RE: [pen] would it be fair to say...
> If you use public key encryption then you shouldn't have to worry about
> man in the middle attacks on the key because the key used to decrypt the
> message is never supposed to be exchanged.
>
That's not necessarily true. For example:
Eve is sitting between 2 hosts Alice and Bob. Alice wants to securely talk
with Bob. Alice issues a request and Bob sends out its public key. Eve
intercepts the public key and transmits its own to Alice. Alice sends its
public key and it is again intercepted by Eve who again sends its own
public key on to Bob. Whenever Alice wants to send an encrypted
transmission to Bob, it is unknowingly using Eve's public key. Eve can then
decrypt the message using its private key, save the message, then
re-encrypt it using Bob's public key. The same is true in reverse. Man in
the Middle attacks work just as well against asymmetric cryptography. You
don't need to have the private keys of either host.
If you ever connect to a host and you get a message that its public key has
changed, it's a good indication that there is someone sitting between you
and the remote machine, or the remote machine has been compromised. (It
could also mean that the sys admin decided to change the public key, but
that would be a very rare occurrence.) The problem here is that you will
always get this message upon your initial connection to a remote host.
--
"They shall not overcome. Whoever told them that the truth shall set them
free was obviously and grossly unfamiliar with federal law."
-- John Ashcroft
http://www.helixcomputers.com
http://www.helixcomputers.com/cdlist
Please visit www.the-collective.net.
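
The key-change warning and the first-connection gap described in the message above, as an added example that is not part of the original post. The `PinStore` class, its status strings and the sample key blobs are constructed for illustration; the fingerprint format (unpadded base64 of a SHA-256 digest) follows the style OpenSSH prints.

```python
import base64
import hashlib

def fingerprint(pubkey: bytes) -> str:
    """SHA-256 of the key blob, base64 without padding, OpenSSH display style."""
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

class PinStore:
    """Hypothetical trust-on-first-use store: host name -> pinned fingerprint."""

    def __init__(self):
        self.pins = {}

    def check(self, host, presented_key, expected_fp=None):
        fp = fingerprint(presented_key)
        # A fingerprint obtained out of band (phone, paper, signed record) is
        # compared first; a mismatch is rejected before any pin is stored.
        if expected_fp is not None and fp != expected_fp:
            return "REJECT_OOB_MISMATCH"
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact: nothing to compare against, so the key is pinned.
            self.pins[host] = fp
            return "PINNED_VERIFIED" if expected_fp else "PINNED_UNVERIFIED"
        return "MATCH" if pinned == fp else "CHANGED"

# Constructed sample key blobs, not real keys.
BOB_KEY = b"constructed-sample-public-key-of-bob"
EVE_KEY = b"constructed-sample-public-key-of-eve"

def demo():
    results = []
    # Case 1: clean first contact, then a substituted key shows up later.
    store = PinStore()
    results.append(store.check("bob", BOB_KEY))
    results.append(store.check("bob", BOB_KEY))
    results.append(store.check("bob", EVE_KEY))
    # Case 2: the substituted key is already in place at first contact, so it
    # gets pinned and Bob's genuine key is what later triggers the warning.
    store = PinStore()
    results.append(store.check("bob", EVE_KEY))
    results.append(store.check("bob", BOB_KEY))
    # Case 3: an out-of-band fingerprint closes the first-contact gap.
    store = PinStore()
    bob_fp = fingerprint(BOB_KEY)
    results.append(store.check("bob", EVE_KEY, expected_fp=bob_fp))
    results.append(store.check("bob", BOB_KEY, expected_fp=bob_fp))
    return results
```

Case 2 is the limitation the message ends on: without an independent copy of the fingerprint, the first connection cannot tell the two keys apart.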