Man-In-The-Middle Attack

See also: Attack | Fingerprint | Cryptography/Attacks

Acronym: Man-In-The-Midle or Man-In-The-Midle Attack

A type of attack upon Cryptography that can happen when two users are communicating remotely exchange public keys to begin secure communications. If both keys are intercepted en route by someone, he can act as a conduit and send on the messages but with his own faked public keys. Then, communications are eavesdropped on by a third party.

With e-mail, this can be a difficult process since public keys often contain the user’s address and intercepting two email addresses en route and preventing them from sending is difficult, time consuming, and requires a dedicated organization with high resources. Compromising the e-mail server is easier, at the server where mail is sent and received. During a temporary prevented send, the man-in-the-middle uses his own public keys and passes on the information. Neither party is any the wiser that someone is listening on their conversation.

So if the two sources were called Person One and Person Two, a normal connection would work like this:

Person One <–> Public Key Exchange <–> Person Two

The eavesdropped communication:

Person One <–> Public Key Exchange <–> Man-In-Middle <–> Public Key Exchange <–> Person Two

Contents

Defeating MITM Attacks

Public Key’s Fingerprint

Users can check that the public key they are getting is the correct one by checking the Fingerprint. This fingerprint is a hash of a given public key and should be distributed by different means than the public key was exchanged (such as a public forum or separate Web server).

Fingerprint Example:

B186 3E69 36CD 4174 6B7D 3740 1A16 3404 027B 025F

Fingerprints are used because they are much smaller than an entire public key and therefore easier to discern if correct. Some are expressed in numbers and letters (such as above) or a series of words. See fingerprint for more information.

Often, people exchange e-mail with their Fingerprint placed in the signature.

Certificate Authority (CA) or Public Key Server

Checking a separate, independent online database that specializes in making sure public keys are verified and correct, a Certificate Authority or Public Key Server allow users to be sure, when they download a public key, its legitimate.

Example of a MITM Warning

The following is a direct screen-copy from a local Linux SSH program connecting to a server when that server was reloaded after a system failure. The error appeared because the machine had a newly generated key but stayed on the same domain (slowmo.com inserted):

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@WARNING: HOST IDENTIFICATION HAS CHANGED!@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!Someone could be eavesdropping on you right now (man-in-the-middle attack)!It is also possible that the host key has just been changed.Please contact your system administrator.Add correct host key to “/home/slowmo/.ssh2/hostkeys/key-22-slowmo.com.pub”to get rid of this message.Received server key’s fingerprint:xetar-dibup-lizav-gulaz-fosud-lekuf-patir-zypem-fyzed-seled-hoxexYou can get a public key’s fingerprint by running% ssh-keygen -F publickey.pubon the keyfile.Agent forwarding is disabled to avoid attacks by corrupted servers.X11 forwarding is disabled to avoid attacks by corrupted servers.Are you sure you want to continue connecting (yes/no)?

Users who receive this message while connecting via SSH should notify their administrator. Admins should check that their systems have not been compromised, or hacked.

Related:

TakeDown.NET -> “Man-In-The-Middle-Attack