On Fri, 2017-12-15 at 09:48 -0500, Kent Borg wrote:
> On 12/15/2017 07:01 AM, Luca Boccassi wrote:
> > Premise: I am not a security expert.
>
> Me neither. I know just enough to have some hints of ways I could
> screw myself.
>
> > Using the same key pair for both endpoints should be the equivalent
> > of using a pre-shared key, so per se it shouldn't have any
> > consequences.
> >
> > Apart from the obvious ones with deployment, double exposure of the
> > private key (one machine gets compromised == all machines are
> > compromised) and so on, which you already identified.
>
> My worry is over the math of the key exchange (magic that allows two
> nodes to agree on a session key in such a way that an eavesdropper
> can't figure it out). If both sides are using the same keys does
> anything break down in that math?
>
> I am afraid of something like:
>
>    "Oh, my God! If those values are equal this second part of the
>    equation cancels out and an observer can easily infer the
>    session key!"
>
> Rather rarefied territory, I know. Any suggestions of whom else I
> might ask...?
>
> Thanks,
>
> -kb, the Kent who also tried Perry Metzger's cryptography list but
> hasn't gotten an answer there yet.

As far as I remember (haven't looked at the code in a good while) the
session keys are not derived from the public keys.

--
Kind regards,
Luca Boccassi
