Score:0

Can you use MITM to hijack a public key meant for key based signing?

Tom

After reading "Verify the identity of sender", which was part of an answer on StackOverflow, I was wondering if the following is possible:

Based on part II, if I am sitting between Alice and Bob:

  • Can I not wait for Alice to send her public key to Bob?
  • I block this key and discard it, and send my own public key instead.
  • Bob then thinks this public key is from Alice.
  • I send any message I want now, signed with my own private key.
  • Bob 'verifies' these messages with my public key, and thinks all of these messages are from Alice.

Is this scenario possible?

Score:0

Yes, this is a standard MITM attack. This is why we typically use some sort of out-of-band method for verifying public keys. For example, in OpenPGP, we can use key signatures from trusted parties or in-person verification, and in TLS, we use certificate authorities. For SSH host keys, we can verify a fingerprint on a trusted website or using DNSSEC. There are even more ways of doing the same thing: you can download someone's SSH keys from GitHub and there are sites like Keybase which tie multiple accounts to a set of credentials cryptographically, in addition to other various techniques.

Ultimately, in order to trust the integrity of the messages, you have to verify the public key somehow independently.
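The fingerprint check mentioned in the answer for SSH host keys, as an added example that is not part of the original answer: Bob computes the OpenSSH-style SHA256 fingerprint of whatever key arrives over the network and accepts it only if it equals the fingerprint he obtained out of band. The key bytes, the comment string and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

def make_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH-format ed25519 public key line from constructed bytes."""
    ktype = b"ssh-ed25519"
    blob = (struct.pack(">I", len(ktype)) + ktype +
            struct.pack(">I", len(raw32)) + raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def fingerprint(pubkey_line: str) -> str:
    """Return the SHA256 fingerprint in the form OpenSSH prints it."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    declared = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed key type; it must match the label.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != declared:
        raise ValueError("key type in blob does not match declared type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def accept_key(received_line: str, pinned_fp: str) -> bool:
    """Accept a key from the network only if it matches the out-of-band fingerprint."""
    try:
        got = fingerprint(received_line)
    except ValueError:  # also covers base64 decoding errors
        return False
    return hmac.compare_digest(got.encode(), pinned_fp.encode())

# Constructed sample data: these are not real keys.
ALICE_KEY = make_pubkey_line(bytes(range(32)), "alice@example")
SUBSTITUTED_KEY = make_pubkey_line(bytes(range(32, 64)), "alice@example")
# Stands in for the fingerprint Bob got in person or from a trusted site.
PINNED_FP = fingerprint(ALICE_KEY)

if __name__ == "__main__":
    for label, line in (("Alice's key", ALICE_KEY),
                        ("key swapped in transit", SUBSTITUTED_KEY)):
        verdict = "accepted" if accept_key(line, PINNED_FP) else "REJECTED"
        print(f"{label}: {fingerprint(line)} -> {verdict}")
```

The substituted key carries the same comment as Alice's, so only the fingerprint comparison tells them apart.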
