rather rarefied territory, I know. Any suggestions of whom else I might
ask...?
Thanks,
-kb, the Kent who also tried Perry Metzger's cryptography list but
hasn't gotten an answer there yet.
_______________________________________________
zeromq-dev mailing list
https://lists.zeromq.org/mailman/listinfo/zeromq-dev