[openamq-dev] Encryption/C++ API
Russell Adams
RLAdams at AdamsInfoServ.Com
Fri Apr 18 22:43:58 CEST 2008
> There are a number of different requirements - privacy, tamper
> resistance, authentication. The methods for doing each of these vary,
> and the effort needed also depends.
>
> My own preference - if I was building a secure internet-based network
> using OpenAMQ - would be to do end-to-end encryption, and place this
> entirely in the client API, above WireAPI. The protocol does have
> some security hooks, e.g. for secure authentication of AMQP
> applications to the broker, and these would also be needed.
> Disclaimer: I am not a security expert.
>
> Using an existing security library like OpenSSL, we'd expect to be
> able to deliver a working security framework in a few weeks at most.
> The difficulties would be, IMO, (a) mixing secure and non-secure on
> the same network, (b) the performance hit in high-volume / low-latency
> situations, and (c) distribution of certificates. Again, IANASE, and
> the best answer probably depends on the actual application demands.
Using SSL encryption & signing on messages at the client level makes
plenty of sense to me. That could also be integrated with
retransmission logic.
Has anyone worked on a security framework that could be used in this
manner already?
This hit close to home for a need I had, and I have been researching
alternatives among the open MQ implementations.
>
> It may also be possible - but we'd need to check - to use the existing
> clients over an ssh tunnel to the broker. Finally, the classic
> fallback is to use VPNs so that remote clients are effectively brought
> into the LAN. This is especially plausible if one also uses OpenAMQ
> federation, so the VPN connects two brokers and not N clients to a
> remote broker.
Stunnel or SSH are both acceptable for insulating the server and
protocol from the internet and insecure networks, but that doesn't
replace message level security.
I'd like to see an "untrusted" broker on the net that passes around
encrypted & signed messages between clients.
Thanks.
------------------------------------------------------------------
Russell Adams RLAdams at AdamsInfoServ.com
PGP Key ID: 0x1160DCB3 http://www.adamsinfoserv.com/
Fingerprint: 1723 D8CA 4280 1EC9 557F 66E8 1154 E018 1160 DCB3
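The message-level model discussed in this thread (an untrusted broker that only forwards messages which the clients themselves have signed and encrypted), written out as an added example that is not part of the thread or of OpenAMQ. It assumes Ed25519 for signing, AES-256-GCM under a key the two clients already share, and a constructed envelope format; how that key (or the certificates the quoted reply mentions) gets distributed is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Envelope (constructed for this example): nonce(12) || AES-GCM(sig(64) || payload).
// The untrusted broker only ever sees this blob: it can route it but not read or alter it.
func newGCM(encKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(encKey) // a 32-byte encKey selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs with the sender's Ed25519 key, then encrypts signature+payload under the
// shared AES-GCM key. How encKey reaches both peers is assumed to be solved out of band.
func Seal(payload []byte, signKey ed25519.PrivateKey, encKey []byte) ([]byte, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sig := ed25519.Sign(signKey, payload)
	return gcm.Seal(nonce, nonce, append(sig, payload...), nil), nil // nonce||ct||tag
}

// Open decrypts and verifies. A byte flipped in transit fails the GCM tag; a message
// sealed by anyone other than the expected sender fails the signature check.
func Open(envelope []byte, verifyKey ed25519.PublicKey, encKey []byte) ([]byte, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	// One length check covers both the nonce and the minimum inner message (tag + signature).
	if len(envelope) < gcm.NonceSize()+gcm.Overhead()+ed25519.SignatureSize {
		return nil, errors.New("envelope too short")
	}
	inner, err := gcm.Open(nil, envelope[:gcm.NonceSize()], envelope[gcm.NonceSize():], nil)
	if err != nil {
		return nil, errors.New("tampered envelope or wrong key")
	}
	sig, payload := inner[:ed25519.SignatureSize], inner[ed25519.SignatureSize:]
	if !ed25519.Verify(verifyKey, payload, sig) {
		return nil, errors.New("signature does not match sender")
	}
	return payload, nil
}
```

Because the signature sits inside the ciphertext, the broker cannot even learn who signed a message, only which queue it was published to.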