What are some of the suggested ways to share Zrok tokens?

In the private video shared: https://www.youtube.com/watch?v=yfEVnRbbDfE&list=PLMUj_5fklasLuM6XiCNqwAFBuZD1t2lO2&index=10, Ken (apologies if the name is incorrect) demonstrates copying and pasting a token from one terminal to another. However, in a remote-use scenario, what are some recommended methods for transmitting such tokens?


Ken here! It sounds like you are looking for a distributed secrets manager. zrok is built on OpenZiti which is a layer 4 transport. zrok has modes that are specifically for HTTP as well as application-neutral transport, e.g. TCP tunnel.

Are you interested in building something on zrok for your use case? You could certainly build a distributed secrets manager on zrok. The "pastebin" zrok SDK sample is a good place to start.

If you don't plan to build something, but want a quick solution, I'd be happy to outline that with you here too. Would your use case be more fitting for a CLI or API?

Hi Ken, I'm sorry for the late reply. I probably made some wrong assumptions about the circular logic involved, i.e., two peers need to share a secret to connect to each other, but then how does one send that secret to the other? I can't remember which video I was watching either. I'm probably way off the deep end here.

Oh, no problem at all. It sounds like you're describing the classic bootstrapping problem, a.k.a. the bottom turtle problem of cryptographic identity.

Transmitting a secret token, like a zrok access or enablement token, is outside the purview of zrok. Any existing cryptographic identity could be used to secure the token in transit, e.g. a PGP encryption key pair. PGP (e.g., GnuPG) provides mechanisms for asymmetric key pairs where only the public key (which is not a secret) is shared with the sender, and only the private key is able to decrypt the token.

Here's a representative scenario.

Alice has previously verified the key belonging to bob@acme.example.org. Alice reserves a zrok private share, and encrypts the token for Bob's key.

```
zrok reserve private localhost:3000 |& gpg --encrypt --armor --recipient bob@acme.example.org
-----BEGIN PGP MESSAGE-----
[armored ciphertext omitted]
=5CYT
-----END PGP MESSAGE-----
```

The output is ciphertext containing the zrok access token which may be shared on insecure channels because it can only be decrypted by Bob.

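The Alice/Bob scenario above, carried through both sides as an added example (this is not code from the zrok project or from anyone in this thread). It assumes GnuPG 2.1 or newer on PATH, builds two throwaway keyrings so it never touches real keys, keeps Bob's identity `bob@acme.example.org` from the thread, and encrypts a constructed placeholder string in place of a real share token. It shows the step the thread leaves implicit (Bob decrypting) and checks that a party holding only the public key gets nothing from the ciphertext.

```bash
#!/usr/bin/env bash
# Added example: round-trip a share token through GnuPG as in the scenario above.
# Assumes gpg 2.1+ on PATH. Keyrings are temporary and deleted on exit.
set -euo pipefail

BOB_UID="bob@acme.example.org"           # identity used in the thread
TOKEN="constructed-share-token-0123"     # constructed stand-in for what zrok reserve prints

cleanup() {
  # Stop the agents started for the temp homes, then delete the keyrings.
  for home in "${BOB_HOME:-}" "${ALICE_HOME:-}"; do
    [ -d "$home" ] || continue
    GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
  done
}

ensure_keys() {
  # Create Bob's key pair once. Bob's home holds the private key; Alice's home
  # receives only the exported public key, which is all she needs to encrypt.
  [ -n "${BOB_HOME:-}" ] && return 0
  BOB_HOME=$(mktemp -d)
  ALICE_HOME=$(mktemp -d)
  export BOB_HOME ALICE_HOME
  trap cleanup EXIT
  GNUPGHOME="$BOB_HOME" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$BOB_UID" default default never
  GNUPGHOME="$BOB_HOME" gpg --batch --quiet --armor --export "$BOB_UID" \
      | GNUPGHOME="$ALICE_HOME" gpg --batch --quiet --import
}

alice_encrypt() {
  # Alice encrypts the token to Bob's public key. --trust-model always stands in
  # for the out-of-band key verification the thread assumes Alice already did.
  printf '%s\n' "$1" | GNUPGHOME="$ALICE_HOME" gpg --batch --quiet --trust-model always \
      --encrypt --armor --recipient "$BOB_UID"
}

bob_decrypt() {
  # Only Bob's home has the private key, so only this side recovers the token.
  GNUPGHOME="$BOB_HOME" gpg --batch --quiet --decrypt
}

roundtrip_token() {
  # Prints the token exactly as Bob recovers it from Alice's ciphertext.
  ensure_keys
  alice_encrypt "$TOKEN" | bob_decrypt
}

outsider_cannot_decrypt() {
  # Returns 0 if the ciphertext is useless to a party holding only the public key.
  ensure_keys
  if alice_encrypt "$TOKEN" | GNUPGHOME="$ALICE_HOME" gpg --batch --quiet --decrypt >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Stand-alone run: print the message Alice would paste on an insecure channel,
# then what Bob gets back. Bob would then run: zrok access private "$token"
ensure_keys
alice_encrypt "$TOKEN"
printf 'Bob recovered: %s\n' "$(roundtrip_token)"
```

Two practical notes on Ken's one-liner: `|&` is bash syntax that pipes stderr along with stdout into gpg, so every line zrok prints on either stream ends up inside the ciphertext, and Bob extracts the token from the decrypted text himself. In real use `--trust-model always` should be replaced by actually checking Bob's key fingerprint over a channel Alice already trusts; otherwise an attacker who substitutes a key with Bob's e-mail address in the user ID gets the token instead of Bob.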