Re: Need some education: Man-in-the-Middle Attacks

I think that the vulnerability which you pointed out is:

(1) Usually Client(Bob) can check whether he is really connected
to the Server(Alice) by checking the Server's host key with
the data which Bob has in the known_host directory. But in
the very first connection to the Server, the host key is not
installed yet. So in this occation Eve might BE ABLE to
IMPERSONATE Alice by sending Eve's host key.

(2) If Eve pretends Alice Server, Bob would send his authentication
information, which Eve receives and later she might use to login
to Alice with Bob's account. Or Eve might forward the
authentication information to Alice and send Eve's session key
to both Bob and Alice.

(1)'This MitM can be detected(avoided) in following ways:
(a) System Administrator tells the fingerprint of Alice's host
key to Bob (either offline or through another trusted channel)
and asks him to check the fingerprint shown on the console
together with the initial alert message. -It is virtually
impossible to forge a public-private key pair with the SAME
fingerprint as Alice's pubkey.
(b) Bob's terminal be configured to reject all unknown hosts
("StricHostKeyChecking Yes"in the OpenSSH) and Alice's host key
is supplied & installed offline.
However, (b) is rather burdensome and there are always sufficient number
of careless users, who overlook the fingerprint mismatch. Therefore
there is a chance for Eve to succeed in this attack.

(2)'If Eve succeeds in pretending Alice's node, Bob's account is
stolen and the session is open to eavesdrop -as long as PASSWORD
authentication is used in version 1. Therefore SSH(version 1)
using password authentication is by NO MEANS secure shell.
I have demonstrated this kind of MitM attack in a lecture.
However, authentication using either RSA or DSA can avoid stealing
the authentication information, because the authentication
information(secret key) is not sent to the Server.
It might be possible to just forward the authentication information
to Alice and send Eve's session key to A & B, to make the session
decryptable for EVE. But it is detected during the user

Therefore there are still a number of obstacles to Eve's perfect crime,
as long as RSA/DSA authentication is used. If password authentication is
unavoidable, at least protocol 1 be disabled. It is because most
(every?) MitM tools request protocol version 1 in establishing the
session. I am not sure whether protocol 2 detects that the
authentication process is eavesdropped.


Masahito Gotaishi, Researcher
R & D Initiative, Chuo University
1-13-27 Kasuga, Bunkyo, Japan, 112-8551
DDI:03-3817-1621, FAX:03-3817-1606

Relevant Pages

  • Re: effciency of hash-based authentication
    ... I have a question to ask; Is the efficiency low of a authentication ... The scheme can be described as follow, ... Alice sends a random number s to Bob ... On receiving the reply, Alice checks every element of her UID list, ...
  • Re: Logon documentation
    ... A single-domain logon occurs when the following takes place: ... where Alice's account has been defined (this is a local logon). ... The client software acting on behalf of Alice tries to locate a KDC ... Once the DC is found, Alice sends a Kerberos authentication request to ...
  • Re: quizz
    ... Alice>> Bob: ... A private key is a publically available key as long as the Alice ... Assume the first message is a prior authentication message. ... Alice can infer the channel key for the returned reply. ...
  • Re: pscp (Putty) batch-mode not authenticating
    ... but not for normal (host key already in cache) situation. ... It will give me authentication error! ... interactive response from the user, and it was unable to do so. ...
  • Re: Logon documentation
    ... Alice is logging on from a machine that is a member of the domain ... > where Alice's account has been defined (this is a local logon). ... Alice sends a Kerberos authentication request ... This request authenticates Alice to the DC and contains a TGT ...