When conducting this type of attack, attackers send specially crafted messages to systems or
people with the aim of obtaining an advantage for themselves or causing damage to the
victim. To design such messages, the attackers use, for example, interface
descriptions, protocol specifications or records of past communication behaviour.
In practice, there are two important special cases of attack with specially crafted messages:
• When carrying out a "replay attack" (replaying messages), attackers record valid
messages and replay this information at a later point in time (almost) unchanged. It can
also be sufficient to use only parts of a message, such as a password, in order to enter an
IT system without authorisation.
• When conducting a "man-in-the-middle attack", the attacker takes an intermediary
position in the communication between different participants without being noticed.
Usually, the attacker deceives the sender of a message by pretending to be the actual
recipient, and also deceives the recipient by pretending to be the actual sender. If
attackers succeed in deceiving both, they can thus receive messages which are not
meant for their eyes and evaluate and specifically manipulate the messages before
passing them on to the actual recipient.
Encrypting the communication does not protect against man-in-the-middle attacks when there is no secure authentication of the communication partners.
Examples:
• An attacker records the authentication data (e.g. user ID and password) during the login
procedure of a user and uses this information in order to gain access to a system. In the
case of authentication protocols that are purely static, a password transmitted in
encrypted form can also be used in order to access a third-party system in an
unauthorised manner.
• In order to cause financial damage to the employer (public authority or company), an
employee places an approved order several times.