Forward Warning: I take it for granted that the nats-server does indeed support having different clients connect to it using their own encryption-decryption schemes/keys. If I'm missing something please feel free to point it out.

Essentially what the subject says. Consider for instance the following two scenarios for nats-based communication:

Scenario#1:

In this scenario I assume that nats-server will decrypt messages published by (P) using decryption scheme (A), examine the subject and forward "foo.bar" messages over to consumer (C) after having re-encrypted these messages using encryption-scheme (B).

Scenario#2:

In this scenario I assume that nats-server would only need to decrypt just the subject of the message published by (P) using decryption scheme (A) and after examining the subject it would forward "foo.bar" messages over to consumer (C) by "copy-pasting" the payload (data) of the message "as-is" since the encryption-decryption mechanism is the exact same. I guess this symmetry in encryption-decryption should lead to a considerable performance boost when the load is high.

Am I right in these assumptions? Or do I miss something? I haven't seen anyone pointing out scenario#2 as a means to boost performance and reduce latency (potentially reducing error rates as well). Thoughts? Insights? Links to relevant documentation?
Replies: 1 comment 1 reply
NATS does not do encrypt/decrypt at the NATS Protocol [1] (Layer 7) level as in your assumption. "On the wire" NATS does fully support TLS with NATS clients [2]. As TLS terminates at a NATS server, in effect, NATS is playing a pattern as in Scenario 1 (i.e. 1..N subscribing NATS Clients have independent TLS connections and keys).
[1] https://docs.nats.io/reference/reference-protocols/nats-protocol#client-protocol
[2] https://docs.nats.io/using-nats/developer/security/tls
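
An added illustration of the reply's point, not code from the thread or from the NATS project: inside each TLS connection the client protocol [1] carries the subject in a plain-text control line and the payload as length-prefixed opaque bytes, so routing a `PUB` frame to a subscriber as a `MSG` frame involves no Layer 7 decrypt/encrypt step. The function names, the sid `1` and the sample payload (standing in for data the publishing application encrypted itself) are constructed for this sketch.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strconv"
)

// parsePub splits a client frame "PUB <subject> [reply-to] <#bytes>\r\n<payload>\r\n".
// Only the control line is interpreted; the payload is sliced out by its declared length.
func parsePub(frame []byte) (subject, reply string, payload []byte, err error) {
	i := bytes.Index(frame, []byte("\r\n"))
	if i < 0 {
		return "", "", nil, errors.New("no control line")
	}
	f := bytes.Fields(frame[:i])
	if len(f) < 3 || len(f) > 4 || string(f[0]) != "PUB" {
		return "", "", nil, errors.New("not a PUB control line")
	}
	if len(f) == 4 {
		reply = string(f[2])
	}
	n, err := strconv.Atoi(string(f[len(f)-1]))
	body := frame[i+2:]
	if err != nil || n < 0 || len(body) != n+2 || !bytes.HasSuffix(body, []byte("\r\n")) {
		return "", "", nil, errors.New("payload length mismatch")
	}
	return string(f[1]), reply, body[:n], nil
}

// toMsg builds "MSG <subject> <sid> [reply-to] <#bytes>\r\n<payload>\r\n", copying the payload as-is.
func toMsg(subject, sid, reply string, payload []byte) []byte {
	head := "MSG " + subject + " " + sid
	if reply != "" {
		head += " " + reply
	}
	head += " " + strconv.Itoa(len(payload)) + "\r\n"
	return append(append([]byte(head), payload...), '\r', '\n')
}

func main() {
	// Constructed payload: arbitrary bytes, including an embedded CR LF and a NUL.
	sealed := []byte{0x8f, 0x0d, 0x0a, 0x00, 0xc3}
	frame := append(append([]byte("PUB foo.bar 5\r\n"), sealed...), '\r', '\n')
	subj, reply, p, err := parsePub(frame)
	fmt.Println(subj, err, bytes.Equal(p, sealed))
	fmt.Printf("%q\n", toMsg(subj, "1", reply, p))
}
```

The embedded CR LF in the sample payload is why the byte count, not a delimiter search, decides where the payload ends.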