What is a man-in-the-middle attack?

Wikipedia, a free encyclopedia

In cryptography and computer security, a man-in-the-middle attack (MITM) is one in which an attacker establishes independent connections with both ends of a communication and relays the data between them, so that both ends believe they are talking directly to each other over a private connection, when in fact the whole conversation is controlled by the attacker. In a man-in-the-middle attack, the attacker can intercept the communication between the two parties and insert new content. In many cases this is very simple (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point can insert himself into the network as a man in the middle).

For a man-in-the-middle attack to succeed, the attacker must be able to impersonate each endpoint taking part in the conversation without being detected by the others. A man-in-the-middle attack is an attack on (the lack of) mutual authentication. Most cryptographic protocols include some form of endpoint authentication specifically to prevent man-in-the-middle attacks. For example, SSL can verify that the certificate used by one or both communicating parties was issued by an authoritative, trusted certificate authority, and can perform two-way authentication.

Need for additional transmission over a secure channel

In order to meet the different security requirements of different secure channels, many key exchange protocols have been studied.

Attack example

Suppose Alice wants to communicate with Bob. Meanwhile, Mallory wants to intercept the conversation in order to eavesdrop, and possibly to deliver a false message to Bob at some point.

First, Alice asks Bob for his public key. If Bob sends his public key to Alice and Mallory is able to intercept it, a man-in-the-middle attack can begin. Mallory sends Alice a forged message that claims to come from Bob but carries Mallory's own public key (not Bob's).

On receiving the public key, Alice believes it is Bob's, so she encrypts her message with Mallory's public key (which she thinks is Bob's) and sends the encrypted message back to Bob. Mallory again intercepts Alice's message to Bob and decrypts it with Mallory's own private key. If she wants, Mallory can also modify the message, and she then re-encrypts it with Bob's original public key. When Bob receives the newly encrypted message, he believes it came from Alice.

1. Alice sends a message to Bob, but Mallory intercepts it:
   Alice "Hi, Bob, it's Alice. Give me your public key" --> Mallory     Bob

2. Mallory forwards the intercepted message to Bob; Bob cannot tell whether it really came from Alice:
   Alice     Mallory "Hi, Bob, it's Alice. Give me your public key" --> Bob

3. Bob responds to Alice's message and attaches his public key:
   Alice     Mallory <--[Bob's public key]-- Bob

4. Mallory replaces Bob's key in the message with her own key and forwards the message to Alice, claiming that it is Bob's public key:
   Alice <--[Mallory's public key]-- Mallory     Bob

5. Alice encrypts her message with the public key she thinks is Bob's, believing that only Bob can read it:
   Alice "Let's meet at the bus stop!" --[encrypted with Mallory's public key]--> Mallory     Bob

6. However, since this message is actually encrypted with Mallory's key, Mallory can decrypt it, read it and modify it if she wants. She re-encrypts it with Bob's key and forwards the re-encrypted message to Bob:
   Alice     Mallory "Wait for me at home!" --[encrypted with Bob's public key]--> Bob

7. Bob thinks that this message came from Alice over a secure channel.

This example shows that Alice and Bob need some way to make sure that they really got the public key belonging to each other, not the public key from the attacker. Otherwise, such attacks are generally feasible, and in principle, attacks can be launched against any communication message using public-key technology. Fortunately, there are various technologies that can help defend against MITM attacks.
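The exchange above can be replayed in a few lines, together with the check that stops it: Alice compares a fingerprint of the key she received with one obtained from Bob over a second channel. This is an added example, not code from the original article. It assumes toy textbook RSA with constructed keys built from Mersenne primes (illustrative only, not secure), and all function names are hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Textbook RSA from two known primes; returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def encrypt(text, n):
    m = int.from_bytes(text.encode(), "big")
    assert m < n, "message too long for this toy key"
    return pow(m, E, n)

def decrypt(c, n, d):
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()

def fingerprint(n):
    """Short digest of a public key, short enough to compare over a second channel."""
    return hashlib.sha256(str(n).encode()).hexdigest()[:16]

# Constructed keys (assumption): Mersenne primes keep the example short; never do this.
BOB_N, BOB_D = make_key(2**127 - 1, 2**521 - 1)
MAL_N, MAL_D = make_key(2**107 - 1, 2**607 - 1)

def run_exchange(expected_fp=None):
    """Steps 4-6 above. expected_fp is Bob's fingerprint learned out of band."""
    key_seen_by_alice = MAL_N  # step 4: the key was swapped in transit
    if expected_fp is not None and fingerprint(key_seen_by_alice) != expected_fp:
        return {"sent": False, "reason": "public key fingerprint mismatch"}
    c1 = encrypt("Let's meet at the bus stop!", key_seen_by_alice)  # step 5
    mallory_read = decrypt(c1, MAL_N, MAL_D)                        # step 6
    c2 = encrypt("Wait for me at home!", BOB_N)
    return {"sent": True, "mallory_read": mallory_read,
            "bob_read": decrypt(c2, BOB_N, BOB_D)}

if __name__ == "__main__":
    print(run_exchange())                    # unauthenticated key: message exposed
    print(run_exchange(fingerprint(BOB_N)))  # verified key: Alice refuses to send
```
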

Defending against man-in-the-middle attacks

Many technologies to defend against man-in-the-middle attacks are based on the following authentication technologies:

Public key infrastructure

In PKI schemes, the main defence against man-in-the-middle attacks is PKI's mutual authentication mechanism. With such a mechanism, the application authenticates the user and the user's device authenticates the application. This is of little use against rogue applications, however, so care is needed to distinguish rogue software from legitimate software.

Stronger mutual authentication, such as:

Secret keys (usually high in information entropy, and therefore more secure), or passwords (usually low in information entropy, and therefore less secure)

Latency examination, such as using complex cryptographic hash function calculations that cause tens of seconds of delay; if both parties normally take 20 seconds to calculate and the whole communication takes 60 seconds to reach the other party, this can indicate a third party in the middle.

Verification over a second (secure) channel

One-time pads are immune to man-in-the-middle attacks, provided the one-time pad itself is secure and trusted. The integrity of a public key must usually be assured in some way, but the key does not need to be kept secret. Passwords and shared keys have the additional requirement of confidentiality. Public keys can be verified by a certificate authority whose own public key is distributed through a secure channel (for example, installed with a web browser or operating system). Public keys can also be verified through a web of trust, which distributes public keys in a secure way (for example, through face-to-face meetings).

See key exchange protocols for the different kinds of protocols that use various forms of keys or passwords to resist man-in-the-middle attacks.

Forensic analysis of man-in-the-middle attacks

Capturing and analyzing network packets from a link suspected of being under a man-in-the-middle attack can determine whether an attack is taking place. When analyzing network traffic and gathering evidence for a suspected SSL man-in-the-middle attack, the important evidence includes:

IP address of remote server

DNS domain name resolution server

The server's X.509 certificate

Is the certificate a self-signed certificate?

Was the certificate issued by a trusted authority?

Has the certificate been revoked?

Has the certificate been changed recently?

Have other clients on the internet obtained the same certificate?
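The certificate questions in this checklist can be turned into a small triage routine over captured observations. This is an added example, not part of the original article. The record fields, names and fingerprints are constructed placeholders, and the revoked flag is assumed to come from a separate CRL or OCSP lookup.

```python
def triage(obs, history, trusted_issuers):
    """Apply the checklist to one captured certificate; return a list of findings."""
    findings = []
    if obs["subject"] == obs["issuer"]:
        findings.append("self-signed")
    if obs["issuer"] not in trusted_issuers:
        findings.append("issuer not trusted")
    if obs.get("revoked"):
        findings.append("revoked")
    same_host = [h for h in history if h["host"] == obs["host"]]
    earlier = [h for h in same_host if h["client"] == obs["client"]]
    if earlier and earlier[-1]["sha256"] != obs["sha256"]:
        # A legitimate renewal also triggers this; weigh it with the other findings.
        findings.append("changed since last capture")
    elsewhere = {h["sha256"] for h in same_host if h["client"] != obs["client"]}
    if elsewhere and obs["sha256"] not in elsewhere:
        findings.append("not the certificate other clients received")
    return findings

def cert(client, subject, issuer, sha256, revoked=False, host="shop.example.test"):
    """Build one observation record (hypothetical schema)."""
    return {"host": host, "client": client, "subject": subject,
            "issuer": issuer, "sha256": sha256, "revoked": revoked}

# Constructed sample data: names and fingerprints are placeholders, not real values.
TRUSTED = {"Example Trusted CA"}
HISTORY = [
    cert("laptop-1", "shop.example.test", "Example Trusted CA", "fp-A"),
    cert("probe-eu", "shop.example.test", "Example Trusted CA", "fp-A"),
    cert("probe-us", "shop.example.test", "Example Trusted CA", "fp-A"),
]
SUSPECT = cert("laptop-1", "shop.example.test", "shop.example.test", "fp-B")
NORMAL = cert("laptop-1", "shop.example.test", "Example Trusted CA", "fp-A")

if __name__ == "__main__":
    print(triage(SUSPECT, HISTORY, TRUSTED))
    print(triage(NORMAL, HISTORY, TRUSTED))
```
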

Other unencrypted man-in-the-middle attacks

A well-known example of an unencrypted man-in-the-middle attack was caused by a version of a Belkin wireless router in 2003. It periodically took over an HTTP connection passing through it, preventing the traffic from reaching its destination, and returned its own response to the request. The response it sent displayed an advertisement for another Belkin product in place of the web page the user had requested. After strong protests from technically literate users, Belkin removed this feature from later versions of the router's firmware. [1]

Another typical example of an unencrypted man-in-the-middle attack is the "Turing porn farm". Brian Warner described it as a "conceivable attack" that spammers could use to defeat CAPTCHAs. The spammer sets up a pornographic website, and access to it requires users to solve verification challenges. These challenges are in fact challenges from other websites. In this way the spammer bypasses those websites' verification and can send spam. [2] However, Jeff Atwood pointed out that the attack was only theoretical: in 2006 there was no evidence that any spammer had built a Turing porn farm. [3] In October 2007, however, it was reported that spammers had indeed created a Windows game in which users who typed in the CAPTCHAs obtained from Yahoo's email account registration were rewarded with pornographic pictures. [4] This allows spammers to create temporary free email accounts from which to send spam.

Implementations

dsniff - a tool for SSH and SSL man-in-the-middle attacks

Cain and Abel - a Windows GUI tool that can perform man-in-the-middle attacks, sniffing and ARP poisoning

Ettercap - a tool for LAN-based man-in-the-middle attacks

Karma - a tool that uses 802.11 Evil Twin attacks to perform MITM attacks

AirJack - a tool that demonstrates 802.11-based MITM attacks

SSLStrip - a tool for SSL-based MITM attacks

SSLSniff - a tool for SSL-based MITM attacks, originally built to exploit a flaw in Internet Explorer

Intercepter-NG - a Windows network password sniffer with ARP poisoning capability. It can carry out SSL-based MITM attacks, including SSLStrip.

Mallory - a transparent TCP and UDP MITM proxy, extended to MITM SSL, SSH and many other protocols

wsniff - a tool for 802.11 HTTP/HTTPS-based MITM attacks

An additional card reader installed in the card slot of an ATM, and an additional PIN recorder installed over the keypad

See also

Man-in-the-browser - a man-in-the-middle attack carried out in the web browser

Boy-in-the-browser - a simpler type of web browser man-in-the-middle attack

Aspidistra transmitter - a British radio transmitter used for "intrusion" operations in World War II, an early man-in-the-middle attack

Computer security - the design of secure computer systems

Cryptanalysis - deciphering encrypted information without full knowledge of how it was encrypted

Digital signature - a cryptographic guarantee of the authenticity of a text, usually the result of a calculation that only the author is expected to be able to perform

Interlock protocol - a specific protocol for avoiding a possible man-in-the-middle attack when keys may have been compromised

Key management - how to manage keys, including generating, exchanging and storing them

Key agreement protocol - also known as a key exchange protocol, a protocol for negotiating a key suitable for communication between two parties

Mutual authentication - how communicating parties establish confidence in one another's identities

Password-authenticated key agreement - a protocol for establishing a key using a password

Quantum cryptography - the use of quantum mechanics to provide secure encryption (older methods rely on one-way functions)

Secure channel - a way of communicating that resists interception and tampering

Spoofing attack

HTTP Strict Transport Security

References

1. Leyden, John. Help! my Belkin router is spamming me. The Register. 2003-11-07.

2. Petmail Documentation: Steal People's Time To Solve CAPTCHA Challenges. [2008-05-19].

3. Captcha Effectiveness. 2006-10-25.

4. PC Stripper Helps Spam to spread. BBC News. 2007-10-30.

Taken from "https://zh.wikipedia.org/w/index.php? Title= Man-in-the-middle attack &; Oldid = 488488 "

This page was last revised at 3:4 on May 13th, 2016 (Friday).
