Asymmetric encryption needs the recipient's public key in advance ("Bob must send his public key to Alice first"). Why is that the moment where things can go wrong?
If an attacker can slip Alice a fake "Bob" public key, Alice will happily encrypt to the attacker instead — so the whole scheme rests on getting the right public key.
The math guarantees that only the holder of the matching private key can decrypt. But it says nothing about whose key you actually have. If a man-in-the-middle intercepts the key exchange and substitutes their public key, then:
- Alice encrypts with the attacker's key (thinking it's Bob's),
- the attacker decrypts, reads/alters, re-encrypts with Bob's real key, and forwards.
Neither Alice nor Bob notices. This is the key-authentication problem, and it's exactly what digital certificates and PKI exist to solve.
Tip: Encryption protects the message; it does not prove who owns the key. That gap is the door every interception attack walks through.