Imagine a situation where you have just received a letter in the mail (or by carrier pigeon, if mail has yet to be invented) from your dear beloved. Try to refrain from opening it just for the moment (I know you are excited). Now consider the possibility that your letter has been intercepted by some mischevious crook who has nefarious intents, and the message is compromised. But unknown to you, this crook, with great care and attention to detail, folds the letter back and places it into the envelope as it was sent, sealing the envelope with no traces of it having been opened. Who could have done such a thing? What does he intend to do with this information? I know you are upset and frightened, but please remain calm. You are now the victim of what is called a “Man-in-the-Middle” Attack.
Now, some of you might be thinking, “Well, I have no reason to worry. There was nothing confidential in that letter.” or perhaps “Bah! There is no way he could decipher our ingenious code and learn the contents of that message!” If this is the case (and you are absolutely certain your encryption is cryptographically secure), then consider the case of war-time communication. How can you be certain your message is not being intercepted and read by the enemy, then passed on as usual without any sign of tampering to your intended destination? In many cases, interception is inevitable. The Internet is a medium through which fantastic resources allow near-instant communication between two or more parties. But there is a catch. Everything you do online is susceptible to a Man-in-the-Middle Attack, since the data is simply sent as packets which bounce from various places to reach the final destination. Most of the time, this attack is not much of a threat, as well-written web sites and applications will take care to ensure packets are not only sent from and to the explicitly allowed computers, but also securely encrypted to prevent attackers from gleaning any information from stolen packets.
So why should you be concerned? Well, if you ever do need to transmit some personal or confidential information to another party over the Internet, you want to be sure that information is not compromised, which could lead to potential identity theft. Unfortunately, the threat of this sort of attack is difficult to prevent from the position of an end-user. It is largely up to the communicating agent to implement the correct precautions and procedures to help avoid an attack. But occasionally not even they have control. Attackers who gain access to a central communications server could potentially be filtering private messages sent through it, searching for banking information, passwords, or even simply email addresses to be sold to spammers. No matter the nefarious deed, these attacks can be tricky to detect unless special attention is given to check for tampering.
Time for an analogy. When a figure of royal authority wishes to send a private letter to another figure of great importance in a far away land, he places a wax seal on the folded letter (or later envelope), both to hold it shut and to verify the identity and preservation of his message. The idea is that if the seal is broken when received, then it is known that the letter has been compromised. While this does not prevent the message from being intercepted, it lets the recipient know so he may take action to find and prosecute the criminal. Another more modern example of this concept is the tamper-evident product packaging found on many food items. Jars often come with a safety lid, which pops out when opened to indicate the seal has been broken, and consumers are urged to avoid buying jars with popped lids. Applying this same logic to computer security, we are able to determine whether or not a packet has been silently intercepted through a process called latency examination.
While it is not always necessary or even applicable, latency examination provides a means by which the sender and receiver can be made aware of evidence of tampering. One method of implementation is to encrypt the message with a long cryptographic hash function, which contains calculations that take up to tens of seconds, depending on the function chosen. By comparing the expected latency (sender encryption delay + average transmission delay + receiver decryption delay) with the observed latency, it is possible to determine whether or not a third party has tampered with the data.