display | more...

Man in the middle can also refer to a type of cryptographic attack, not just an ABBA song. The original model used to analyze cryptosystems assumed that an enemy could listen to the ciphertext traffic, and perhaps even interfere with it, but not that messages could be intercepted and completely hidden. Unfortunately, this is in fact the situation in a store-and-forward computer network like the internet. Routing is not secure on the internet, and it is at least conceivable that messages between two people could be routed through connections on the other side of the world. This leads to possibilities that encrypted information could be routed to flow through a particular computer for special processing.

These attacks are mainly applicable to public key systems such as RSA, and focuses on the idea that many people will send their public keys on the network. The bad part of this is a lack of key authentication, because the enemy can send a key just as easily, and pretend to be the other end. Then, if you use that key, then you have secure communication with the enemy, instead of your intended destination. The enemy can receive a message, decipher it, read it, re-encipher it in the correct public key, and send it along. In this way, neither end sees anything wrong, yet your enemy is reading the messages.

Perhaps the worst part of this is that a successful attack does not involve any attack on the actual cipher itself. No need to factor the product of large primes, no ecletic mathematics. This means that all proofs or confidence in the security of particular ciphering mechanisms is totally irrelevant to the security of a system which is vulnerable to man in the middle attacks.

The way to avoid man in the middle attacks is to certify public keys, but this is inconvenient and time-consuming. Unless the cipher requires keys to be certified, this is rarely done. The worst part of this is that a successful attack consumes few resources, and does not need any particular vulnerability in the cipher itself.

It is interesting to note that, regardless of how inconvenient it may be to share keys for a secret-key cipher, this is an inherent authentication which prevents man in the middle attacks.

Log in or register to write something here or to contact authors.