Page 561 - StudyBook.pdf
P. 561
Basis of Cryptography • Chapter 9 545
Beware of the key exchange mechanism used by any PKE system. If the key
exchange protocol does not authenticate at least one and preferably both sides of
the connection, it may be vulnerable to MITM-type attacks.Authentication sys-
tems generally use some form of digital certificates (usually X.509), and require a
PKI infrastructure.
Also, note that MITM-based attacks can only occur during the initial corre-
spondence between two parties. If their first key exchange goes unimpeded, then
each party will authenticate the other’s key against prior communications to verify
the sender’s identity.
Bad Key Exchanges
Because there isn’t any authentication built into the Diffie-Hellman algorithm,
implementations that use Diffie-Hellman-type key exchanges without some sort of
authentication are vulnerable to MITM attacks.The most notable example of this
type of behavior is the SSH-1 protocol. Since the protocol itself does not authenti-
cate the client or the server, it’s possible for someone to cleverly eavesdrop on the
communications.This deficiency was one of the main reasons that the SSH-2 pro-
tocol was completely redeveloped from SSH-1.The SSH-2 protocol authenticates
both the client and the server, and warns of or prevents any possible MITM
attacks, depending on configuration, so long as the client and server have commu-
nicated at least once. However, even SSH-2 is vulnerable to MITM attacks prior to
the first key exchange between the client and the server.
As an example of a MITM-type attack, consider that someone called Al is per-
forming a standard Diffie-Hellman key exchange with Charlie for the very first
time, while Beth is in a position such that all traffic between Al and Charlie passes
through her network segment.Assuming Beth doesn’t interfere with the key
exchange, she will not be able to read any of the messages passed between Al and
Charlie, because she will be unable to decrypt them. However, suppose that Beth
intercepts the transmissions of Al and Charlie’s public keys and she responds to
them using her own public key.Al will think that Beth’s public key is actually
Charlie’s public key and Charlie will think that Beth’s public key is actually Al’s
public key.
When Al transmits a message to Charlie, he will encrypt it using Beth’s public
key. Beth will intercept the message and decrypt it using her private key. Once
Beth has read the message, she encrypts it again using Charlie’s public key and
transmits the message on to Charlie. She may even modify the message contents if
she so desires. Charlie then receives Beth’s modified message, believing it to come
www.syngress.com
