What's the actual danger of public key spoofing?

Information Security Asked on November 14, 2021

I am reading an excellent beginner’s cryptography tutorial, and on this page there is the following blurb:

Public-key cryptosystems have one significant challenge − the user needs to trust that the public key that he is using in communications with a person really is the public key of that person and has not been spoofed by a malicious third party.

I’m not immediately/inherently understanding this. If private keys cannot be feasibly derived from public keys, who cares if I have a spoofed public key? All that means is that someone handed me a bad public key, and the receiver won’t be able to decrypt it. Or is that the attack?!?

2 Answers

Imagine you have a cryptosystem that uses a public key to encrypt sensitive data (possibly other keys). If the key is not authenticated (not coming from a trusted certificate), an attacker can replace the public key with one of his own.

What's the problem? That he will also have the corresponding private key, so he would be able to decrypt it.

If he also knows the correct public key, he can just re-encrypt the content using that key. For the other end everything is fine, but the attacker just got the sensitive data.

If the sensitive data was the "genesis" for a key exchange mechanism, then the whole system is now compromised. This is why it is very important to ensure authentication of the public key. To authenticate the public key you use trusted certificates.

Please note that it is impossible to ensure full trust automatically; at some point a manual step to verify the identity should be performed, like a Certificate Authority (CA) contacting you before issuing you a certificate, or using a trustworthy procedure to deliver the root certificate of a CA (trust anchor). In most operating systems and browsers the most popular commercial CAs are built-in. You can for instance run certlm.msc on Windows to view and manage installed certificates, or see the trusted CA roots for Mozilla:

For most "common devices" development like phones and PCs the use of an already trusted CA like DigiCert simplifies trust-handling a lot. For custom developments using specific hardware you may need to use your own chain of trust.

Also refrain from using self-signed certificates (except for the trust anchor), because you come back to the original problem: that's like if I give you a piece of paper where I say that I am me, signed by me. Everyone can claim any identity and self-sign; that's why a trusted third party (CA) is required. It is the equivalent of asking for an ID issued by the government, not by the person himself.

See more at:

If you implement a custom chain of trust, it is highly recommended that private keys are stored securely, if possible hardware-backed (inside an HSM).

Answered by Guillermo Garcia Maynez on November 14, 2021
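As an added illustration of the substitution attack this answer describes (example code, not part of the original answer), the following Python model runs the same exchange twice: once with the public key taken on trust, and once with the key checked against a "certificate" first. It uses textbook RSA with tiny primes purely to make the arithmetic visible; the CA "certificate" is modelled as the CA's RSA signature over the SHA-256 hash of the subject public key, and the names Bob, Mallory and the session secret are constructed for the demo.

```python
import hashlib
from math import gcd

# Toy RSA with tiny primes. Illustration of the trust problem only;
# nothing here is a usable cryptosystem.


def _is_prime(x):
    return x > 1 and all(x % k for k in range(2, int(x ** 0.5) + 1))


def make_keypair(p, q, e=17):
    """Return ((e, n), (d, n)) for small primes p, q (constructed for the demo)."""
    assert _is_prime(p) and _is_prime(q)
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (e, n), (d, n)


def encrypt(pub, m):
    e, n = pub
    assert 0 <= m < n, "message must fit the toy modulus"
    return pow(m, e, n)


def decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)


def key_fingerprint(pub):
    """SHA-256 over the public key, as an integer; this is what the CA signs."""
    e, n = pub
    return int.from_bytes(hashlib.sha256(f"{e}:{n}".encode()).digest(), "big")


def ca_sign(ca_priv, pub):
    """Toy 'certificate': the CA signs the fingerprint of the subject key."""
    d, n = ca_priv
    return pow(key_fingerprint(pub) % n, d, n)


def ca_verify(ca_pub, pub, cert):
    """Does this certificate bind this exact public key to the CA's signature?"""
    e, n = ca_pub
    return pow(cert, e, n) == key_fingerprint(pub) % n


SECRET = 1234  # constructed "session key", small enough for the toy modulus


def mitm_scenario(authenticate):
    """Alice sends SECRET to Bob; Mallory controls the channel.

    Returns (secret_learned_by_mallory, secret_received_by_bob, key_rejected).
    """
    ca_pub, ca_priv = make_keypair(101, 113)          # trust anchor (pre-installed)
    bob_pub, bob_priv = make_keypair(61, 53)          # the genuine recipient
    bob_cert = ca_sign(ca_priv, bob_pub)              # CA-issued certificate for Bob
    mallory_pub, mallory_priv = make_keypair(67, 71)  # attacker's own pair

    # On the wire Mallory swaps Bob's key for hers. She holds no CA key, so the
    # only certificate she can forward is Bob's genuine one (or a self-signed one).
    received_pub, received_cert = mallory_pub, bob_cert

    if authenticate and not ca_verify(ca_pub, received_pub, received_cert):
        return None, None, True  # key does not match the certificate: abort

    ciphertext = encrypt(received_pub, SECRET)       # Alice trusts the received key
    learned = decrypt(mallory_priv, ciphertext)      # Mallory reads the secret ...
    forwarded = encrypt(bob_pub, learned)            # ... and re-encrypts for Bob
    return learned, decrypt(bob_priv, forwarded), False


if __name__ == "__main__":
    print("unauthenticated:", mitm_scenario(authenticate=False))
    print("authenticated:  ", mitm_scenario(authenticate=True))
```

In the unauthenticated run Mallory learns the secret and Bob still receives it intact, which is exactly why the other end "sees no difference". With the certificate check, the substituted key fails verification before anything is encrypted to it, so the check has to bind the key you actually use, not merely accompany it.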

It's an attack, FOR SURE. And that's why: all the crypto-systems have JUST ONE common problem, regardless of their other differences: a key distribution problem. That's why it's essential to buy a holographically-protected licensed CD with Windows and so forth: it contains a correct and true public key. If a malicious third party ships you software with the public key changed, it will easily wiretap your traffic and, maybe, even make a MitM with a correct key, so the software vendor will likely see no difference.

Answered by Alexey Vesnin on November 14, 2021
