Security/Encryption with PUB/SUB?

Noah

Jan 19, 2016, 2:35:53 PM
to netmq-dev
I'm trying to add security to my existing NetMQ app which makes heavy use of PUB/SUB sockets between multiple clients connected to multiple servers.

Secure Channel (http://somdoron.com/2013/05/securing-netmq/) seems to only make sense with socket combos other than PUB/SUB, where you can maintain an instance of a SecureChannel for every client server combination and reference it for decoding/encoding messages.

Browsing around I came across http://zeromq.org/deleted:topics:pubsub-security, which looks interesting but immediately seems to have a practical sticking point:

  • It sends an AUTHENTICATE command to the master. The body consists of the desired domain, minion name, and minion signature. The minion signature consists of the six letters "MINION", encrypted using the minion's private key. The body is encrypted using the master's public key.
This is saying to encode the signature with the RSA minion private key (in my case using a 4096-bit key, resulting in a 512-byte encrypted buffer), then combine that with the name and domain, and encrypt it again using the master's RSA public key. This does not work, as it implies encrypting more than 512 bytes (http://stackoverflow.com/a/5586652).

Anybody have any insight or guidance for securing PUB/SUB in NetMQ? Or clarifications for any/all misunderstandings I may have here?

Thanks.

Doron Somech

Jan 20, 2016, 3:48:45 AM
to Noah, netmq-dev
I think the easiest thing is to implement pubsub by hand over the security of NetMQ.
Also, if you control the computers at both sides, you can use something like stunnel.

ZeroMQ v4 introduced built-in security; however, this is not available in NetMQ yet. Anyway, if you want to help port it, let me know.

Noah

Jan 20, 2016, 8:31:10 AM
to netmq-dev, noah.d...@gmail.com
OK, thanks for the input. What do you think about using SecureChannel to do a handshake on a dealer/router socket combo (similar to the article on zeromq) and use it to exchange a symmetric key that is used to encrypt all PUB messages?

Porting some ZeroMQ code to NetMQ would be fun; not sure where I would find the time. Maybe I'll talk to the employer about that.
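
Worked illustration of the size problem raised in the first post and of the symmetric-key approach proposed above. This is an added example, not code from the thread or from NetMQ: it uses .NET's System.Security.Cryptography (assumes .NET 6 or later), constructed domain/name values, and a proper RSA-PSS signature over "MINION" instead of "encrypting" it with the private key.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Constructed demo (not NetMQ code): the AUTHENTICATE body from the zeromq page cannot be
// RSA-encrypted whole, but RSA can wrap a symmetric key that then protects the body and PUB frames.
static class PubSubKeyExchangeDemo
{
    public static void Main()
    {
        using RSA minion = RSA.Create(4096);   // minion's signing key pair
        using RSA master = RSA.Create(4096);   // master's encryption key pair

        // "MINION" signed with the minion's private key: 512 bytes for a 4096-bit key.
        byte[] tagMsg = Encoding.ASCII.GetBytes("MINION");
        byte[] signature = minion.SignData(tagMsg, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
        byte[] header = Encoding.UTF8.GetBytes("domain=demo;name=minion-01;"); // constructed values
        byte[] body = new byte[header.Length + signature.Length];
        header.CopyTo(body, 0);
        signature.CopyTo(body, header.Length);

        // Direct RSA-OAEP encryption of the body fails: a 4096-bit key with OAEP-SHA256 takes at
        // most 512 - 2*32 - 2 = 446 bytes of plaintext, and the body is already over 512.
        try { master.Encrypt(body, RSAEncryptionPadding.OaepSHA256); }
        catch (CryptographicException e) { Console.WriteLine("Direct RSA failed: " + e.Message); }

        // Hybrid: a fresh 256-bit session key is the only thing RSA encrypts (32 bytes fits).
        byte[] sessionKey = RandomNumberGenerator.GetBytes(32);
        byte[] wrappedKey = master.Encrypt(sessionKey, RSAEncryptionPadding.OaepSHA256);

        // The body (and later every PUB frame) goes under AES-GCM with a fresh per-message nonce.
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] ciphertext = new byte[body.Length];
        byte[] tag = new byte[16];
        using (var aes = new AesGcm(sessionKey))
            aes.Encrypt(nonce, body, ciphertext, tag);

        // Master side: unwrap the session key, decrypt the body, verify the minion signature.
        byte[] recoveredKey = master.Decrypt(wrappedKey, RSAEncryptionPadding.OaepSHA256);
        byte[] plain = new byte[ciphertext.Length];
        using (var aes = new AesGcm(recoveredKey))
            aes.Decrypt(nonce, ciphertext, tag, plain);   // throws if the tag does not match
        bool ok = minion.VerifyData(tagMsg, plain[header.Length..],
                                    HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
        Console.WriteLine($"wrapped key: {wrappedKey.Length} bytes, body verified: {ok}");
    }
}
```

Subsequent PUB frames would carry the nonce, ciphertext and tag under the same session key; subscribers that never completed the dealer/router handshake hold no key and cannot decrypt or forge frames.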

Brian Behm

Oct 17, 2017, 5:06:49 PM
to netmq-dev
@Noah, were you able to get the SecureChannel to work with PUB messages?

Brian