spoof rsa fingerprint

Patrick O'Callaghan pocallaghan at gmail.com
Sun Nov 15 01:27:06 UTC 2009


On Sat, 2009-11-14 at 15:09 -0800, Eugeneapolinary Ju wrote:
> When I first log in to my router [192.168.1.1] through ssh, it says:
> 
> The authenticity of host 'XXXX.XX (192.168.1.1)' can't be established.
> RSA key fingerprint is 51:c6:d1:7a:45:c4:74:3e:31:ee:3a:5a:2d:e1:bf:74.
> Are you sure you want to continue connecting (yes/no)?
> 
> that's OK [it gets stored in the known_hosts file, on my client machine].
> 
> But:
> 
> what happens, if someone turns off my router, then installs a pc with ip 192.168.1.1?
> 
> And! - it spoofs _the same rsa fingerprint_, that was on my router.
> 
> Then, when I want to log in to 192.168.1.1, I will type my password, and it will steal my password...
> 
> So the question is:
> 
> Could that be possible, to spoof the rsa_fingerprint? [because the router says the fingerprint when first logging in to it, etc., so could that be spoofed?]

The fingerprint is simply a hash of the router's full public key.
Spoofing the fingerprint still won't enable the spoofer to understand
encrypted communications sent to them (which will continue to use the
router's genuine public key since the client hasn't noticed anything
changed). The spoofer can't guess the private key from the public key
without physical access to the router.

If the spoofer generates its own public/private key pair, the client
will notice that the signature changed. That's the point of the warning
message.

See http://www.securityfocus.com/infocus/1806

poc
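As an added illustration of the reply above (not code from the thread or from OpenSSH), the following builds an OpenSSH `ssh-rsa` public key line from constructed toy parameters, derives the colon-separated MD5 fingerprint in the same form as the quoted warning and the newer SHA256 form, and then checks a presented key against a known_hosts entry the way the client does: by comparing the full stored key, not the fingerprint. The key values, the known_hosts line and all function names are assumptions for illustration.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """One length-prefixed 'string' field of the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """SSH 'mpint': big-endian, minimal, leading zero byte if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)

def rsa_host_key_line(e: int, n: int, comment: str) -> str:
    """OpenSSH 'ssh-rsa' public key line from (e, n); the base64 blob is what
    known_hosts stores and what every fingerprint format hashes."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def md5_fingerprint(key_line: str) -> str:
    """Colon-separated MD5 of the blob, the format in the warning quoted above."""
    blob = base64.b64decode(key_line.split()[1])
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def sha256_fingerprint(key_line: str) -> str:
    """Newer OpenSSH display format: 'SHA256:' plus the unpadded base64 digest."""
    digest = hashlib.sha256(base64.b64decode(key_line.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_key_matches(known_hosts: str, host: str, presented: str) -> bool:
    """What the client actually compares (plain, unhashed host names assumed):
    the full key type and blob recorded for this host against the presented
    key. A copy of the genuine public key passes this check, but the handshake
    then demands a signature with the matching private key, which only the
    real router holds; a freshly generated key pair fails right here."""
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and host in fields[0].split(","):
            return fields[1:3] == presented.split()[:2]
    return False  # host not recorded yet: the "can't be established" prompt case

# Constructed toy parameters (NOT real RSA keys): the router's genuine key and
# a key pair an impostor generated for itself, plus an assumed known_hosts
# line written after the first accepted connection to the router.
ROUTER_KEY = rsa_host_key_line(65537, 0xC0FFEE0123456789ABCDEF0123456789ABCDEF01, "router")
IMPOSTOR_KEY = rsa_host_key_line(65537, 0xDEADBEEF0123456789ABCDEF0123456789ABCDEF, "impostor")
KNOWN_HOSTS = "192.168.1.1 " + " ".join(ROUTER_KEY.split()[:2]) + "\n"
```

`md5_fingerprint(ROUTER_KEY)` yields a 16-pair colon string like the one in the quoted warning, while `host_key_matches` returns True for `ROUTER_KEY` and False for `IMPOSTOR_KEY`, which is the warning case the reply describes.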
