Curve Key Generation
CurveZMQ is a protocol for secure messaging across the Internet that closely follows the CurveCP security handshake. curve-keygen is a script, modeled after ssh-keygen, that generates public and private keys.
curve-keygen --help
usage: curve-keygen [-h] [--mode MODE]
optional arguments:
-h, --help show this help message and exit
--mode MODE `client` or `server`
The implementation idea is borrowed from https://github.com/danielrobbins/ibm-dw-zeromq-2/blob/master/curve-keygen
Certificate naming
We need 2 certificates: one for the server and one for the client. The client must know the server’s public key to make a Curve connection. We follow the naming convention shown below.
import socket
server_key_id = "id_server_{}_curve".format(socket.gethostname())
client_key_id = "id_client_{}_curve".format(socket.gethostname())
Generate Server public and private keys
Run the following command:
curve-keygen --mode=server
Curve Key Generation uses an OpenSSH-like directory, ~/.curve. You should see the certificates generated at this location.
cd ~/.curve
ls -lrt
-rw------- 1 abhishek staff 313 Oct 24 15:13 id_server_Abhisheks-MBP_curve.key_secret
-rw------- 1 abhishek staff 364 Oct 24 15:13 id_server_Abhisheks-MBP_curve.key
drwx------ 2 abhishek staff 68 Oct 24 15:13 authorized_clients
Notice that in server mode, the script also creates a directory called authorized_clients. This is used when you want the server to respond only to known clients. You place authorized clients’ public keys in this directory.
Generate Client’s private and public keys
curve-keygen --mode=client
cd ~/.curve
ls -lrt
-rw------- 1 abhishek staff 313 Oct 24 15:20 id_client_Abhisheks-MBP_curve.key_secret
-rw------- 1 abhishek staff 364 Oct 24 15:20 id_client_Abhisheks-MBP_curve.key
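A check to run after key generation, as an added example that is not part of curve-keygen or of the original page: it verifies the naming convention above, owner-only permissions on ~/.curve and the secret key, and that authorized_clients holds no secret keys. The function names, the host name examplehost and the sample files are assumptions constructed for illustration.

```python
import os
import socket
import stat
import tempfile
from pathlib import Path


def expected_key_id(mode, hostname=None):
    """Key id per the page's convention: id_<mode>_<hostname>_curve."""
    return "id_{}_{}_curve".format(mode, hostname or socket.gethostname())


def audit_curve_dir(curve_dir, mode, hostname=None):
    """Return findings for a ~/.curve style directory (empty list = OK)."""
    curve_dir = Path(curve_dir)
    key_id = expected_key_id(mode, hostname)
    public = curve_dir / (key_id + ".key")
    secret = curve_dir / (key_id + ".key_secret")
    findings = ["missing: " + p.name for p in (public, secret) if not p.is_file()]
    # The directory and the secret key must carry no group/other permission bits.
    for path in (curve_dir, secret):
        if path.exists() and stat.S_IMODE(path.stat().st_mode) & 0o077:
            findings.append("group/other access: " + path.name)
    if mode == "server":
        auth = curve_dir / "authorized_clients"
        if not auth.is_dir():
            findings.append("missing: authorized_clients")
        else:
            # Only clients' public keys belong here; a secret key is a leak.
            for entry in sorted(auth.iterdir()):
                if entry.name.endswith(".key_secret"):
                    findings.append("secret key in authorized_clients: " + entry.name)
    return findings


def build_sample(root, secret_mode=0o600):
    """Constructed sample layout mirroring the server listing on this page."""
    curve = Path(root) / ".curve"
    (curve / "authorized_clients").mkdir(parents=True)
    os.chmod(curve, 0o700)
    for suffix, mode in ((".key", 0o600), (".key_secret", secret_mode)):
        key_file = curve / ("id_server_examplehost_curve" + suffix)
        key_file.write_text("constructed placeholder, not a real key\n")
        os.chmod(key_file, mode)
    return curve


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_curve_dir(build_sample(tmp), "server", "examplehost"))
```

Against a real key directory, call audit_curve_dir(Path.home() / ".curve", "server") and treat any non-empty result as something to fix before starting the server.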