CurveZMQ, ZMTP and other Dubious Characters

5,971 views
5,652 views

Published on

Secure Messaging for the Internet

Published in: Technology

CurveZMQ, ZMTP and other Dubious Characters

  1. 1. CurveZMQ, ZMTP and otherDubious CharactersSecure Messaging for the InternetbyPieter Hintjens, CEO, iMatixBerlin Buzzwords 2013, 4 June, 2013
  2. 2. Whats the Problem?● ZeroMQ (ØMQ) defined a new productcategory● Message queuing & routing stacks● JeroMQ, NullMQ, Nano, netty-zmtp, ezmtp● All have the same problem: clear-text● Not safe to use on public infrastructure
  3. 3. What do People Do?● Many apps just use clear text● Clearly not acceptable for sensitive data● Salt Stack has its own security system● Already cracked (chicken-salt)● IPython uses SSH + HMAC digests● Has several plausible vulnerabilities
  4. 4. Works in Progress● TLS encryption above libzmq (Barber)● TLS transports for libzmq (Young, Naudé)● DTLS transport for libzmq (Cocagne)● May deliver, but...● What about interoperability?
  5. 5. The Right Solution● Security at the protocol level (ZMTP)● Extensible security (like SASL)● Several example mechanisms● Easy to plug new ones into libzmq● Perhaps exposed as e.g. dtls://
  6. 6. Whats SASL?● IETFs solution for extensible security● We used this when designing AMQP● Client and server negotiate a "mechanism"● Mechanism does the actual security● IETF as usual makes it... complex● We can do it somewhat simpler
  7. 7. The Security Handshake● Client: HELLO● Server: WELCOME (mechanism M)● Client: INITIATE (mechanism M)● Server: READY● Client: MESSAGE | Server: MESSAGE
  8. 8. What is "Secure" in 2013?● Data cannot be tapped (encrypted)● or created fraudulently (authentic)● or altered● or replayed● Keys cannot be stolen
  9. 9. Basic State of the Art● Mechanisms must be open ended● Allows evolution of security over time● Processing HELLO command must be cheap● Prevents denial-of-CPU attacks● HELLO must be larger than WELCOME● Prevents amplification attacks● Send no metadata until INITIATE/READY● Prevents leak of knowledge about peer
  10. 10. Advanced State of the Art● Perfect forward security● Data cannot be decrypted even with private keys● Resists man-in-the-middle manipulation of keys● Clients cannot be identified● Client public keys are sent encrypted● Resists traffic-analysis attacks● Randomize message sizes & frequencies
  11. 11. Meet CurveCP (Bernstein)● "Usable Security for the Internet"● From author of NaCl (=> libsodium)● Encryption and authentication over UDP● Also does recovery from packet loss● Also does a bunch of other stuff● http://curvecp.org
  12. 12. Some CurveCP Internals● Elliptic curve encryption, very fast● Creates short-term keys for each connection● Unique nonces for each command● Achieves "advanced state of the art"● Except defeating traffic analysis● Which we can add ourselves
  13. 13. Why NaCl is Wonderful● Perfectly simple API● Fast and robust● Preselected key sizes & algorithms● Packaged as libsodium● Easy to install, learn, and use
  14. 14. Why CurveCP wont happen● Tries to do too much, too soon● The software is complex to use● Does not "play nice" with existing standards● Utterly incompatible with SASL, TCP● Remixed into more plausible MinimalT
  15. 15. Apart from that, Very Nice!● I took CurveCPs security handshake● Simplified it and cleaned it up● Made it transport neutral● Wrote down as a single protocol document● http://rfc.zeromq.org/spec:26/CURVEZMQ
  16. 16. Meet CurveZMQ● An Abstract Security Mechanism● Specified as a client-server protocol● Any transport (even avian carrier)● TCP if we build this into ZMTP● Or ZeroMQ tcp://, at application level● http://curvezmq.org
  17. 17. Meet ZMTP● The ZeroMQ Message Transport Protocol● Wire protocol for ZeroMQ over TCP● Fifth RFC now in drafting stage● In ZeroMQ, JeroMQ, NetMQ, netty-zmtp, ...● Version 3.0 is quite a big deal● http://rfc.zeromq.org/spec:23/ZMTP
  18. 18. Whats New in ZMTP 3.0?● Extensible security mechanisms● Extensible connection metadata● Endpoint resources (for port sharing)● Better backwards version detection● Explicit socket type semantics
  19. 19. ZMTPs security mechanisms● NULL is just that, empty● PLAIN does clear-text authentication● Test clients vs. production systems● CURVE does CurveZMQ security● Fully encrypted and authenticated● <Insert your own here>
  20. 20. libzmq already runs ZMTP 3.0● Git master does NULL and PLAIN● Full backwards compatibility● Supports extensible mechanisms● Were now working on CURVE● Next: DTLS, ...?
  21. 21. Meet ZAP● The ZeroMQ Authentication Protocol● Extensible authentication services● Using ZeroMQ request-reply protocol● PAM, LDAP, Kerberos, passwd, etc.● libzmq implements ZAP 1.0● http://rfc.zeromq.org/spec:27/ZAP
  22. 22. Get involved● Read the RFCs on http://rfc.zeromq.org● Come to Brussels on 21 & 22 June 2013● For ZeroMQ Developers Meetup● http://zero.mq/bxl● Talk to us on the zeromq-dev list
  23. 23. Who are we?● ZeroMQ community including iMatix● iMatix makes messaging products● Distributed systems since 1991● Original designers of AMQP (2004-07)● Backers of ZeroMQ community (2007-)● Authors of most ZeroMQ RFCs
  24. 24. Thanks!● Buy the OReilly ZeroMQ book● Email me: ph@imatix.com● Twitter: @hintjens● Blog: hintjens.com

×