http://inventwithpython.com/hacking
So while public key ciphers (and, in fact, all the ciphers in this book) can provide
confidentiality (that is, keeping the message a secret), they don’t provide authentication (that
is, proof that the person you are communicating with really is who they say they are).
Normally this isn’t a problem with symmetric ciphers, because when you exchange keys with the
person you can see them for yourself. However, you don’t need to see a person in order to get
their public key and begin sending them encrypted messages. This is something to keep in mind
when using public key cryptography.
There is an entire field called PKI (Public Key Infrastructure) that deals with authentication so
that you can match public keys to people with some level of security; however, PKI is beyond the
scope of this book.

The Man-In-The-Middle Attack

Even more insidious than hacking our encrypted messages is a man-in-the-middle attack. Say
Emmanuel Goldstein really did want to communicate with you and sent you the above message,
but the spy agency intercepted it. They could then replace the public key Emmanuel attached to
the email with their own public key, and then send it on to you. You would think the spy agency’s
key was Emmanuel’s key!
Now when you encrypt a reply to Emmanuel, the spy agency intercepts that message, decrypts it
(since you really encrypted the message with the spy agency’s public key, not Emmanuel’s public
key) and reads it, and then re-encrypts it with Emmanuel’s actual public key and sends it to him.
They do the same thing with any messages that Emmanuel sends to you.
Figure 24-1. A man-in-the-middle attack.
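
The key substitution described above, and one way to catch it, as an added example that is not code from this book. It assumes toy textbook RSA keys built from tiny constructed primes and a hypothetical out-of-band step in which Emmanuel gives you a fingerprint of his public key; `make_keypair`, `crypt`, `fingerprint` and `run_exchange` are names invented for this illustration.

```python
import hashlib

def make_keypair(p, q, e):
    """Toy textbook RSA from tiny constructed primes (illustration only)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)

def crypt(number, key):
    """Encrypt with a public key or decrypt with a private key."""
    n, exponent = key
    return pow(number, exponent, n)

def fingerprint(public_key):
    """Short digest of a public key, easy to compare in person or by phone."""
    n, e = public_key
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]

def run_exchange(check_fingerprint, message=1234):
    emmanuel_pub, emmanuel_priv = make_keypair(61, 53, 17)
    agency_pub, agency_priv = make_keypair(89, 97, 5)
    # Assumption: Emmanuel gave you this fingerprint over a separate channel.
    trusted_fp = fingerprint(emmanuel_pub)
    # The key attached to the email was replaced in transit.
    received_pub = agency_pub
    if check_fingerprint and fingerprint(received_pub) != trusted_fp:
        # Mismatch: refuse to encrypt to a key you cannot tie to Emmanuel.
        return {"sent": False, "agency_read": None, "emmanuel_read": None}
    # Without the check, you encrypt to whatever key arrived.
    ciphertext = crypt(message, received_pub)
    agency_read = crypt(ciphertext, agency_priv)   # agency decrypts and reads
    forwarded = crypt(agency_read, emmanuel_pub)   # re-encrypted for Emmanuel
    emmanuel_read = crypt(forwarded, emmanuel_priv)
    return {"sent": True, "agency_read": agency_read,
            "emmanuel_read": emmanuel_read}

if __name__ == "__main__":
    print("no check:  ", run_exchange(check_fingerprint=False))
    print("with check:", run_exchange(check_fingerprint=True))
```

Without the check, both the agency and Emmanuel recover the same plaintext and neither of you sees anything wrong; with the check, the mismatch stops the reply before anything is encrypted to the substituted key.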