Reputation: 7398
I'm reading about public key cryptography. Consider the scenario in which Bob wants to pass his public key to Alice so that she can send him messages that only he can decrypt. Now suppose there's a man-in-the-middle attack in which John intercepts the public key passed from Bob to Alice and passes his (John's) public key to Alice. Alice thinks she received Bob's public key, encrypts a message with it, and sends it back. John intercepts it and decrypts it with his private key, thereby intercepting Alice's message to Bob. The article I was reading says the solution is to use a digital fingerprint: Bob passes his fingerprint to Alice so that when he later passes his public key to her, she can use Bob's fingerprint to verify that the public key is valid.
What I Want to Know:
If John was able to impersonate Bob by sending his own public key instead of Bob's, why can't he do the same with the digital fingerprint? Bob would send his digital fingerprint to Alice, John would intercept and send his own fingerprint instead, then when Bob sends his public key, John would again send his own instead, and Alice would think it was Bob's because she verified it (John's public key, thinking it was Bob's) using John's digital fingerprint, thinking it was Bob's.
What am I missing here? How do digital fingerprints solve the public key impersonation attack?
Upvotes: 0
Views: 203
Reputation: 33266
You are correct that if Alice receives a (message, public key, signature) triplet — and has no other information — the message can be spoofed.
If Bob and Alice met in person in the past and exchanged public keys then Alice would know that the key sent with the message (which now doesn’t necessarily need to be sent with the message) was not from Bob.
Alternatively, Bob could get something like a Notary Public to assert that they know that this key really belongs to Bob. Now it’s a question of whether or not Alice wants to trust that Notary. In PKI (Public Key Infrastructure) the most common way of representing that is an X.509 Public Key Certificate (“a digital certificate”). The role of the Notary is served by an Issuing Certificate Authority. That CA was probably “notarized” by another CA which Alice(‘s OS) has already been told was trusted to only trust trustworthy CAs.
Upvotes: 0
Reputation: 2326
Short answer: A man-in-the-middle attack is not possible if Bob's certificate was signed by a certificate authority (CA). This is the case in reality, for example, when you visit a web site.
Long answer: Alice should have a list of trusted root CAs (provided by the web browser or operating system for example).
Bob should have an email address or domain which uniquely identifies him. This email address or domain name is embedded into his certificate.
Now when Alice receives the public certificate, she can check if it belongs to Bob by checking the email address or domain name. She can also check if the certificate is trusted by one of her root CAs. If the certificate is from John, she will see that it is not trusted and the man-in-the-middle attack will be detected.
Please note that in reality there are also intermediate CAs.
Also my answer does not cover self signed certificates.
Upvotes: 1
Reputation: 126488
You're right -- they don't help at all in and of themselves. What helps is having multiple channels of communication between Alice and Bob. John needs to be able to intercept and alter ALL channels to implement an MITM attack. More channels make that harder. Thus sending a fingerprint over a different additional channel (or over several) gives an extra "check" that John might miss, revealing his attack.
Upvotes: 0
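The following is an added example, not code from any of the posts above, that runs both defences the answers describe: the fingerprint-over-a-second-channel check from the last answer (including the questioner's case where John controls every channel) and the CA-signed-certificate check from the earlier answer. It uses only Go's standard library (Ed25519 keys, SHA-256 fingerprints, real X.509 certificates verified against a trust store). The names `bob.example`, `john.example` and "Example Root CA", the key pairs, and the choice of SHA-256 over the DER-encoded key as the fingerprint are assumptions made for the example, not anything the posts specify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint is the SHA-256 hex digest of the DER (SubjectPublicKeyInfo) encoding of a
// public key: the short value Bob could read to Alice over the phone (assumed format).
func Fingerprint(pub ed25519.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err) // cannot fail for an Ed25519 key
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// VerifyByFingerprint is Alice's second-channel check: does the key that arrived over the
// network hash to the fingerprint she obtained through a channel John did not control?
func VerifyByFingerprint(received ed25519.PublicKey, outOfBandFP string) bool {
	return Fingerprint(received) == outOfBandFP
}

// VerifyByCA is Alice's PKI check: the certificate must chain to a root in her trust
// store AND must be issued for the name she expects (Bob's domain).
func VerifyByCA(cert *x509.Certificate, roots *x509.CertPool, expectedName string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedName})
	return err
}

// issue signs a certificate for pub with signer and parses it; parent == tmpl makes it self-signed.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// template builds a minimal CA or leaf certificate template for the given name.
func template(serial int64, name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name} // the identity Alice will compare against
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Outcome records what Alice's two checks conclude in each situation.
type Outcome struct {
	BobKeyFP     bool  // honest delivery: key matches the out-of-band fingerprint
	JohnKeyFP    bool  // John swapped the key but could not touch the second channel
	JohnBothFP   bool  // John controlled both channels (the question's attack): check passes
	BobCert      error // nil: Bob's CA-issued certificate for bob.example verifies
	JohnSelfCert error // John's self-signed certificate claiming bob.example is rejected
	JohnOwnCert  error // John's genuine CA-issued certificate for john.example does not name Bob
}

// RunScenario plays out the MITM scenario from the question against both defences.
func RunScenario() (Outcome, error) {
	var out Outcome
	caPub, caPriv := mustKey()
	bobPub, _ := mustKey()
	johnPub, johnPriv := mustKey()

	bobFP := Fingerprint(bobPub) // what Bob gave Alice over the second channel
	out.BobKeyFP = VerifyByFingerprint(bobPub, bobFP)
	out.JohnKeyFP = VerifyByFingerprint(johnPub, bobFP)
	out.JohnBothFP = VerifyByFingerprint(johnPub, Fingerprint(johnPub))

	caTmpl := template(1, "Example Root CA", true)
	caCert, err := issue(caTmpl, caTmpl, caPub, caPriv)
	if err != nil {
		return out, err
	}
	bobCert, err := issue(template(2, "bob.example", false), caCert, bobPub, caPriv)
	if err != nil {
		return out, err
	}
	johnSelf := template(3, "bob.example", false) // John claims Bob's name, signs it himself
	johnSelfCert, err := issue(johnSelf, johnSelf, johnPub, johnPriv)
	if err != nil {
		return out, err
	}
	johnOwnCert, err := issue(template(4, "john.example", false), caCert, johnPub, caPriv)
	if err != nil {
		return out, err
	}

	roots := x509.NewCertPool() // Alice's trust store holds only the root CA
	roots.AddCert(caCert)
	out.BobCert = VerifyByCA(bobCert, roots, "bob.example")
	out.JohnSelfCert = VerifyByCA(johnSelfCert, roots, "bob.example")
	out.JohnOwnCert = VerifyByCA(johnOwnCert, roots, "bob.example")
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The `JohnBothFP` field is the questioner's point made concrete: a fingerprint is just a hash of the key, so if John can rewrite the channel the fingerprint travels over as well as the channel the key travels over, the comparison passes. The defence only works because Alice's trusted fingerprint (or, in the PKI case, the root CA in her trust store) reached her through a path John could not alter; John can produce a certificate that names `bob.example`, but without the CA's private key he cannot make it chain to Alice's root, and a certificate the CA legitimately issued to him still fails the name check.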