A Review of Man-in-the-Middle Attacks

This paper presents a survey of man-in-the-middle (MIM) attacks in communication networks and methods of protection against them. In real time communication, the attack can in many situations be discovered by the use of timing information. The most common attacks occur due to Address Resolution Protocol (ARP) cache poisoning, DNS spoofing, session hijacking, and SSL hijacking. Introduction Man-in-the-Middle (MIM) attacks make the task of keeping data secure and private particularly challenging since attacks can be mounted from remote computers with fake addresses. Whereas communications security was primarily that of breaking of encryption transformations (as in the case of the Enigma machine during the Second World War [1]), the problem of security in computer networks also involves active interference by intruders, and of these MIM attack is one of the most spectacular. The MIM attack takes advantage of the weaknesses in the authentication protocols being used by the communicating parties. Since authentication is generally provided by third parties who issue certificates, the system of certificate generation becomes another source of potential weakness. The MIM attack allows the intruder or the unauthorized party to snoop on data through the backdoor. This intervention is also being used by companies to pry upon their employees and for adware. For example, in early 2015, it was discovered that Lenovo computers came preinstalled with adware called Superfish that injects advertising on browsers such as Google Chrome and Internet Explorer. Superfish installs a self-generated root certificate into the Windows certificate store and then resigns all SSL certificates presented by HTTPS sites with its own certificate. This could allow hackers to potentially steal sensitive data like banking credentials or to spy on the users’ activities [2]. Cryptographic protocols designed to provide communications security over a computer network are a part of Transport Layer Security (TLS). These protocols use X.509 which is an ITU-T standard that specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm [3]. The X.509 certificates are used for authentication the counterparty and to negotiate a symmetric key. As mentioned, certificate authorities are a weak link within the security system. In electronic mail, although servers do require SSL encryption, contents are processed and stored in plaintext on the servers. Google and Mozilla recently announced that they would stop accepting certificates issue by CNNIC (China Internet Network Information Center) [4]. According to Google’s Security Blog [5]: On Friday, March 20th, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC. CNNIC is included in all major root stores and so the misissued certificates would be trusted by almost all browsers and operating systems. ... We promptly alerted CNNIC and other major browsers about the incident, and we