Re: Need some education: Man-in-the-Middle Attacks



As far as I know, the fingerprint is based on the public key (or is the key? someone who knows more than I might want to clarify this) of the SSH server. Eve could pass on the fingerprint, but she would not have the private key, so data encrypted using the public key associated with that fingerprint could not be decrypted by Eve. Of course, nothing stops Eve from presenting her own key and hoping that the user doesn't check the fingerprints.

On Aug 29, 2006, at 3:35 PM, Christ, Bryan wrote:

All,

Please pardon my naivete.

I was looking at the diagram on the URL listed below and contemplating
how host fingerprinting prevents MITM attacks.

http://www.vandyke.com/solutions/ssh_overview/ssh_overview_threats.html

So my question is this... Given the illustration in the URL above, what
prevents Eve from *first* contacting Alice to obtain a fingerprint which
then gets passed to Bob on the first connection attempt?
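
An added illustration, not part of either message above: in OpenSSH a host key fingerprint is a hash of the server's public key blob, so a relayed copy of Alice's public key yields Alice's fingerprint while a different key yields a different one. The key bytes below are constructed sample values, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def make_pubkey_line(key_bytes: bytes, comment: str) -> str:
    """Build an ssh-ed25519 public key line from CONSTRUCTED key bytes."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(key_bytes)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_blob(line: str) -> bytes:
    """Return the raw key blob; reject a line whose label disagrees with it."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type label does not match key blob")
    return blob


def fingerprint_sha256(line: str) -> str:
    """Current OpenSSH style: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(parse_blob(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(line: str) -> str:
    """Older colon-separated hex style: MD5 over the same blob."""
    hexd = hashlib.md5(parse_blob(line), usedforsecurity=False).hexdigest()
    return ":".join(hexd[i:i + 2] for i in range(0, 32, 2))


def matches_pinned(line: str, pinned: str) -> bool:
    """Compare a presented key against a fingerprint obtained out of band."""
    return hmac.compare_digest(fingerprint_sha256(line), pinned)


# Constructed sample keys: Alice's server key and a different key Eve presents.
ALICE = make_pubkey_line(bytes(range(32)), "alice-server")
EVE = make_pubkey_line(bytes(range(32, 64)), "eve")
PINNED = fingerprint_sha256(ALICE)  # what Bob learned from Alice out of band
```

The comment field is not part of the hashed blob, so only the key material determines the fingerprint.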




