What is a Man-in-the-Middle Attack?
A Man-in-the-Middle attack (MitM) is a type of cyberattack in which the attacker inserts themselves into the communication between two parties (people or systems) without either of them being aware of it, and relays the traffic between them. Because every message passes through the attacker, they can eavesdrop on it, alter it, or inject their own messages, and then pass the result on to the other side.
Since each party believes it is talking directly to the other, the attacker can read sensitive information being shared and inject whatever content they want. Because the relay happens in real time, the attacker can also change transactions while they are in flight, for example modifying the recipient account number and the amount of a bank transfer.
How Does a Man-in-the-Middle Attack Work?
Let us consider two parties, AA and BB, who need to communicate securely with each other, and CC, the attacker who wants to intercept the communication. CC is positioned so that every message between AA and BB passes through CC. When AA wants to send a sensitive message to BB, the following happens:
1. AA sends a message to BB asking for BB's public key. CC intercepts the message but relays it unchanged.
2. BB responds with its public key (BBK). CC intercepts the response, replaces BBK with CC's own public key (CCK), and forwards the altered response to AA.
3. AA encrypts the sensitive message with the key it received (CCK), believing it to be BB's key, and sends the ciphertext to BB.
4. CC intercepts the ciphertext and, because it was encrypted with CCK, decrypts it with CC's private key and reads it. CC may now modify the message. CC then encrypts the (possibly modified) message with BB's real public key (BBK) and sends it on to BB.
5. BB decrypts the message with its private key and reads it, with no indication that it was read or altered on the way.
6. From this point on, CC controls the content of every message exchanged between AA and BB, while each side believes it is talking directly to the other.
The attack succeeds because in step 2 AA has no way to check that the public key it received really belongs to BB. Any mechanism that lets AA verify that binding (a certificate from a trusted authority, or a previously pinned key fingerprint) breaks the attack at step 3.
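The six steps above, played out in code. This is an added example, not code from the original article: it uses textbook RSA over fixed Mersenne primes with no padding, which is enough to show the key substitution but must never be used for real traffic. The parties keep the article's names (AA, BB, CC), the message text is constructed for the demo, and the optional pinned fingerprint check in step 3 is the authentication defence described in the next section.

```python
"""Key-substitution MitM between AA and BB, with CC relaying in the middle.

Added example. Textbook RSA (no padding) on fixed Mersenne primes so the
run is reproducible; a toy, not a usable cryptosystem.
"""
import hashlib

E = 65537  # standard public exponent; coprime to phi for the primes below


def rsa_keypair(p, q):
    """Return (public, private) as ((n, e), (n, d)) from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse (Python 3.8+)
    return (n, E), (n, d)


def encrypt(message, public):
    """Textbook RSA: interpret the bytes as an integer m < n and raise to e."""
    n, e = public
    m = int.from_bytes(message, "big")
    assert m < n, "message too long for this toy key"
    return pow(m, e, n)


def decrypt(ciphertext, private):
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def fingerprint(public):
    """Short identifier AA could have pinned out of band for BB's key."""
    n, e = public
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]


# Fixed keys (products of Mersenne primes) so every run gives the same result.
BB_PUB, BB_PRIV = rsa_keypair(2**89 - 1, 2**107 - 1)   # BBK and BB's private key
CC_PUB, CC_PRIV = rsa_keypair(2**61 - 1, 2**127 - 1)   # CCK and CC's private key

ORIGINAL = b"Pay 100 to ACCT-1111"   # constructed sample message from AA
TAMPERED = b"Pay 900 to ACCT-6666"   # what CC substitutes in step 4


def run_exchange(cc_present=True, pinned_fingerprint=None):
    """Play out steps 1-6 and report what CC read and what BB finally decrypted.

    cc_present=False is the honest exchange. If AA holds a pinned fingerprint
    of BBK, the substituted key is rejected in step 3 and nothing is sent.
    """
    # Steps 1-2: AA asks for BB's key; BB answers with BBK; CC swaps in CCK.
    key_seen_by_aa = CC_PUB if cc_present else BB_PUB

    # Step 3: AA verifies the key if it can, then encrypts for whoever owns it.
    if pinned_fingerprint is not None and fingerprint(key_seen_by_aa) != pinned_fingerprint:
        return {"detected": True, "cc_read": None, "bb_received": None}
    ciphertext = encrypt(ORIGINAL, key_seen_by_aa)

    cc_read = None
    if cc_present:
        # Step 4: CC decrypts with its own private key, alters, re-encrypts under BBK.
        cc_read = decrypt(ciphertext, CC_PRIV)
        ciphertext = encrypt(TAMPERED, BB_PUB)

    # Step 5: BB decrypts a perfectly valid ciphertext and trusts its content.
    bb_received = decrypt(ciphertext, BB_PRIV)
    return {"detected": False, "cc_read": cc_read, "bb_received": bb_received}


if __name__ == "__main__":
    print("honest   :", run_exchange(cc_present=False))
    print("with CC  :", run_exchange())
    print("pinned   :", run_exchange(pinned_fingerprint=fingerprint(BB_PUB)))
```

The point the run makes is that nothing in steps 3 to 5 fails cryptographically: every ciphertext decrypts correctly and BB sees a well-formed message. The only place the attack can be stopped is where AA decides whether the key it received belongs to BB, which is what a certificate chain or a pinned fingerprint provides.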
How to Defend Against MitM Attacks
MitM attacks are detected and prevented in three ways: authentication, tamper detection, and forensic analysis. Authentication assures the receiving party that a message really came from the claimed source, and cryptographic protocols normally build endpoint authentication in for exactly this reason. Transport Layer Security (TLS) protects TCP connections against MitM by authenticating the server to the client: the server presents a certificate issued by a certificate authority (CA) that the client already trusts, and the client checks both the signature chain back to that CA and that the certificate's name matches the host it intended to reach. TLS relies on a public key infrastructure (PKI) of trusted CAs for this; it is not itself the PKI. If the server also requires a certificate from the client, the authentication is mutual, but in most deployments only the server is authenticated.
In email, Secure/Multipurpose Internet Mail Extensions (S/MIME) encrypts messages so that only the intended recipients can read them, and signs them with a certificate issued to the sender. The signature lets a recipient detect a message that was altered in transit or that did not come from the claimed sender; encryption alone gives confidentiality but does not by itself prove who sent the message.
Tamper detection adds an integrity check to each message, such as a message authentication code (MAC) or a digital signature, computed with a key the attacker does not hold. A message that was modified in transit fails the check, so the recipient knows it was altered even if it cannot tell who altered it. A plain checksum or unkeyed hash does not provide this, because an attacker who changes the message can simply recompute it.
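To make the difference concrete, here is an added example (not part of the original article) in which CC rewrites the account number in a message from AA to BB. The message is protected once with an unkeyed SHA-256 checksum and once with an HMAC under a key assumed to be shared between AA and BB but unknown to CC; the key value and the message text are constructed for the demo.

```python
"""Tamper detection: an unkeyed hash versus an HMAC.

Added example. CC sits between AA and BB and rewrites the message; the
question is whether BB can tell. The SHARED_KEY is assumed to have been
agreed between AA and BB out of band and is never seen by CC.
"""
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key-not-for-production"  # assumed pre-shared AA<->BB secret

ORIGINAL = b"Pay 100 to ACCT-1111"  # constructed sample message from AA


def seal_with_hash(message):
    """Weak: an integrity tag anyone, including CC, can recompute."""
    return message, hashlib.sha256(message).hexdigest()


def check_with_hash(message, tag):
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), tag)


def seal_with_hmac(message, key=SHARED_KEY):
    """Keyed tag: recomputing it for a changed message requires the key."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def check_with_hmac(message, tag, key=SHARED_KEY):
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def cc_tamper(message, tag):
    """CC's best effort without the key: rewrite the message and attach a
    freshly computed unkeyed hash so the tag still 'looks right'."""
    altered = message.replace(b"ACCT-1111", b"ACCT-6666")
    return altered, hashlib.sha256(altered).hexdigest()


def bb_accepts_after_tampering(keyed):
    """Return True if BB accepts CC's altered message under the chosen scheme."""
    if keyed:
        message, tag = seal_with_hmac(ORIGINAL)
        message, tag = cc_tamper(message, tag)
        return check_with_hmac(message, tag)
    message, tag = seal_with_hash(ORIGINAL)
    message, tag = cc_tamper(message, tag)
    return check_with_hash(message, tag)


if __name__ == "__main__":
    print("unkeyed hash, BB accepts tampered message:", bb_accepts_after_tampering(keyed=False))
    print("HMAC,         BB accepts tampered message:", bb_accepts_after_tampering(keyed=True))
```

With the unkeyed hash BB accepts the altered transfer, because CC recomputed the checksum along with the message. With the HMAC the check fails, since CC cannot produce a valid tag for the new content without SHARED_KEY. A digital signature gives the same tamper detection without a shared secret, and additionally identifies the signer, which is why signed S/MIME mail and TLS certificates are the usual choice when the parties have no prior shared key.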
In forensic analysis, network traffic captured during a suspected MitM attack is examined after the fact to confirm whether an attack actually took place and to identify its source. Unlike authentication and tamper detection, this does not stop the attack; it establishes what happened and supports the response.