How does zeromq work together with SSL?


Question

I am considering using zeromq as a messaging layer between my applications. At least in some cases I want the communication to be secure and I am thinking about SSL.

Is there some standard way to ssl-enable zeromq? As far as I understand, it doesn't support it out of the box.

It would be nice if I just had a parameter when connecting to a socket (bool: useSsl) :)

Any ideas?

Recommended answer

Understanding that this is not really an answer to your question, I'm going to be encrypting the messages directly with RSA, before sending them with 0mq.

In the absence of a more integrated encryption method that is fully tested and implemented in my platform of choice, that's what I'm going with. 0mq just recently released version 4, which has encryption baked in, but it's still considered experimental and isn't fully supported by the language bindings.

Encrypting the message, rather than the connection, seems to provide the simplest upgrade path, and the difference for our purposes is pretty much just semantics given how we'd have to implement encryption currently, today.

I know more about encryption now than I did when I wrote this: RSA is not an appropriate choice for encrypting message data. Use AES, either with manually sharing keys (this is our approach for the short term) or implementing a key sharing scheme as in Jim Miller's answer... but beware if you take the latter approach: designing and implementing a key-sharing scheme securely is hard. Way harder than you'd think. You can implement SSL/TLS directly (using message BIOs), and others have done so; it's also not simple, but at least know that the SSL scheme is industry standard and therefore meets a minimum security requirement.

In short, before the Elliptic Curve crypto baked into ZMQ 4 is considered reliable and becomes standard, the "accepted solution" would be to implement SSL/TLS over the connection manually, and failing that, use AES 128 or 256 with a secure key sharing mechanism (key sharing is where RSA would appropriately be used).
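
The message-level approach the answer describes (AES with a manually shared key), sketched as an added example that is not part of the original answer. It assumes AES-256-GCM, an authenticated mode chosen here (the answer only says AES), uses only Node's built-in `crypto` module, and the names `seal`, `open` and `tryOpen` are hypothetical; the resulting buffer is what you would hand to your ZeroMQ binding as a message frame.

```javascript
// Added example: message-level AES-256-GCM for payloads carried as ZeroMQ frames.
const crypto = require('node:crypto');

const NONCE_LEN = 12; // 96-bit nonce, the size GCM is designed for
const TAG_LEN = 16;   // 128-bit authentication tag

// seal(): returns one frame laid out as nonce || ciphertext || tag.
// `aad` (e.g. a topic frame sent in clear) is authenticated but not encrypted.
function seal(key, plaintext, aad = Buffer.alloc(0)) {
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh per message, never reused with a key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(aad);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, body, cipher.getAuthTag()]);
}

// open(): returns the plaintext, or throws if the frame or the aad was altered.
function open(key, frame, aad = Buffer.alloc(0)) {
  if (frame.length < NONCE_LEN + TAG_LEN) throw new Error('frame too short');
  const nonce = frame.subarray(0, NONCE_LEN);
  const tag = frame.subarray(frame.length - TAG_LEN);
  const body = frame.subarray(NONCE_LEN, frame.length - TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce,
                                           { authTagLength: TAG_LEN });
  decipher.setAAD(aad);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]);
}

// tryOpen(): receiver-side wrapper; null means the message must be dropped.
function tryOpen(key, frame, aad) {
  try { return open(key, frame, aad); } catch { return null; }
}

// Constructed demo values (not from the original page).
const demoKey = crypto.randomBytes(32);   // stands in for the manually shared key
const demoTopic = Buffer.from('orders');  // cleartext routing frame, bound as aad
const demoFrame = seal(demoKey, Buffer.from('{"id":42,"qty":3}'), demoTopic);
console.log(tryOpen(demoKey, demoFrame, demoTopic).toString());
```

This gives per-message confidentiality and integrity only: a captured frame can still be replayed, and key distribution and rotation remain manual, which is the gap SSL/TLS or the encryption built into ZMQ 4 is meant to close.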
