MAN IN THE MIDDLE

10/9/2004

Man In The Middle (MITM) attacks are security attacks on a communication link rather than on either endpoint. Conceptually at least, they can be carried out by worms and viruses as well as by individuals.

Man in the Middle attacks are potentially possible whenever a communications path can be compromised such that traffic can be read and altered by the "Man in the Middle". For example, a router might be compromised because of some security flaw. Or it might be physically replaced with a unit controlled by the MITM. In either case, a MITM can edit packets flowing between its clients.

For the most part, MITM attacks will target specific vulnerable points in communications. For example, when two clients initially contact each other they might exchange public cryptographic keys. This is intended to be a secure transaction, since reading the data encrypted with a public key requires the corresponding private key, known only to the individual client. But the man in the middle can intercept the exchange: he keeps Client A's public key for talking to A, and hands Client B his own public key in place of A's, which B then uses when communicating with what it believes is A. Both A and B believe they are engaging in a secure transaction ... and they are. Just not with each other. In fact, each is engaged in secure exchanges with the Man In the Middle, who is free to monitor or alter the message contents.

MITM attacks can be used to monitor "secure" transaction links, to obtain the data necessary to compromise access controls, to fake transactions, etc.

The only current defenses against MITM attacks are to design communication links so that there are no vulnerable attack points, and to use digitally signed public keys. But signed keys only work if the MITM is unable to obtain a plausible signed key to use in the attack.
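A toy simulation of the key substitution described above and of the signed-key defense, added here as an example and not part of the original article. It assumes Diffie-Hellman style public values and a certificate authority (CA) with a small RSA signing key; every parameter is constructed and far too small for real use.

```python
import hashlib

# Constructed toy Diffie-Hellman group (real deployments use 2048-bit+ parameters).
P, G = 2**127 - 1, 5

# Constructed toy RSA key for the certificate authority (CA): two Mersenne primes.
CA_P, CA_Q, CA_E = 2**31 - 1, 2**61 - 1, 65537
CA_N = CA_P * CA_Q
CA_D = pow(CA_E, -1, (CA_P - 1) * (CA_Q - 1))   # modular inverse, Python 3.8+

def digest(name, pub):
    """64-bit hash binding an identity to a public value (kept below CA_N)."""
    h = hashlib.sha256(f"{name}:{pub}".encode()).digest()[:8]
    return int.from_bytes(h, "big")

def ca_sign(name, pub):
    """CA attests that public value `pub` belongs to `name`."""
    return pow(digest(name, pub), CA_D, CA_N)

def ca_verify(name, pub, sig):
    """Anyone holding the CA's public key (CA_N, CA_E) can check the attestation."""
    return pow(sig, CA_E, CA_N) == digest(name, pub)

def exchange(a_priv, b_priv, mitm_priv=None, signed=False):
    """Run A<->B key agreement over a link an intermediary may rewrite.
    Returns (a_secret, b_secret, detected)."""
    a_pub, b_pub = pow(G, a_priv, P), pow(G, b_priv, P)
    a_msg = ("A", a_pub, ca_sign("A", a_pub) if signed else None)
    b_msg = ("B", b_pub, ca_sign("B", b_pub) if signed else None)
    if mitm_priv is not None:
        # The intermediary substitutes its own public value in both directions,
        # attaching a key the CA legitimately signed for it under its own name "M".
        m_pub = pow(G, mitm_priv, P)
        m_sig = ca_sign("M", m_pub) if signed else None
        a_msg = ("A", m_pub, m_sig)   # what B receives, claiming to come from A
        b_msg = ("B", m_pub, m_sig)   # what A receives, claiming to come from B
    if signed:
        # Defense: each side checks the signature against the name it expected,
        # so a key signed for "M" does not authenticate a value claimed as "A" or "B".
        if not (ca_verify("B", *b_msg[1:]) and ca_verify("A", *a_msg[1:])):
            return None, None, True
    a_secret = pow(b_msg[1], a_priv, P)   # what A computes from what it received
    b_secret = pow(a_msg[1], b_priv, P)   # what B computes from what it received
    return a_secret, b_secret, False

if __name__ == "__main__":
    a, b, _ = exchange(11, 23)
    print("no intermediary: secrets match =", a == b)
    a, b, _ = exchange(11, 23, mitm_priv=7)
    print("unsigned keys:   secrets match =", a == b, "(each side shares a key with the MITM)")
    print("signed keys:     substitution detected =", exchange(11, 23, mitm_priv=7, signed=True)[2])
```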

Copyright 1994-2002 by Donald Kenney.