What is the man-in-the-middle (MitM) attack on Diffie-Hellman, and why can't DH prevent it?
Eve intercepts both messages and performs separate DH exchanges with Alice and Bob — establishing two different shared keys. Neither Alice nor Bob knows Eve exists.
* Eve shares K_AE with Alice and K_EB with Bob, relaying between them undetected. *
The thing to grasp is that DH authenticates nothing: each side only ever receives a number $g^{(\cdot)} \mod p$, and one such number looks exactly as valid as any other regardless of who actually sent it. That blind spot is precisely what lets Eve sit in the middle running two independent exchanges — one with each victim — and relay traffic between them.
The attack:
- Alice sends $g^a \mod p$ → Eve intercepts, sends $g^t \mod p$ to Bob
- Bob sends $g^b \mod p$ → Eve intercepts, sends $g^t \mod p$ to Alice
- Alice computes $K_{AE} = g^{at} \mod p$ (shared with Eve)
- Bob computes $K_{EB} = g^{bt} \mod p$ (shared with Eve)
- Eve can now decrypt Alice's messages with $K_{AE}$, re-encrypt with $K_{EB}$, and forward to Bob
Why DH can't prevent this:
- DH provides no authentication — Alice can't verify that the received value actually came from Bob
- It's a pure key exchange with no identity verification
- This is an impersonation attack, not a mathematical weakness
Solution: Authenticate the DH exchange using:
- Digital signatures (signed DH values)
- Certificates (PKI)
- Pre-shared secrets
- This is covered in KRYPTOE (Protocols)
Tip: Don't confuse "man-in-the-middle" (network attack) with "meet-in-the-middle" (cryptanalysis technique for 2DES)!
Go deeper:
Key Exchange Problems — Computerphile — why unauthenticated DH falls to a middleman.
Man-in-the-middle attack — Wikipedia — the general attack pattern and its defences.