Is encryption useless against packet sniffing?

Red Squirrel

No Lifer
May 24, 2003
70,667
13,835
126
www.anyf.ca
I was thinking, for an encryption such as an SSL connection to take place, there needs to be some kind of handshake and key exchange. If the entire process is packet sniffed, can it be decoded based on the handshake?

The client needs to know how to decrypt the pages, and the only way for it to know is to be told by the server during the handshake, which is also sniffed, assuming the packet sniffer is started before it takes place.

Am I missing something on how encryption works? This just seems too easy.
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
There are indeed tools that can successfully sniff SSL traffic. This is why it is important to design networks in a way that sniffing and/or Man In The Middle Attacks are not possible (or at least extremely unlikely).
 

blackangst1

Lifer
Feb 23, 2005
22,902
2,359
126
Sure. Ettercap, Clearwatch, and Burp Suite are a few. But as the previous posters mentioned, these are MITM attacks, and you do need to trust your network. If you're trying to get or give information you don't want intercepted, there are better ways.
 

Red Squirrel

Ah ok, so I'm not totally on the wrong track then. So really the bottom line is to trust the network. Guessing the odds of being intercepted off the LAN, and on the actual internet side, is quite slim, right? Like what are the odds of someone capturing my banking session other than an ISP employee up to no good (who would get fired!).

Guess encryption that has a key that was sent using a different medium is probably way more secure then, right? For example SSH with key pair, and let's assume the key was actually physically brought to the end point without leaving the hands of the person. Kinda over the top mind you, but guess if you REALLY want to be sure... :p
 

blackangst1

> Ah ok, so I'm not totally on the wrong track then. So really the bottom line is to trust the network. Guessing the odds of being intercepted off the LAN, and on the actual internet side, is quite slim, right? Like what are the odds of someone capturing my banking session other than an ISP employee up to no good (who would get fired!).
>
> Guess encryption that has a key that was sent using a different medium is probably way more secure then, right? For example SSH with key pair, and let's assume the key was actually physically brought to the end point without leaving the hands of the person. Kinda over the top mind you, but guess if you REALLY want to be sure... :p

You're on the right track. The only plausible chance of your banking sessions getting intercepted is if someone were to gain control over your PC. But that's the problem with any encryption scheme. As far as sending receiving, I don't know of a better way than with asymmetric public keys.
 

Red Squirrel

> You're on the right track. The only plausible chance of your banking sessions getting intercepted is if someone were to gain control over your PC. But that's the problem with any encryption scheme. As far as sending receiving, I don't know of a better way than with asymmetric public keys.

Yeah, and if someone has access to my PC or network then that would be a bigger problem on its own, that no encryption can protect against. It becomes more or less a firewall / app security thing.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Man-in-the-middle is not really "sniffing" in its purest form. The MITM takes an active part in setting up the encryption. That's not the same thing as a passive sniffer that's "listen-only".
 

daishi5

Golden Member
Feb 17, 2005
1,196
0
76
> Man-in-the-middle is not really "sniffing" in its purest form. The MITM takes an active part in setting up the encryption. That's not the same thing as a passive sniffer that's "listen-only".

Can you execute a MITM attack against a connection that has a pre-shared key? I don't want to say that is not possible, but it seems like the pre-shared key form of encryption protects against MITM and sniffer attacks. Is there any form of encryption that does not have pre-shared information, or is otherwise vulnerable to these attacks?
 

gsellis

Diamond Member
Dec 4, 2003
6,061
0
0
> Can you execute a MITM attack against a connection that has a pre-shared key? I don't want to say that is not possible, but it seems like the pre-shared key form of encryption protects against MITM and sniffer attacks. Is there any form of encryption that does not have pre-shared information, or is otherwise vulnerable to these attacks?

In theory. But if you do not have the key, you have to guess it. Therefore, if the key has a weakness, you gather lots of packets and attack it offline. The stronger the key and the better the hash, the lower the probability of success. You would need a lot of PS/3's and video cards. Enough so that the police would be checking your house to see if you were running an illegal indoor pot growing operation ;)

Alternately, you can get John Travolta to hold a gun to your head and type faster.
 

Red Squirrel

> Man-in-the-middle is not really "sniffing" in its purest form. The MITM takes an active part in setting up the encryption. That's not the same thing as a passive sniffer that's "listen-only".

Yeah I heard some corporate firewalls even use a form of MITM to crack SSL. They basically intercept the certificate, or something like that, so they can decrypt the SSL session. That is scary as if that technology gets in the wrong hands...

This is all more or less theoretical thinking here though as it's quite hard to actually get between two endpoints if you're on a trusted network (ex: your house) since data centers, telcos etc have decent security, and most of this data is traveling over fiber from building to building which is not exactly something easy to tap into without being caught.
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
> Yes but the PC on the other end has to be told how to decrypt that too. So really the only way I can think of is if the key is preshared using another form of communication, like mentioned.

I see where your confusion lies.

SSL uses public key encryption, which is specifically designed to avoid the need to share a key prior to establishing an encrypted session.

An SSL server uses a public/private keypair. The public key is exposed to the world within its digital certificate, whereas the private key is securely stored on the SSL server. When a client communicates with an SSL server, it uses the server's public key to encrypt a randomly-generated value. This encrypted value can only be decrypted by the private key, which only the SSL server has access to. When the SSL server decrypts the value, it uses it to negotiate a preshared key with the client.

Throughout this entire process, the only unencrypted traffic sent over the wire would be an initial query for the types of encryption supported. A third party sniffing the traffic would see that an active SSL session exists, but they would not be (easily) able to see the SSL-encrypted data being transferred.
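
The key exchange described in the post above, next to the passive-versus-active distinction raised earlier in the thread, as an added example that is not part of any poster's message. It assumes toy textbook RSA with constructed keys and a key-fingerprint check standing in for certificate validation; all function and variable names are hypothetical.

```python
import hashlib
import secrets

E = 65537  # public exponent

def make_keypair(p, q):
    """Toy textbook RSA (constructed): returns ((n, e), d). No padding, tiny primes."""
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))

# Constructed keys built from Mersenne primes; far too small for real use.
SERVER_PUB, SERVER_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
PROXY_PUB, PROXY_PRIV = make_keypair(2**31 - 1, 2**107 - 1)

def fingerprint(pub):
    """Assumed stand-in for certificate validation: hash of the public key."""
    return hashlib.sha256(repr(pub).encode()).hexdigest()

def client_key_exchange(presented_pub, trusted_fp=None):
    """Client: check the presented key if a trusted fingerprint is known,
    then encrypt a fresh random secret to that key."""
    if trusted_fp is not None and fingerprint(presented_pub) != trusted_fp:
        raise ValueError("presented key does not match the trusted server key")
    n, e = presented_pub
    secret = secrets.randbelow(n - 2) + 2
    return secret, pow(secret, e, n)

def decrypt(ciphertext, pub, priv):
    return pow(ciphertext, priv, pub[0])

def passive_capture():
    """Honest handshake; 'wire' is everything a listen-only sniffer records."""
    secret, ct = client_key_exchange(SERVER_PUB, fingerprint(SERVER_PUB))
    return secret, {"server_public_key": SERVER_PUB, "encrypted_secret": ct}

def active_interception(client_verifies):
    """An in-path proxy presents its own key instead of the server's.
    Returns (client's secret, what the proxy decrypts)."""
    trusted = fingerprint(SERVER_PUB) if client_verifies else None
    secret, ct = client_key_exchange(PROXY_PUB, trusted)
    return secret, decrypt(ct, PROXY_PUB, PROXY_PRIV)

if __name__ == "__main__":
    secret, wire = passive_capture()
    print("sniffer sees:", wire)
    print("server recovers secret:", decrypt(wire["encrypted_secret"], SERVER_PUB, SERVER_PRIV) == secret)
    print("unverified client, proxy learns secret:", len(set(active_interception(False))) == 1)
    try:
        active_interception(True)
    except ValueError as err:
        print("verifying client aborts:", err)
```

The sniffer's capture holds only the public key and the encrypted secret; recovering the secret needs the private exponent, which never crosses the wire. Substituting a key only works against a client that skips the check.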
 

theevilsharpie

> Yeah I heard some corporate firewalls even use a form of MITM to crack SSL. They basically intercept the certificate, or something like that, so they can decrypt the SSL session. That is scary as if that technology gets in the wrong hands...

Businesses can "intercept" SSL sessions by using a proxy server that receives the SSL session from the internal client, and then communicates with the external server on the client's behalf. They cannot simply "intercept" it straight from the wire unless the encryption is incredibly weak.