tags:

views:

34

answers:

1
+1  Q: 

How do certificate avoid the man in the middle attack?

Hello,

I have another question to security in the web. If I understand it correctly certificates are for identify who you really are. So the man in the middle attack isn't possible. But when I see this image:

http://upload.wikimedia.org/wikipedia/commons/thumb/2/2b/Digital_Signature_diagram.svg/800px-Digital_Signature_diagram.svg.png

I think a man in the middle attack is possible. You could split the Signature, the certificate from the data. Make your own signature with your fake data and send the fake data with the fake signature (but the right certificate) to the server/client.

What I also not understand in this picture is where the certificate gets checked, on the verification side.

thanks.

SCBoy

+1  A: 

Make your own signature with your fake data and send the fake data with the fake signature (but the right certificate) to the server/client.

The problem is that the receiver will then look at the fake signature and see that it does not match the certificate of the real sender.

You can only create signatures that match a given certificate when you have the correct private key for that certificate (even though the certificate itself is public, that is the magic of asymmetric cryptography). This private key is being kept secret by the owner of the certificate (the original sender of the message).

The man-in-the-middle is prevented by distributing trusted certificates in advance. You have to trust the authenticity of the certificates, either by trusting them directly (root certificates) or by trusting a chain of signatures on the certificate leading up to one that you trust.

If the man in the middle can make you believe that his fake certificate is the real deal, then the whole system fails.

Thilo  2010-10-15 07:43:41
But why do the certificate match to the signature. In the picture from wikipedia the signature gets created from the data and not from the certificate? I dont see the context between certificate and signature.
SCBoy  2010-10-15 08:04:16
The signature is created using the data and your private key (which is linked to the certificate, the certificate contains the matching public key).
Thilo  2010-10-15 08:05:08
ah k now makes all sense :) thanks!
SCBoy  2010-10-15 08:49:30
Just to clarify, it's the private key of the issuer that's used to sign a given certificate.
Bruno  2010-10-15 10:04:39
And the private key of the certificate owner that is used to sign the message.
Thilo  2010-10-15 10:06:59

related questions

How would you implement a secure static login credentials system in Java?
Blocking https url's in a embedded gecko browser
Restrict Apache to only allow access using SSL for some directories
How to put up an off-the-shelf https to http gateway?
Rails SSL Requirement plugin -- shouldn't it check to see if you're in production mode before redirecting to https?
What's the best way to learn server RESTful code?
Force HTTPS. How is it possible?
How can I get LWP to validate SSL server certificates?
What must I do to make content such as images served over HTTPS be cached client-side?
What does a PHP developer need to know about https / secure socket layer connections?
What's a clean/simple way to ensure the security of a page?
Making sure a web page is not cached, across all browsers.
Best way in asp.net to force https for an entire site?
Any way to handle Put and Delete verbs in ASP.Net MVC?
Response.Redirect with POST instead of Get?
How to get the correct Content-Length for a POST request.
IIS7: HTTP->HTTPS Cleanly
[ASP.NET ERROR] The request was aborted: Could not create SSL/TLS secure channel.
Testing HTTPS files with MAMP
How do banks remember "your computer"?
Avoid traffic shaping by using ssh on port 443
Convince Firefox to send an If-Modified-Since header over HTTPS
How do you redirect HTTPS to HTTP?
Using mod_rewrite to Mimic SSL Virtual Hosts?
Options for Google Maps over SSL