

Key Authentication: Importance

If you do not properly check the authenticity of another person's key, you can be deceived into sending your confidential messages to the wrong person. Here are the methods that could be used against you:


Simple Impersonation


Someone sends you a key with the name of a friend, acquaintance, or business partner, but with a wrong e-mail address: If your friend Joe Schmitt's e-mail actually is

JoeSchmitt@aol.com


the impersonator sends you a key with the e-mail address


JoeSchmitt@gmx.com


and you fail to notice. Now, whenever you think you are sharing your secrets with Joe Schmitt, you are actually sending them to the impersonator. You may only find out one day when you talk to Joe Schmitt in person and learn that he never received any of your messages.


A similar method works if the impersonator has access to Joe Schmitt's e-mail account; then he (or she) does not even have to lie about the e-mail address, but merely has to send you his or her own key instead of the real Joe Schmitt's key. (Joe Schmitt will not be able to read anything you send him and may wonder about the gibberish in his in-box.)


Man In The Middle (MITM) Attack


This is more sophisticated:


(a) Someone sends you a key with the name of a friend, acquaintance, or business partner (again: Joe Schmitt), but with a wrong e-mail address, just as described above.


(b) The same someone sends your friend Joe Schmitt another key, with your name, but (again) with a wrong e-mail address. Both of you send your public key to this someone, thinking you are sending it to each other.


This "Man In The Middle" can now read your correspondence. If he (or she) always faithfully re-encrypts and forwards the mail to you and your friend after reading it, neither of you will even notice that a message is missing!


What to do about it:


a) For lower level security: When you get a key from someone you know, call him/her or send a letter (or, if you use e-mail, at least use a different e-mail address for this person than the one contained in the key) and ask if he or she sent you a key.


b) Higher level security:

    1. Call the apparent owner of the key on the phone.
    2. Identify the voice. Ask if he or she sent you a key.
    3. Compare the LENGTH and the FINGERPRINT of the key you received with the length and fingerprint the other person reads out from his or her own key. The fingerprint uniquely identifies a key, so if the fingerprints match, you know you have his/her key.


While you are at it: also read out the fingerprint of your own key, so the other person can make sure he or she actually has your key.
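To make step 3 concrete, here is an added example (not part of InstantCrypt or this page) showing what a fingerprint is and how the comparison should be done. It computes the OpenPGP v4 fingerprint exactly as RFC 4880 defines it (SHA-1 over 0x99, a two-byte length, and the public-key packet body), reads the key length from the RSA modulus, and compares the fingerprint you received against the one read out on the phone, ignoring spacing and case. The two moduli, the creation time and the names are constructed sample values, not real keys; `check_key`, `fingerprints_match` and the other function names are this example's own.

```python
"""OpenPGP v4 fingerprint computation and out-of-band comparison (added example)."""
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 public-key packet for an RSA key (RFC 4880 section 5.5.2)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint_v4(body: bytes) -> str:
    """v4 fingerprint: SHA-1 over 0x99, two-byte body length, then the body (RFC 4880 section 12.2)."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The long key ID is the low-order 64 bits, i.e. the last 16 hex digits of the fingerprint."""
    return fingerprint[-16:]


def key_bits(body: bytes) -> int:
    """Key LENGTH: bit count of the RSA modulus, the first MPI after version(1)+created(4)+algo(1)."""
    return struct.unpack(">H", body[6:8])[0]


def pretty(fingerprint: str) -> str:
    """Print in the usual 4-character groups so it can be read out over the phone."""
    groups = [fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def normalize(fingerprint: str) -> str:
    """Strip whitespace and case so 'ab cd' and 'ABCD' compare equal."""
    return "".join(fingerprint.split()).upper()


def fingerprints_match(received: str, spoken: str) -> bool:
    """Compare the fingerprint of the key you received with the one read out to you."""
    a, b = normalize(received), normalize(spoken)
    # A v4 fingerprint is always 40 hex digits; a partial match is not a match.
    return len(a) == 40 and hmac.compare_digest(a, b)


def check_key(body: bytes, spoken_fingerprint: str, spoken_bits: int) -> bool:
    """Step 3 of the page: both the key length and the fingerprint must agree."""
    return key_bits(body) == spoken_bits and fingerprints_match(fingerprint_v4(body), spoken_fingerprint)


# Constructed sample keys (NOT real keys): same name and e-mail, different key material.
CREATED = 1700000000
JOE_BODY = rsa_public_key_body((1 << 2047) | 12345, 65537, CREATED)       # the real Joe Schmitt
IMPOSTOR_BODY = rsa_public_key_body((1 << 2047) | 54321, 65537, CREATED)  # key sent by the impersonator
JOE_SPOKEN = pretty(fingerprint_v4(JOE_BODY)).lower()  # what Joe reads out on the phone

if __name__ == "__main__":
    for label, body in (("received from 'Joe'", JOE_BODY), ("received from impostor", IMPOSTOR_BODY)):
        fp = fingerprint_v4(body)
        print(f"{label}: {key_bits(body)}-bit, key ID {key_id(fp)}")
        print(f"  fingerprint {pretty(fp)}")
        print(f"  matches what Joe read out: {check_key(body, JOE_SPOKEN, 2048)}")
```

The impersonator's key carries the same name and e-mail address as the real one, which is exactly why the user ID alone proves nothing; only the fingerprint (and the length) distinguishes the two packets. Comparing after normalization matters because the person on the phone will read the groups out loud with pauses and without caring about upper or lower case.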