Talk:Man in the middle attack
thanks
Interesting... your explanation and examples have made me understand man in the middle attacks in a public key system.
public key is?
It won't be clear until I know what a public-key is. Kingturtle 02:42 Apr 16, 2003 (UTC)
general attack?
I answered my own question by wikifying public key. It seems to me that there are many instances in the natural world in which this strategy works. Don't some viruses operate this way? Or some insects or fish? Kingturtle 02:45 Apr 16, 2003 (UTC)
terminology not gender matched
Should this term be renamed to "Person in the middle attack"? heh heh. I mean either that, or "Edith" should be "Edward". =)
more on terminology
The author uses non-canonical imaginary characters in the discussion. See characters in cryptography. Should we change Adam, Betsy, Edith etc. to Alice, Bob, Eve and Mallory? This is something which fails to rise, I suggest, even to the status of a storm in a teacup. I have installed a link, though. ww 18:17, 3 Jun 2004 (UTC)
- It was ignorance on my part. Feel free to make the change, if your teacup is quivering too much. Graft 01:53, 4 Jun 2004 (UTC)
- Graft, The reference to teapot tempest was by contrast to cy v ci spelling issues. See under discussions at WikiProject Cryptography for surfing advice. Perhaps you'd like to chyme in? ww 14:00, 22 Jul 2004 (UTC)
reversion of spellyng correction
The list of WP correct spellings includes all of those 'corrected' during this edit. Please see the link immediately above for the teapot tempest in re this question. ww 13:59, 22 Jul 2004 (UTC)
alice
On the first page it says Alice must ask Bob for his public key, so first of all, what is a public key, and what if he doesn't want to give it?
- fr:Cryptographie ? — Matt 22:55, 1 Sep 2004 (UTC)
Eve
It occurs to me that Eve should be Mallory. Yes? Graft 04:03, 9 Sep 2004 (UTC)
- Yep, I've changed it. — Matt 17:12, 9 Sep 2004 (UTC)
Impossibility of fixing this problem
I think it should be mentioned that this problem is theoretically (but not practically) impossible to fix. Any mechanism to avoid this problem is itself a key exchange that can be attacked with MITM. -- Myria 16:48, 21 Sep 2004 (UTC)
Newbie
Would you class a session ID within ASP as a public key? Why not use HTTPS by default? Any ideas would be much appreciated.
tnx C
- I'm afraid I'm not quite sure what you're asking here. You might want to post a question to Wikipedia:Reference desk, as this page is for discussion about improving the associated encyclopedia article, "Man in the middle attack". Thanks. — Matt Crypto 23:32, 20 Dec 2004 (UTC)
Where's Alice's key pair?
Public key is supposed to provide two assurances: that the apparent sender is really the sender and that no intermediate party can read an encrypted message. Considering only the first one, if Alice signs her messages to Bob, how can Mallory undetectably doctor it? Does Mallory have access to Alice's private key so that she can convincingly sign the modified message, or has Mallory managed to dupe Bob with an incorrect public key for Alice?
-- Ventura 20:25, 2004 Dec 31 (UTC)
- The same vulnerability is inherent in signing. Alice sends her public key to Bob, but it is intercepted and replaced by a false one with Mallory. Whenever Bob receives messages from "Alice", he will check the signature with this fake key, for which Mallory has the corresponding private key. Thus, signature is no bar to forged messages, if you cannot be sure who the owner of a public key is. Graft 20:39, 31 Dec 2004 (UTC)
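The key substitution described in the reply above, as an added example that is not part of the original discussion: toy textbook RSA over fixed small primes shows that Bob's signature check passes for the forged message once the wrong key is filed under Alice's name. The function names, the sample messages and the out-of-band fingerprint comparison are assumptions of this example.

```python
import hashlib

# Toy textbook RSA over fixed Mersenne primes: illustration only, not secure.
def make_key(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, e), (n, d)              # (public key, private key)

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, priv):
    n, d = priv
    return pow(digest(msg, n), d, n)

def verify(msg, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)

def fingerprint(pub):
    # Short hash of the key, compared over a separate trusted channel (assumption).
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()[:16]

def scenario():
    alice_pub, alice_priv = make_key(2**61 - 1, 2**89 - 1)
    mallory_pub, mallory_priv = make_key(2**107 - 1, 2**127 - 1)
    trusted_fp = fingerprint(alice_pub)   # what Alice reads out to Bob in person
    bobs_key_for_alice = mallory_pub      # the key that actually reached Bob
    forged, genuine = b"pay Mallory", b"pay Bob"   # constructed sample messages
    forged_sig = sign(forged, mallory_priv)
    genuine_sig = sign(genuine, alice_priv)
    return {
        # Signature checks only prove possession of the matching private key.
        "forged_accepted": verify(forged, forged_sig, bobs_key_for_alice),
        "genuine_accepted": verify(genuine, genuine_sig, bobs_key_for_alice),
        # With Alice's real key the forgery fails and her own message passes.
        "forged_under_real_key": verify(forged, forged_sig, alice_pub),
        "genuine_under_real_key": verify(genuine, genuine_sig, alice_pub),
        # The out-of-band comparison is what exposes the substitution.
        "fingerprint_matches": fingerprint(bobs_key_for_alice) == trusted_fp,
    }

if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Alice's genuine message is rejected under the substituted key, so a sudden run of failed verifications on real traffic is itself a sign that the stored key is wrong.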
Why focus on public key issues?
IMHO the article should start by identifying all the attacks a good system should defend against, and then say how such a system could work:
- Impersonation (highlighting the need for a reliable way to distribute root certificates or secret keys)
- Eavesdropping
- Modification of messages for which the attacker can guess the plaintext.
- Replaying of messages.
- Synchronization of clocks, or some other technique to prevent the attacker from delaying selected messages.
- The attacker is able to 'simulate' communications breakdowns. So a well designed system should not assume anything from the absence of messages from the other side.
The current article focuses on a public key system, but non-public key systems exist fighting all the issues I mentioned. Nroets 21:20, 16 Jun 2005 (UTC)