UnlabelledMan-in-the-middle attack

Kamis, 05 Juli 2018

- -
Sponsored Links

What is Man-In-The-Middle Attack ? - The Security Buddy
src: www.thesecuritybuddy.com

In cryptography and computer security, the man-in-the-middle attack ( MITM ) is an attack in which the attacker quietly relays and possibly alters the communication between the two parties who believe them directly communicate with each other. One example of a man-in-the-middle attack is an active tapping, in which the attacker makes an independent connection with the victim and passes a message between them to make them believe that they are talking directly to each other via a private connection, when in fact the whole conversation is controlled by attacker. Attackers should be able to intercept all relevant messages passing between two victims and inject new ones. This is easy in many situations; for example, an attacker within reach of unencrypted wireless access point access (Wi-Fi) can enter himself as a human in the middle.

As an attack aimed at avoiding mutual authentication, or absence, man-in-the-middle attacks can succeed only when an attacker can mimic each end point for their satisfaction as expected from the legitimate end. Most cryptographic protocols include some form of special endpoint authentication to prevent MITM attacks. For example, TLS may authenticate one or both parties using a trustworthy certificate authority.


Video Man-in-the-middle attack



Contoh

Suppose Alice wants to communicate with Bob. Meanwhile, Mallory wants to intercept the conversation to eavesdrop and optionally to deliver Bob's false message.

First, Alice asks Bob for his public key. If Bob sends his public key to Alice, but Mallory can intercept it, a man-in-the-middle attack can start. Mallory sends a fake message to Alice that is meant to be from Bob, but puts Mallory's public key.

Alice, who believes this public key as Bob, encrypts his message with Mallory keys and sends messages that are re-encrypted to Bob. Mallory again cuts, breaks messages using his private key, maybe alters it if he wants to, and encrypts it using a public key sent to Alice. When Bob receives a newly encrypted message, he believes it came from Alice.

  1. Alice sends a message to Bob, whom Mallory is blocking:
    Alice "Hi Bob, this is Alice. Give me your keys." -> Mallory Bob
  2. Mallory delivered this message to Bob; Bob does not know it's not really from Alice:
    Alice Mallory "Hi Bob, this is Alice. Give me your keys." -> Bob
  3. Bob responded with the encryption key:
    Alice Mallory <- [Lock Bob] Bob
  4. Mallory replaces Bob's key with his own, and passes this to Alice, claiming that it's Bob's key:
    Alice Mallory
  5. Alice encrypts the message with what she believes to be Bob's key, thinking that only Bob can read it:
    Alice "Meet me at the bus stop!" [encrypted with Mallory key] -> Mallory Bob
  6. However, since it's actually encrypted with Mallory keys, Mallory can decrypt it, read it, modify it (if desired), re-encrypt with Bob key, and forward it to Bob:
    Alice Mallory "Meet me in the van by the river!" [encrypted with Bob key] -> Bob
  7. Bob thinks this message is a secure communication from Alice.
  8. Bob goes to the van by the river and is mugged by Mallory.
  9. Alice did not know that Bob was mugged by Mallory, thinking Bob was late.
  10. Not seeing Bob for a while, he determines something happened to Bob.

This example shows the need for Alice and Bob to have some way of ensuring that they actually use each other's public key, rather than the attacker's public key. Otherwise, such an attack is generally possible, in principle, against any messages sent using public key technology. Various techniques can help defend against MITM attacks.

Maps Man-in-the-middle attack



Defense and detection

MITM attacks can be prevented or detected in two ways: authentication and tamper detection. Authentication provides some degree of certainty that the message provided comes from a legitimate source. Tamper detection only shows evidence that the message may have been changed.

Authentication

All cryptographic systems that are secure against MITM attacks provide several authentication methods for messages. Most require an exchange of information (such as a public key) in addition to messages over a secure channel. Such protocols often use protocol key agreements have been developed, with different security requirements for secure channels, although some have attempted to remove requirements for every secure channel at all.

Public key infrastructure, such as Transport Layer Security, can harden the Transmission Control Protocol against Man-in-the-middle attacks. In such a structure, clients and servers redeem certificates issued and verified by a trusted third party called a certificate authority (CA). If the original key to authenticate this CA has not been the subject of MITM attacks, then the certificate issued by the CA can be used to authenticate messages sent by the certificate owner. The use of mutual authentication, in which both the server and the client validate other communications, includes both ends of the MITM attack, although the default behavior of most connections is to authenticate only the server.

Attestments, such as verbal communication of shared values ​​(as in ZRTP), or recording attestments such as audio/visual recordings of a hash public key are used to ward off MITM attacks, as the visual medium is much more difficult and time consuming to replicate than simple data packet communication. However, this method requires people in a circle to successfully start a transaction.

HTTP Public Key Marking, sometimes called "pinning certificates", helps prevent MITM attacks where the certificate authority itself is compromised, asking the server to provide a list of public key "pinned" hashes during the first transaction. Subsequent transactions then require one or more keys in the list to be used by the server to authenticate the transaction.

DNSSEC extends the DNS protocol to use signatures to authenticate DNS records, preventing simple MITM attacks from redirecting clients to malicious IP addresses.

Detect tamper

Latency checks can potentially detect attacks in certain situations, such as with long-lead calculations such as hash functions. To detect potential attacks, the parties check for non-conformities in response time. For example: Let's say that two parties usually take a certain amount of time to make certain transactions. If one transaction, however, is to take an abnormal time to reach another party, this could be an indication of a third party intrusion that enters additional latency in the transaction.

Quantum Cryptography, in theory, provides proof-tamper for transactions through a non-cloned theorem. Protocols based on quantum cryptography typically authenticate some or all of their classical communications with an unconditional authentication scheme, for example. Wegman-Carter Authentication.

Forensic analysis

Network traffic captured from what is suspected as an attack can be analyzed to determine if there is an attack and determine the source of the attack, if any. Important evidence to analyze when conducting network forensics on suspected attacks includes:

  • Server IP address
  • DNS name from server
  • X.509 server certificate
    • Are the certificates self-signed?
    • Is the certificate signed by a trusted CA?
    • Has the certificate been revoked?
    • Has the certificate been changed recently?
    • Are other clients, elsewhere on the Internet, also getting the same certificate?

Man in the middle attack on public key cryptography - YouTube
src: i.ytimg.com


Important example

The notorious man-in-the-middle non-cryptographic attack was carried out by Belkin wireless network routers in 2003. Periodically, it will take over HTTP connections routed through it: it will fail to pass traffic to the destination, but otherwise it responds as the destination server. Replies submitted, in lieu of web pages requested by users, are advertisements for other Belkin products. After getting protests from technically literate users, this 'feature' has been removed from the newer software version of the router.

In 2011, a security breach of the Dutch DigiNotar certificate authority resulted in the publication of a fraudulent certificate. Furthermore, fake certificates are used to perform man-in-the-middle attacks.

In 2013, Nokia Xpress Browser is downgraded to decrypt HTTPS traffic on the Nokia proxy server, giving the company clear text access to its customers' encrypted browser traffic. Nokia responds by saying that the content is not permanently stored, and that the company has organizational and technical measures to prevent access to personal information.

In 2017, Equifax withdrew its mobile app following concerns about man-in-the-middle vulnerabilities.

Other well-known real-life implementations are as follows:

  • DSniffÃ, - the first public implementation of MITM attacks against SSL and SSH
  • HTTP (S) Fiddler2 diagnostic tool
  • NSA's impersonation from Google
  • Superfish malware
  • Forcepoint Content GatewayÃ, - used to perform SSL traffic checks in the proxy
  • Comcast uses MITM attacks to inject JavaScript code into third-party web pages, displaying their own ads and messages at the top of the page.

IPv6 and ICMPv6 Security
src: network-insight.net


See also


Man in the Middle Attack on Diffie-Hellman Key Exchange and ...
src: i.ytimg.com


References


Man-in-the-Middle Attack - YouTube
src: i.ytimg.com


External links

  • Finding Hidden Threats with Decrypt SSL (PDF). SANS Institute.
  • SSH Artificial Penetration Penetration Tool

Source of the article : Wikipedia

Comments
0 Comments
Langganan: Posting Komentar (Atom)