Talk:Man-in-the-middle attack

From Wikipedia, the free encyclopedia
This article is of interest to the following WikiProjects:
WikiProject Cryptography / Computer science (Rated C-class, Mid-importance)
WikiProject Computer Security / Computing (Rated C-class, Mid-importance)

public key is?

It won't be clear until I know what a public-key is. Kingturtle 02:42 Apr 16, 2003 (UTC)

general attack?

I answered my own question by wikifying public key. It seems to me that there are many instances in the natural world in which this strategy works. Don't some viruses operate this way? Or some insects or fish? Kingturtle 02:45 Apr 16, 2003 (UTC)

more on terminology

The author uses non-canonical imaginary characters in the discussion. See characters in cryptography. Should we change Adam, Betsy, Edith, etc. to Alice, Bob, Eve and Mallory? This is something which fails to rise, I suggest, even to the status of a storm in a teacup. I have installed a link, though. ww 18:17, 3 Jun 2004 (UTC)

It was ignorance on my part. Feel free to make the change, if your teacup is quivering too much. Graft 01:53, 4 Jun 2004 (UTC)
Graft, the reference to teapot tempest was by contrast to cy v ci spelling issues. See under discussions at WikiProject Cryptography for surfing advice. Perhaps you'd like to chyme in? ww 14:00, 22 Jul 2004 (UTC)

reversion of spellyng correction

The list of WP correct spellings includes all of those 'corrected' during this edit. Please see the link immediately above for the teapot tempest in re this question. ww 13:59, 22 Jul 2004 (UTC)

alice

On the first page it says Alice must ask Bob for his public key, so first of all, what is the public key, and what if he doesn't want to give it?

fr:Cryptographie ? — Matt 22:55, 1 Sep 2004 (UTC)

Newbee

Would you class a session ID within ASP as a public key? Why not use HTTPS by default? Any ideas would be much appreciated.

tnx C

I'm afraid I'm not quite sure what you're asking here. You might want to post a question to Wikipedia:Reference desk, as this page is for discussion about improving the associated encyclopedia article, "Man in the middle attack". Thanks. — Matt Crypto 23:32, 20 Dec 2004 (UTC)

Where's Alice's key pair?

Public key is supposed to provide two assurances: that the apparent sender is really the sender and that no intermediate party can read an encrypted message. Considering only the first one, if Alice signs her messages to Bob, how can Mallory undetectably doctor it? Does Mallory have access to Alice's private key so that she can convincingly sign the modified message, or has Mallory managed to dupe Bob with an incorrect public key for Alice?

-- Ventura 20:25, 2004 Dec 31 (UTC)

The same vulnerability is inherent in signing. Alice sends her public key to Bob, but it is intercepted and replaced with a false one by Mallory. Whenever Bob receives messages from "Alice", he will check the signature with this fake key, for which Mallory has the corresponding private key. Thus, signature is no bar to forged messages, if you cannot be sure who the owner of a public key is. Graft 20:39, 31 Dec 2004 (UTC)
This is why you use a trusted signature certificate authority, such as Verisign, which signs a certificate for you, and you need that certificate to sign your messages. Then it comes down to compromising the Verisign root certificate; that's a pretty hard problem. --User:Pokeme444 20:48, 20 Mar 2010 (UTC)
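
The key substitution and the certificate check discussed in the two replies above, as an added example that is not part of the original discussion. It uses Lamport one-time hash-based signatures (swapped in so it runs with only the Python standard library); the function names, the `alice:` binding format and the messages are constructed for illustration.

```python
import hashlib
import secrets

def H(data):
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair: 256 pairs of secrets; public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit; each key must sign only one message.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def fingerprint(pk):
    return H(b"".join(a + b for a, b in pk)).hex()

def demo():
    alice_sk, alice_pk = keygen()
    mallory_sk, mallory_pk = keygen()
    ca_sk, ca_pk = keygen()  # assumption: Bob got ca_pk over a trusted channel

    # The CA binds the name "alice" to Alice's key (a one-entry certificate).
    binding = b"alice:" + fingerprint(alice_pk).encode()
    cert = sign(ca_sk, binding)

    # Mallory replaces the key in transit and signs with her own private key.
    received_pk = mallory_pk
    forged = b"constructed message from 'Alice'"
    forged_sig = sign(mallory_sk, forged)

    # Without a binding check, the signature verifies under the swapped key.
    naive_accepts = verify(received_pk, forged, forged_sig)
    # With the check, the certificate does not cover the key Bob received.
    claimed = b"alice:" + fingerprint(received_pk).encode()
    cert_covers_swapped = verify(ca_pk, claimed, cert)
    cert_covers_real = verify(ca_pk, binding, cert)
    return naive_accepts, cert_covers_swapped, cert_covers_real
```

The check only moves the trust question to how Bob obtained `ca_pk`; if that key is also replaced, the same substitution works one level up.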

Biometrics are no more secure, deleted...

Most biometrics don't change; if they do, a secure-channel transfer must be made...since they are unchanging, they don't add any extra authentication security. They can just be relayed along as-is. It is generally impractical to do more than one secure channel transfer, so real-time biometrics are out. The only example I can think of that works is voice, but that is unreliable, easy to fool in only a few tries, and would rely on strings of randomly chosen words. Also, if your voice is hoarse, etc., it will lock you out. Eyes don't change, fingerprints don't change, etc. --Pokeme444 22:11, Mar 20 2010 (UTC)

One-time pads

One-time pads are invulnerable to MITM, assuming the security of the one-time pad. In fact, the data can be translated in plaintext if you trust the pad. 22:11, Mar 20 2010 (UTC)


Is the case of Eve being, say, the ISP, hopeless?

I think the article should mention explicitly that it assumes Eve, the MITM, is only present in the route between Bob and Alice. If Eve is some government agency that is able to be in the middle of Bob's single connection to his ISP, this is a more complicated situation.

This might be confusing. Most people have a single ISP. In which case, if Eve manages to be in the middle of the path to the ISP, can't she forge Bob's attempt to verify a certificate by a certificate authority, assuming she earlier modified his browser's knowledge about the certificate authority's own certificate?

Is such a situation hopeless?

11-Feb-2016, 12:30 UTC.