RE: Im talking about the man in the middle

[Tony Gurnick <TonyG@clemenger.co.nz>]

Hmm, I guess I should have been clearer.


This is what i actually meant to imply

I am assuming 

1. you dont have and hash finger print of the public key
2. You dont have any other shared secret (because you are trying to
establish one by swapping your public keys in the first place)
3. The man in the middle really is, physically in the middle.  Like your ISP
for instance.
4. That he decides totally what he passes to you and vice - versa.
(BTW this question is totally in the realm of theory and ignores things like
legal systems, CA's and PGP introducers)

EG:

ALICE							BOB
CHARLIE

ALICE's  
Public	 ------->				key interecepted
------------>		BOBS public key
Key
					BOB keeps both ALICE and CHARLIE's
public keys

BOB's			   <---------     Key intercepted
<------------          CHARLIE's public key
public key


BOB intercepts ALICE's Public key  and then forwards his public key to
CHARLIE
BOB then intercepts CHARLIES public key and sends it to ALICE

BOB now has ALICE and CHARLIE's public keys, while ALICE and CHARLIE have
BOB's public key
thinking that they have each others.  When ALICE encrypts a message with
what she thinks is CHARLIES
public key BOB can intercept it read it and then either reencrypt it in
CHARLIES public key (cause bob has it)
and sent it on to CHARLIE or create a bogus message and forward that to
CHARLIE instead.


so harder than you many think Xena :)

Not as hard as you may think -- especially with public key cryptography.
	It's essentially what you need authentication for.