What's the actual danger of public key spoofing?

Imagine you have a cryptosystem that uses a public key to encrypt sensitive data (possibly other keys). If key is not authenticated (not coming from a trusted certificate) an attacker can replace the public key to one of his own.

What's the problem? That he will also have the corresponding private key, so he would be able to decrypt it.

If he also knows the correct public key he can just reencrypt the content using that key. For the other end everything is fine, but the attacker just got the sensitive data.

If the sensitive data was the "genesis" for a key exchange mechanism then all the system is now compromised. This is why it is very important to ensure authentication of the public key. To authenticate the public key you use trusted certificates.

Please note that it is impossible to ensure full trust automatically, at some point a manual step to verify the identity should be performed, like a Certificate Authority (CA) contacting you before issuing you a certificate, or using a trustworthy procedure to deliver the root certificate of a CA (trust anchor). In most operating systems and browsers the most popular commercial CAs are built-in. You can for instance run certlm.msc on Windows to view and manage installed certificates, or see the trusted CA roots for Mozilla:

https://ccadb-public.secure.force.com/mozilla/CACertificatesInFirefoxReport

For most "common devices" development like phones and PCs the use of an already trusted CA like DigiCert simplifies trust-handling a lot. For custom developments using specific hardware you may need to use your own chain of trust.

Also refrain from using self-signed certificates (except trust-anchor), because you come back to the original problem: That's like if I give you a piece of paper where I say that I am me, signed by me. Everyone can claim any identity and self-sign, that's why a trusted third-party (CA) is required, it is the equivalent of asking for an ID issued by the government, not the person himself.

See more at:

• https://en.wikipedia.org/wiki/X.509#Certificate_chains_and_cross-certification
• https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce

If you implement a custom chain of trust it is very recommended that private keys are stored securely, if possible hardware-backed (inside an HSM).

It's an attack, FOR SURE And that's why : all the crypto-systems have JUST ONE common problem, regardless of their other differences, : a key distribution problem. Yjat's why it's essential to buy a holographically-protected licensed CD with Windows and so forth : it contains a correct and true public key. If a malicious third party will ship you a software with public key changed - it will easily wiretap your traffic and - maybe - even make a MitM with a correct key, so the software vendor will likely see no difference.