Re: Need some education: Man-in-the-Middle Attacks



On 8/29/06, Christ, Bryan wrote:
All,

Please pardon my naivete.

I was looking at the diagram on the URL listed below and contemplating
how host fingerprinting prevents MITM attacks.

http://www.vandyke.com/solutions/ssh_overview/ssh_overview_threats.html

So my question is this... Given the illustration in the URL above, what
prevents Eve from *first* contacting Alice to obtain a fingerprint which
then gets passed to Bob on the first connection attempt?


The server passes the client its public key; the client generates a
fingerprint of this public key, and verifies that it matches a known
one from previous connections.

Eve can pass Alice's public key to Bob, but she doesn't possess
Alice's private key, so she has no way to interfere further with the
communications (beyond tampering at a network level - introducing
delay, dropping the connection, etc.)

Only if Eve gets in the way of the very first connection attempt, can
she pass her own public key off as Alice's, without Bob detecting it.
On the first connection, he'd have to either trust what he sees, or
verify the fingerprint offline somehow. On subsequent connections,
the mismatch would be obvious.



Relevant Pages

  • RE: Need some education: Man-in-the-Middle Attacks
    ... the public key being presented is the same as Alice's public key. ... way to do this is usually an out-of-band exchange where Bob calls Alice ... matches the fingerprint of the key he's being presented. ... "Only if Eve gets in the way of the very first connection attempt, ...
    (SSH)
  • Re: Need some education: Man-in-the-Middle Attacks
    ... That is why CAs (certification authorities) exists! ... fingerprint of this public key, and verifies that it matches a known ... Only if Eve gets in the way of the very first connection attempt, ...
    (SSH)
  • Re: Encryption question
    ... The idea behind it is that Alice will give Bob her public key in one method. ... She will then look at the fingerprint of the key, ...
    (Security-Basics)
  • Re: Need some education: Man-in-the-Middle Attacks
    ... Eve could pass on the fingerprint, but she would not have the private key, so data encrypted using the public key associated with that fingerprint could not be decrypted by Eve. ... then gets passed to Bob on the first connection attempt? ...
    (SSH)
  • Re: missing keys on yum update -- evolution-data-server
    ... after some indirect searching and checked that the fingerprint and random pieces of the encoded key match. ... I had to drag my Mac Mini over next to the AMD box so I could look at the ID and the public key referenced and then look them up to check that I was letting the installer add a valid key. ... It then used the key to verify that the downloaded evolution-data-server package was intact and actually an official Fedora package. ...
    (Fedora)