How does a certificate protect against a Man-in-the-Middle attack?

Why do we need a certificate which includes personal information?

Let's imagine a hacker on the network subnet. The hacker intercepts the network stream from Bob and forwards it to Alice. Each party has its own key pair. Bob wants to communicate with Alice.

Now Bob wants to encrypt his message, so he naturally asks Alice for her public key to encrypt the email. But because the hacker is on the network, he intercepts the request and sends Bob his own public key instead, saying “Hi, it is Alice, here is my public key, feel free to communicate securely with me by using it!”

Because Bob can't verify that the public key is really associated with Alice, he has to trust it!

So Bob has been trapped by the hacker, who sent him his own public key!

Now Bob sends the encrypted mail to Alice, using the hacker's public key while believing he has used Alice's public key!

The hacker receives the mail because he is in a MiTM position. But instead of forwarding it directly, he intercepts it, decrypts it and reads the content. To do so, he uses his own private key.

Now the hacker encrypts the mail again, this time using Alice's public key!

He then forwards the mail to Alice.

Alice finally decrypts the mail using her private key.

As we can see, the real problem here is that Bob was not aware that the public key he used to encrypt the mail was not Alice's public key but the hacker's public key!

After that, everything was totally transparent. This is what a certificate is for: it lets us trust the public key we use to encrypt a communication, because that key is tied to a person or an entity.
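The check a certificate makes possible, as an added example (not code from the original post): a certificate authority signs the binding between a name and a public key, and Bob accepts a key only if that signature verifies and the name is Alice. The CA, its toy textbook-RSA key, the function names and the sample keys are assumptions for illustration; the toy key is not secure.

```python
import hashlib

# Toy textbook-RSA signing key for a hypothetical certificate authority (CA).
# The primes are small and public: this only illustrates the logic.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
CA_N = P * Q
CA_D = pow(E, -1, (P - 1) * (Q - 1))  # CA private exponent


def _digest(subject: str, public_key: bytes) -> int:
    """Hash the (identity, key) binding, reduced into the RSA modulus."""
    name = subject.encode()
    data = len(name).to_bytes(2, "big") + name + public_key
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % CA_N


def issue_certificate(subject: str, public_key: bytes) -> dict:
    """CA side: sign the binding between a name and a public key."""
    sig = pow(_digest(subject, public_key), CA_D, CA_N)
    return {"subject": subject, "public_key": public_key, "signature": sig}


def accept_key(cert: dict, expected_subject: str) -> bool:
    """Bob's side: use the key only if the CA vouches for it AND the name matches."""
    expected = _digest(cert["subject"], cert["public_key"])
    signed_ok = pow(cert["signature"], E, CA_N) == expected
    return signed_ok and cert["subject"] == expected_subject


# Constructed sample keys (opaque placeholders, not real key material).
ALICE_KEY = b"alice-public-key"
HACKER_KEY = b"hacker-public-key"

alice_cert = issue_certificate("Alice", ALICE_KEY)
# The hacker swaps in his key but can only reuse Alice's signature.
swapped_cert = dict(alice_cert, public_key=HACKER_KEY)
# The hacker's own genuine certificate names him, not Alice.
hacker_cert = issue_certificate("Hacker", HACKER_KEY)

if __name__ == "__main__":
    cases = [("genuine", alice_cert), ("swapped key", swapped_cert),
             ("hacker's own cert", hacker_cert)]
    for label, cert in cases:
        verdict = "accepted" if accept_key(cert, "Alice") else "rejected"
        print(f"{label}: {verdict}")
```

Both substitution attempts fail for different reasons: the swapped key breaks the CA signature, and the hacker's own valid certificate carries the wrong name.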
