Man in the middle attack

A man in the middle attack is an attack in which an attacker positions himself inbetween the server and client. This means that the attacker can read all messages that are being sent between the client and the server. Figure 1 shows the connection between the client and server. The dotted line indicates that a normal connection only involves the client and server. In this case a man in the middle is eavesdropping on the conversation.

In a normal connection the man in the middle can read anything without having to do too much work, the man in the middle has to have the posibility to position itself between the client and the server. The man in the middle can for example pretend to be the router within a local network. It will tell the client that it is the router and the router that it is the client. Now the client sends its messages through the man in the middle to the router which then forwards them to the server. With a packet sniffer the man in the middle can read the packages that are being sent over the network.

Man in the middle
Figure 1

As explained in the introduction, to be sure that a man in the middle cannot read the packages, SSL was invented. The messages are now encrypted with a key that only the client and server know of. Though it is still possible to do active eavesdropping on a secured connection.

This can only be done during the execution of the handshake protocol. The steps are described below.

  1. The client sends a request for the servers public key to the server. The man in the middle receives this message and sends a similar message (with it's own address as response address) to the server.
  2. The server replies with its public key and sends it back to the man in the middle, which is like the client for the server. Though, the man in the middle receives this key and doesn't forward it to the client.
  3. The man in the middle sends its own public key to the client and computes the pre-master secret of with the public key that it got from the server.
  4. Meanwhile, the client also computes a pre-master secret, with the public key it believes to be from the server while it is actually from the man in the middle.
  5. Then the pre-master secret from the client is sent to the man in the middle and the pre-master secret from the man in the middle is sent to the server.
  6. Now the server, and the man in the middle compute a master secret for their connection and the client and the man in the middle compute another master secret for this connection. Leaving the client and server to think that they are both securely connected with each other.
  7. Messages can now be send over the two secured networks while the man in the middle is able to read all the messages.

When a man in the middle attack is performed while a secure connection is already set up, the man in the middle won't be able to decrypt the messages anymore. Though, the man in the middle can try to break the connection so that the client and server have to set up the connection again leaving them vulnerable for an attack.

Since in many browser a certificate is needed to set up a secure connection, the man in the middle is not able anymore to set up a secure connection with the client since it doesn't have such a certificate. A certificate can be bought by companies that want to be able to communicate with their clients over a secure connection. To now perform a man in the middle attack the SSL layer of the connection can be stripped. The man in the middle can still communicate with the server over a secure connection because it is acting as a client. But it cannot set up a secure connection with the client since the man in the middle doesn't have a certificate. The only way to now eavesdrop on a 'TSL connection' is by stripping the SSL layer in this part of the connection. A client can however detect this procedure since the 's' will be deleted from 'https' leaving only 'http' in the URL.

Copyright © 2011, Chen, Hermsen & Slijpen