ZeroMQ encryption with CurveZMQ
At the CyberSecurity meeting in Lund (March 2024) we had a talk about ZeroMQ and encryption [1]. The patch zmq-encryption-hack.diff implements a very hacky PoC for that.
To be able to integrate that properly, the following tasks have to be finished:
- libsodium does the crypto for CurveZMQ, so we need to check in CMake if libzmq was compiled with it. libsodium occupies 420kb on disc for the amd64 platform [5].
- Raise the required libzmq version to something which has a fix for [3].
- We currently use the client sockets to connect to multiple server sockets. This does not play well with the 1:1 encryption between the zeromq sockets.
  - Check if this works with multiple DS.
  - If not, do we have to use two zeromq sockets on the client side per DS?
  - Or are there other options?
- We only want to hand out the server public keys if ssl CORBA transport is used.
- The memory regions that contain keys need to be protected in order to not leave them in memory after a process ends. See [5].
- Add a new command ZmqEventSubscriptionChange2 to publish the server's own public key. [4]
- Is it safe to use the longterm keys for like a year?
- JTango interoperability: JTango uses jeromq, see https://gitlab.com/tango-controls/JTango/-/blob/jtango-9-lts/dao/pom.xml#L92 which supports curve.
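The public-key hand-out and key-wiping tasks above, as an added example that is neither cppTango code nor part of the patch: CURVE keys are 32 bytes and ZeroMQ exchanges them as 40-character Z85 text, so this re-implements Z85 encoding stand-alone (libzmq offers zmq_z85_encode() for the same job), exports the public half of a constructed key pair the way a ZmqEventSubscriptionChange2 reply would carry it, and wipes the secret key with a memset the compiler cannot elide (a libsodium build can use sodium_memzero() instead). All function names except ZmqEventSubscriptionChange2 are assumed, and the sample keys are constructed, not real.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Z85 alphabet (ZeroMQ RFC 32); libzmq's zmq_z85_encode() uses the same table. */
static const char Z85[] =
    "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    ".-:+=^!/*?&<>()[]{}@%$#";
/* Encode len bytes (multiple of 4) as Z85; out needs len*5/4+1 bytes. */
char *z85_encode(char *out, const uint8_t *in, size_t len)
{
    if (len % 4 != 0) return NULL;       /* Z85 only defines 4-byte groups */
    size_t o = 0;
    for (size_t i = 0; i < len; i += 4) {
        uint32_t v = ((uint32_t)in[i] << 24) | ((uint32_t)in[i + 1] << 16) |
                     ((uint32_t)in[i + 2] << 8) | in[i + 3];
        for (int d = 4; d >= 0; d--) {   /* most significant digit first */
            out[o + d] = Z85[v % 85];
            v /= 85;
        }
        o += 5;
    }
    out[o] = '\0';
    return out;
}
/* Wipe key material: memset via a volatile function pointer so the compiler
 * cannot drop the store as "dead" just because the buffer is never read again. */
static void *(*const volatile memset_v)(void *, int, size_t) = memset;
void secure_wipe(void *p, size_t n) { memset_v(p, 0, n); }

/* Spec test vector: bytes 86 4F D2 6F B5 59 F7 5B encode to "HelloWorld". */
int z85_selftest(void)
{
    const uint8_t v[8] = {0x86, 0x4F, 0xD2, 0x6F, 0xB5, 0x59, 0xF7, 0x5B};
    char out[11];
    return z85_encode(out, v, sizeof v) != NULL && strcmp(out, "HelloWorld") == 0;
}
/* Constructed 32-byte CURVE key pair (not real keys): export the public key as
 * the 40-char Z85 string a ZmqEventSubscriptionChange2 reply would carry, then
 * wipe the secret key and report 1 if the wipe took effect. */
int demo_publish_and_wipe(void)
{
    uint8_t pub[32], sec[32];
    char pub_z85[41];
    for (int i = 0; i < 32; i++) { pub[i] = (uint8_t)i; sec[i] = (uint8_t)(0xA0 + i); }
    if (!z85_encode(pub_z85, pub, sizeof pub) || strlen(pub_z85) != 40) return 0;
    secure_wipe(sec, sizeof sec);        /* the secret key never leaves the process */
    for (size_t i = 0; i < sizeof sec; i++) if (sec[i] != 0) return 0;
    return 1;
}
```

Only the public key is ever encoded for transport; the secret key stays in process memory and is zeroed as soon as it is no longer needed.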
POC:
- cmake --build build/debug --target Catch2Tests && ctest --test-dir build/debug -R "catch2::Scenario: Polled attributes generate change events" --verbose
Edited by Thomas Braun