How to prevent a man-in-the-middle attack in case of a hacked server?

Question

How to prevent a man-in-the-middle attack in case of a hacked server?

Imagine that the server is serving the public keys of users to its partners to make encrypted communication possible. However, the server does NOT have access to private keys.

In any case, imagine that the server is hacked and it sends unsolicited public keys:

Alice asks Bob for the public key
    Server sends the public key to Eve
Bob asks Alice's public key
    Server sends Eve's public key
Alice sent a message to Bob. The server unpacks the message, reads it and repacks → sends it to Bob ...
Bob sends a message to Alice.
    The server unpacks the message, reads it and repacks → sends Alice ...

My question is: how to prevent such abuse? How can Alice be sure that she uses Bob's public key and vice versa?

+3

cryptography encryption rsa public-key

apirogov Aug 28 '10 at 15:39

source share

4 answers

, , - . , Bobs. , .

Web of Trust. , , . (3) ( ) , , .

+2

Felix Kling 28 . '10 15:45

. , , , . , HTTPS/SSL , - . , , , . , - , . , , , , . , , , . , , .

0

Chris thompson Aug 28 '10 at 15:48

source share

The FAQ for PGP (Pretty Good Privacy) explains this problem.

I would also recommend reading Bruce Schneier’s excellent book , Applied Cryptography, for “friendly and digestible” discussions of these topics.

0

Jcmaltadev Aug 28 '10 at 15:51

source share

bdonlan · Accepted Answer · 2010-08-28T15:46:05+0000

According to the scheme that you just proposed, you cannot. The key is here (no pun intended), if the method used to validate the keys is compromised, you lose.

SSL , - ( ) , , . , ( ) , , , .

PGP ( GPG) , - , ( ). , , , . , N (/ M ).

, , , . , , -, ...

, - ... /// :)

How to prevent a man-in-the-middle attack in case of a hacked server?

More articles: