Talk:Man-in-the-middle attack


WikiProject on Cryptography This article is part of WikiProject Cryptography, an attempt to build a comprehensive and detailed guide to cryptography in the Wikipedia. If you would like to participate, you can choose to edit the article attached to this page, or visit the project page, where you can join the project and see a list of open tasks.


thanks

Interesting... your explanation and examples have made me understand man-in-the-middle attacks in a public key system.

public key is?

It won't be clear until I know what a public-key is. Kingturtle 02:42 Apr 16, 2003 (UTC)

general attack?

I answered my own question by wikifying public key. It seems to me that there are many instances in the natural world in which this strategy works. Don't some viruses operate this way? Or some insects or fish? Kingturtle 02:45 Apr 16, 2003 (UTC)

terminology not gender matched

Should this term be renamed to "Person in the middle attack"? heh heh. I mean either that, or "Edith" should be "Edward". =)

more on terminology

The author uses non-canonical imaginary characters in the discussion. See characters in cryptography. Should we change Adam, Betsy, Edith etc to Alice Bob Eve and Mallory? This is something which fails to rise, I suggest, even to the status of a storm in a teacup. I have installed a link, though. ww 18:17, 3 Jun 2004 (UTC)

It was ignorance on my part. Feel free to make the change, if your teacup is quivering too much. Graft 01:53, 4 Jun 2004 (UTC)
Graft, The reference to teapot tempest was by contrast to cy v ci spelling issues. See under discussions at WikiProject Cryptography for surfing advice. Perhaps you'd like to chyme in? ww 14:00, 22 Jul 2004 (UTC)

reversion of spellyng correction

The list of WP correct spellings includes all of those 'corrected' during this edit. Please see the link immediately above for the teapot tempest in re this question. ww 13:59, 22 Jul 2004 (UTC)

alice

On the first page it says Alice must ask Bob for his public key, so first of all, what is the public key, and what if he doesn't want to give it?

fr:Cryptographie ? — Matt 22:55, 1 Sep 2004 (UTC)

Eve

It occurs to me that Eve should be Mallory. Yes? Graft 04:03, 9 Sep 2004 (UTC)

Yep, I've changed it. — Matt 17:12, 9 Sep 2004 (UTC)
64.190.67.147 changed it back to Eve, without explaining why (the comment identifies the section and nothing more), so I've reverted the change. - DPJ, 2006-01-18 22:51 UTC
For some reason it has been changed to Charles, so I changed it to Mallory. --Phantom784 16:54, 18 July 2006 (UTC)

Impossibility of fixing this problem

I think it should be mentioned that this problem is theoretically (but not practically) impossible to fix. Any mechanism to avoid this problem is itself a key exchange that can be attacked with MITM. -- Myria 16:48, 21 Sep 2004 (UTC)

Does anyone have a reference explaining why this is so? Thanks! Ehn 23:25, 23 January 2006 (UTC)
It is not obvious to me whether or not MITM is impossible to detect/avoid. Why do you think it is impossible to fix? The interlock Protocol was designed to stop MITM attacks, but apparently it is possible for some MITM attacks to succeed against it. Do you have some reason for thinking we'll never discover a better algorithm than the interlock protocol? If you have some alternative to the interlock protocol that works better against MITM attacks, I would really, really like to see that. So far, the best protocol I've seen is the "Merkle protocol" -- distribute your public key across many different media (newspaper, TV, radio, various web pages, etc), in hopes that Mallory won't be able to insert himself in *all* of them, and misses at least one. --68.0.120.35 23:22, 30 November 2006 (UTC)
The real problem is that to secure against MITM you need strong authentication, and for that authentication to work you need some sort of out of band communication of credentials that you can trust; likewise you could both share credentials of a trusted third party that can vouch for you (that's how PKI is supposed to work), but at some point you have to have a secure out of band communication of credentials or you can't trust the authentication (thus you can't trust MITM protection)...to explain further, without any out of band communication you are, in effect, trying to authenticate someone you don't know, at best you can authenticate that they are the same people you spoke with last time (this is what ssh does) and that is often adequate for most users but it is not the same... --Michael Lynn 09:33, 4 April 2007 (UTC)

The initial secure channel dispute

I disagree with your (David Jablon's) edits on the MITM page. You make it sound as if public key encryption can be secure in an environment where an attacker can perform widespread tampering ('either eavesdropping or tampering or both').

I was trying to point out that if you fear a MITM attack (as the designers of SSL/TLS did) you need a physically secure channel for the initial exchange. After Jablon's edits, that point was lost. -- Nroets 10:27, 12 July 2005 (UTC)

I tried to address some of your concerns on my talk page. (These concerns and follow-up discussion are now copied here.) "A physically secure channel for an initial exchange" is just one way to prevent MITM attack, so it is incorrect to say that "you need" it.
"Public key encryption" refers to a fairly narrow subcategory of "public key cryptography", with the latter term embracing a wide variety of tricks. Many different methods use public key cryptography in very different ways to create secure channels in environments where an enemy has full control over the communication channel, given some pretty-well-defined meanings of the word "secure".
In my edits I was trying to show some of the variety of ways that is done. Some use an *initial* (prior) secure channel, as you suggested, but others use a secure channel established after the fact. And "secure" doesn't necessarily imply "private". And some work with keys, others with passwords, etc. Some are two-party, others three or more. Etc.
In any case, I don't see how any points in your edits were lost. Both versions still have a clear reference to the need for a separate "secure" channel. And I don't see how either your text or mine limited "secure" to meaning "physically secure".
Furthermore, I don't see how your text implied that "public key {encryption|cryptography} cannot be secure in an environment where an attacker can perform widespread tampering". If that's what you intended to say, I cannot agree with that remark without further explanation.
That said, I agree that discussing the concept of physical vs. cryptographic security could help to clarify things. If you want to take a pass at fixing it to restore or expand on your viewpoint, feel free to do it on the page or in private email to me. -- David Jablon 10:57, 21 July 2005 (UTC)
Ok, I should not have used the word "physical" (on this page). And I'm not saying my version of the MITM page was faultless.
But people read long Wikipedia articles very fast and they often have very little background. So when you close the 'need for authentication' paragraph with something about public key cryptography, they assume it can solve the problem.
The first sentence (All cryptographic systems ... require an additional exchange ... of some kind of authentication information ...) only applies to public key cryptographic systems. The same goes of the title of the paragraph. I've indicated on the MITM talk page that I feel the page should also be kept applicable to secret key systems.
You were hinting that there are useful (real world) systems where the secure exchange (transmission) need not be in the beginning (initial). If so, can you give an example? If not, can we use the word 'initial' in the paragraph? -- Nic Roets 11:34, 22 July 2005 (UTC)
First, public key techniques can be used to solve the problem, and so can symmetric techniques. I think the text says this. But, in at least an historical sense, MITM attack is created by a mis-application or misunderstanding of public key cryptography, so I think it makes sense to highlight such issues.
Regarding the sentence ("All cryptographic systems ..."), I think it clearly applies to both symmetric and asymmetric systems. Regarding real world systems, useful or otherwise, I really wasn't trying to hint anything one way or another. I was correcting an error of fact. Diffie-Hellman, and many other public key systems (e.g. PGP, SSH) may be used in an effectively anonymous manner, where at a subsequent time the parties securely verify, preferably out-of-band, the values of a shared DH key, or exchanged public keys, to retroactively prove that no MITM was ever present. -- David Jablon 10:59, 22 July 2005 (EDT)
Well for symmetric systems authentication is only half the story. Now we have clarity, I'll fix the page. -- Nic Roets 16:25, 22 July 2005 (UTC)
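
The after-the-fact verification discussed in this thread (an anonymous Diffie-Hellman exchange, followed later by an out-of-band comparison of the shared key) can be shown as an added example; it is not part of any participant's comment or of the article. The group parameters `P` and `G` are toy values chosen for illustration, all function names are hypothetical, and the comparison step assumes the fingerprints travel over a channel the party in the middle cannot alter.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption): the Mersenne prime 2**127 - 1
# is far too small for real use; real deployments use standardized groups.
P = 2**127 - 1
G = 3


def keypair():
    """Return (private exponent, public value) for one DH participant."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Derive the session key from our private exponent and the value we received."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def fingerprint(key):
    """Short value the two parties read to each other over a separate channel."""
    return hashlib.sha256(b"fingerprint" + key).hexdigest()[:16]


def run_exchange(tampered):
    """Run one anonymous DH exchange and return (alice_fp, bob_fp)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if tampered:
        # A party in the middle replaces both public values in transit
        # with one whose private exponent it holds.
        _m_priv, m_pub = keypair()
        seen_by_bob, seen_by_alice = m_pub, m_pub
    else:
        seen_by_bob, seen_by_alice = a_pub, b_pub
    alice_key = shared_key(a_priv, seen_by_alice)
    bob_key = shared_key(b_priv, seen_by_bob)
    return fingerprint(alice_key), fingerprint(bob_key)


def verify_out_of_band(alice_fp, bob_fp):
    """True only if both ends derived the same key, i.e. no substitution occurred."""
    return secrets.compare_digest(alice_fp, bob_fp)


if __name__ == "__main__":
    for tampered in (False, True):
        fa, fb = run_exchange(tampered)
        status = "match" if verify_out_of_band(fa, fb) else "MISMATCH"
        print(f"tampered={tampered}: alice={fa} bob={fb} -> {status}")
```

When the public values were substituted, Alice and Bob each share a key with the interceptor rather than with each other, so their fingerprints differ and the later comparison exposes the substitution.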

Interlock Protocol

As I explained to Shellreef, the interlock protocol also requires an initial transfer over a secure channel. -- Nic Roets 18:48, 27 July 2005 (UTC)

Not necessarily -- Jeff Connelly 03:18, 6 August 2005 (UTC)

Newbee

Would you class a session ID within ASP as a public key? Why not use HTTPS by default? Any ideas would be much appreciated.

tnx C

I'm afraid I'm not quite sure what you're asking here. You might want to post a question to Wikipedia:Reference desk, as this page is for discussion about improving the associated encyclopedia article, "Man in the middle attack". Thanks. — Matt Crypto 23:32, 20 Dec 2004 (UTC)

Where's Alice's key pair?

Public key is supposed to provide two assurances: that the apparent sender is really the sender and that no intermediate party can read an encrypted message. Considering only the first one, if Alice signs her messages to Bob, how can Mallory undetectably doctor it? Does Mallory have access to Alice's private key so that she can convincingly sign the modified message, or has Mallory managed to dupe Bob with an incorrect public key for Alice?

-- Ventura 20:25, 2004 Dec 31 (UTC)

The same vulnerability is inherent in signing. Alice sends her public key to Bob, but it is intercepted and replaced by a false one with Mallory. Whenever Bob receives messages from "Alice", he will check the signature with this fake key, for which Mallory has the corresponding private key. Thus, signature is no bar to forged messages, if you cannot be sure who the owner of a public key is. Graft 20:39, 31 Dec 2004 (UTC)

Why focus on public key issues ?

IMHO the article should start by identifying all the attacks a good system should defend against, and then say how such a system could work :

  • Impersonation (highlighting the need for a reliable way to distribute root certificates or secret keys)
  • Eavesdropping
  • Modification of messages for which the attacker can guess the plaintext.
  • Replaying of messages.
  • Synchronization of clocks, or some other technique to prevent the attacker from delaying selected messages.
  • The attacker is able to 'simulate' communications breakdowns. So a well designed system should not assume anything from the absence of messages from the other side.

The current article focuses on a public key system, but non-public key systems exist fighting all the issues I mentioned. Nroets 21:20, 16 Jun 2005 (UTC)

I agree that symmetric systems can and should be stated as being able to solve the problem. However, MITM is historically related to mis-understanding or mis-application of public key cryptography, and I think it is important for the MITM page to discuss how this is a preventable problem in public key systems. --David Jablon 11:21, 22 July 2005 (EDT)
This article isn't about cryptographic attacks in general - it's about the MITM attack. It should discuss what weaknesses that particular attack exploits, perhaps, but a general description is probably outside the scope of this article. Graft 06:03, 23 July 2005 (UTC)
Having only just noticed this comment by Nroets, I'll reply some months after it was made. Perhaps someone doing some archaeological digging will benefit.
Cryptographic system design is unique (to my knowledge anyway) amongst all engineering design disciplines in being unable to assume the operating conditions (eg, Mallory's knowledge, resources, abilities) are constant (see cryptographic engineering). So the suggestion that a WP article (not this one as Graft noted above) should list the attacks to be resisted is a bit fanciful, and applies not at all to the real world problems of crypto system design. Mallory may figure out something new tomorrow... And you can't expect to know anything about it today, and may not even know the day after tomorrow, as Mallory will not be doing much talking about things. Cf, US break into Purple during WWII. Only from Congressional hearings after the War did the Japanese learn that traffic had been (and was being) read. They promptly changed away from Purple. ww 18:13, 18 February 2006 (UTC)

So which article *is* appropriate for listing (known) kinds of cryptographic attacks in general? I agree that "man-in-the-middle attack" is not the right article, but that sort of information is encyclopedic enough to go in at least one article, right? I agree that it is (theoretically) not possible to know all possible attacks -- just as it is not possible to know the complete List of Presidents of the United States from 1789 to 2099. However, I think we should still list all the ones we know about. It should be possible to *classify* all possible attacks, known and unknown, by listing what we *want* a cryptosystem to do -- any successful attack must cause a cryptosystem to fail in at least one of those ways. --68.0.120.35 23:22, 30 November 2006 (UTC)

How is this possible in IP?

What mechanism could be used on the Internet to intercept messages? Wouldn't you have to have direct access to routers? And don't only ISPs and the government generally have that? If you're worried about one of those snooping, I can understand, but how could some random Joe hacker pick up your message? —Simetrical (talk • contribs) 00:45, 30 December 2005 (UTC)

You're assuming all routers are secure. Try [1] on for size. Also, I don't see why, in this day and age, one shouldn't be worried about governments and ISPs snooping and consider this a significant cause for more concern than "random Joe hacker". Graft 19:50, 30 December 2005 (UTC)
I can speak to this, I'm Michael Lynn, read that link if you need to know why; there are a number of ways you can get MITM, first is to get it at layer 1, an example of this was my work on AirJack on 802.11, another is ARP poisoning, then we move on to other issues, like hacking routers, remember it's not always about hacking the router that is already between you, if I take control of the right router I can change my advertisements to make my route more favorable for dynamic routing schemes, likewise I can DoS attack other routers you're using to increase the chance that you route through me, that's all very doable --Michael Lynn 09:25, 4 April 2007 (UTC)

I don't see any obvious link to the promised part two. What exactly could you do with a router? Tell it to forward all packets going to a specific IP address or something? Okay, I can see where you might want to secure your passwords and whatnot. But how common are such attacks? The only hacking attacks I generally hear about tend to be basic virus spreading and stuff like that, things infecting clients and occasionally servers (then generally by means of clients). Even if it's possible to hack routers, surely personal computers are much easier targets; how many people bother hacking routers?

As for the government and ISPs snooping, those fall into something of a different category. I don't have any reason to care if the government or my ISP has the administrator password to some computer-game forum I run or something, since the one could do a lot more than screw with my bulletin board and the other won't do anything for fear of lawsuits. Although some might be unhappy with programs like ECHELON, you have to admit that for an average person, the hacker out to steal your credit card number is a much more immediate threat. —Simetrical (talk • contribs) 11:23, 3 January 2006 (UTC)

I can speak to this as well, I've hacked routers, big ones and small ones (in my lab of course), if I take control of the router I can tunnel all traffic for your host (or a collection of hosts) back to another machine where I filter, change, and/or block any content there, I can also do this all local on the router itself with no need to do the forwarding game. Once I've done that I can play lots of games, I can pretend to be your bank, etc...but perhaps the worst thing I can do is to break any weakly authenticated encryption you're using, a tool that came with something I used to maintain called AirJack (the tool was KrackerJack) did this very thing to break a weakly authenticated (read as password authentication) IPSEC tunnel over 802.11, so yes the threats are very real if you have something an attacker wants (on the other hand, you probably don't)... --Michael Lynn 09:25, 4 April 2007 (UTC)
I fail to see your point. There are people who want secure communications. Other people want to break those communications. Secure cryptographic protocols are one important way to avoid that. Consider competing governments, e.g. the USSR and the US back in the day. The Soviet ambassador wants to send a secure communication to Moscow. The NSA wants to intercept it via MITM. Simple enough? Just because it doesn't apply to YOU does not mean it's not an important cryptographic problem. Why does this have to be relevant to the "average person"? Graft 17:53, 3 January 2006 (UTC)

I wasn't suggesting it had to be. I was just asking if it was, for personal reference (and maybe to add to the article). I see people worried about SSL, etc., and wonder whether it's really that important. —Simetrical (talk • contribs) 09:26, 4 January 2006 (UTC)

S, I'm afraid you're committing a common, and classic, error in security / crypto analysis. This is not, in real respects, a ranking of threat problem, but an identification of any threat problem. For, you see, the problem isn't which attack Mallory is likely to undertake against you (or whether he will find you worthy of bothering with at all, another even more common classic evaluation error) but that you can't know beforehand (and often afterhand either) what Mallory will do (or is even likely to do). In such a condition of ignorance, one must merely observe that, if an attack exists, Mallory might use it. And for your purposes, you'd best assume he will use it.
I think it was Anderson in Security Engineering (or maybe Schneier in Crypto-Gram) who noted that protecting a house against a break-in usually involves good doors (maybe steel even), door locks, deep screws and maybe metal shields on the strike plates, perhaps reinforced windows and window opening mechanisms, alarms, glass breakage sensors, infrared beams, ... But, against thieves with a little more imagination than the usual run (ie, with chainsaws) none of this is very effective however well (and expensively) done. They'll just go straight through the walls. Those with a little more cash on hand might use a recipro saw (the big straight in things, not a little jig saw type) and leave a little less mess. But most of those require wall current which might not be available if it were dead to kill the alarm system. Gas powered chain saws are independent of all that. Leave a bigger mess, but unless you're Bernie Rhodenbarr who specialized in surreptuity, this doesn't mean much. You won't have to clean up the mess, so ...? ww 18:29, 18 February 2006 (UTC)

Spelling of article title wrt hyphens

Shouldn't this article be renamed "man-in-the-middle attack"? Ehn 23:26, 23 January 2006 (UTC)

Yeah, I think so. I'd be bold, but the target page has been edited, so it needs to be deleted to make room for this. I've listed it for speedy deletion. —Simetrical (talk • contribs) 06:44, 24 January 2006 (UTC)
OK, I've moved the article and fixed all redirects, as well as the spelling in the article text. Ehn 15:05, 24 January 2006 (UTC)

TV show Malcolm in the middle

The TV show "Malcolm in the middle" article does not mention the MITM acronym. —The preceding unsigned comment was added by Touisiau (talk • contribs) 09:02, 4 April 2007 (UTC).