Question

If we consider a man-in-the-middle attack: can such an attack occur if symmetric keys are used?

Solution

Sure. All you need to do is intercept the key exchange. Then you can pass on your own (fake) key to the other end. You intercept the messages using the key you obtained fraudulently and re-encrypt with your fake key and pass on to the other end.

OTHER TIPS

The trick is to agree on the symmetric key in the first place. Man-in-the-middle attacks usually occur during the key exchange phase (making you agree on the key with the middle-man instead of your real partner).

So what usually happens (in web browsers' SSL sessions) is that you use asymmetric cryptography to exchange the symmetric key. However, that depends on your partner's public key really belonging to who you think it does. Usually, you take Verisign's (or some other CA's) word for that.

At some point, a secure and authenticated key exchange has to have taken place.

Since the MIM attack can happen during the key exchange, you could do what SSL/TLS does.

SSL/TLS uses RSA in the key exchange, so that the exchange of the symmetric key is [heavily] protected with RSA.

The above answers are correct, of course, but you should note that there are several efficient, cryptographically secure methods for securely exchanging keys. I think the one wow uses is SRP6.

Yup. Even if you use a symmetric key, you have to use authentication/integrity checks. Using symmetric key encryption without authentication/integrity checks makes you susceptible to various forms of replay attacks or substitution attacks. An attacker can modify your ciphertexts and may even know what the effects of his changes are.
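
The point in the last answer, as an added example that is not part of the original answers: a ciphertext changed in transit decrypts without error when there is no integrity check, while an encrypt-then-MAC receiver rejects it. The HMAC-based keystream is a stand-in stream cipher chosen so the example runs on the standard library alone; the function names and the sample message are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in stream cipher for this example: HMAC-SHA256 in counter mode."""
    blocks = range((n + 31) // 32)
    return b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest() for i in blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) with no integrity protection."""
    return xor(data, keystream(key, nonce, len(data)))

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    nonce = os.urandom(16)
    body = nonce + crypt(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything modified in transit."""
    if len(blob) < 48:
        raise ValueError("message too short")
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return crypt(enc_key, body[:16], body[16:])

def modify_in_transit(data: bytes, offset: int, delta: bytes) -> bytes:
    """Models a change made on the wire: XOR `delta` into `data` at `offset`."""
    return data[:offset] + xor(data[offset:offset + len(delta)], delta) + data[offset + len(delta):]

def demo():
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    msg = b"amount=0100;to=alice"      # constructed sample message
    delta = xor(b"0100", b"9100")      # difference between sent and received digits
    unauth = crypt(enc_key, nonce, modify_in_transit(crypt(enc_key, nonce, msg), 7, delta))
    blob = seal(enc_key, mac_key, msg)  # same change below, shifted past the 16-byte nonce
    try:
        open_sealed(enc_key, mac_key, modify_in_transit(blob, 16 + 7, delta))
        detected = False
    except ValueError:
        detected = True
    return unauth, detected, open_sealed(enc_key, mac_key, blob)

if __name__ == "__main__":
    print(demo())
```

The MAC covers the nonce as well as the ciphertext, and the two keys are independent; replay protection would additionally need a counter or nonce tracking on the receiving side.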

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow