Protection against RSA key spoofing?
The client communicates with the server by encrypting all messages. The server responds with encrypted messages.
How it all works.
1. The server generates a key pair and sends the public key to the client.
2. The client, having received the key, generates its own key pair and sends the public key to the server.
After these two steps, both the client and the server can communicate with each other, while encrypting all messages.
What worries me is that the person in the middle, listening to the client's channel, intercepts the key from the server, generates his keys and sends his public key to the client instead of the server. Further, all messages from the client will be decrypted with the private key of the attacker, read and encrypted with the intercepted public key of the server.
As a result, the attacker knows everything that the client sends to the server.
Next, the client generates its key pair by sending the public key to the server. But the person in the middle intercepts the message, generates their keys, and sends their public key to the client.
As a result, an attacker can read everything that the client sends and receives.
What to do, how to avoid it?
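One common defence against the key substitution described in the question, shown as an added example that is not part of the original post: the client ships with a SHA-256 fingerprint of the server's public key, obtained out of band, and rejects any key that does not match it. The key bytes, channel functions and all names below are constructed for illustration; real values would be encoded RSA public keys.

```python
import hashlib
import hmac

# Constructed stand-ins for encoded RSA public keys (not real key material).
SERVER_PUBKEY = b"constructed-server-public-key"
SUBSTITUTED_PUBKEY = b"constructed-substituted-public-key"


def fingerprint(pubkey: bytes) -> str:
    """SHA-256 fingerprint of an encoded public key."""
    return hashlib.sha256(pubkey).hexdigest()


def honest_channel(pubkey: bytes) -> bytes:
    """Delivers the key unchanged."""
    return pubkey


def tampering_channel(pubkey: bytes) -> bytes:
    """Models step 1 of the post with the key replaced in transit."""
    return SUBSTITUTED_PUBKEY


def client_accepts_unauthenticated(received: bytes) -> bool:
    # The scheme in the post: any non-empty key is trusted as the server's.
    return len(received) > 0


def client_accepts_pinned(received: bytes, pinned_fp: str) -> bool:
    # Assumption: pinned_fp reached the client out of band, for example
    # built into the client application, never over the same channel.
    return hmac.compare_digest(fingerprint(received), pinned_fp)


def handshake(channel, pinned_fp=None) -> dict:
    """Run step 1 of the exchange and report what the client decided."""
    received = channel(SERVER_PUBKEY)
    if pinned_fp is None:
        accepted = client_accepts_unauthenticated(received)
    else:
        accepted = client_accepts_pinned(received, pinned_fp)
    return {"accepted": accepted, "key_is_servers": received == SERVER_PUBKEY}


# Fingerprint distributed with the client ahead of time.
PINNED = fingerprint(SERVER_PUBKEY)
```

The client's key in step 2 needs the same treatment on the server side: unless the server has some prior way to recognise the client's key, it cannot tell a substituted key from the real one either.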