Alice would like to send an encrypted e-mail to Bob. To do so she uses Bob's public
key (see Sections 6.4 and 6.7). If the villain, Mallory, palms off Alice’s own key as
Bob’s without her noticing, then he can decrypt the mail himself.
Mallory has several ways of carrying out this kind of attack. If Bob sends Alice
his public key over the Net, Mallory can intercept it and replace it with his own
(man-in-the-middle attack). He can also do this if Alice downloads Bob's key from
a server. In addition, Mallory can try to distribute his own key on the Net under the
pretence that it is Bob's.
The problems arise because there is nothing about a public key that indicates to
whom it belongs.
Revoking keys
Mallory has stolen Alice's private key from her hard disk. This means that he can
use it to read all messages that were encrypted with the associated public key. In
addition, using Alice's private key he can forge her digital signature. Fortunately
Alice has noticed the theft. She immediately generates a new key pair and does not
continue using the old private key (this is called revocation of the old key). But
how can these with whom she is communicating know that Alice's old key has been
revoked?
The problem is that one cannot tell from a public key whether it has been
revoked or not.
Non-repudiation
The purpose of a digital signature is to ensure non-repudiation. This means that
Alice cannot contest her completed signature in retrospect. When all is said and
done, a digital signature is an excellent way of meeting this requirement. If Alice
keeps her private key secret (which is in her own interests), then no one else can
imitate it. However, Alice does have one way to contest a signature: she simply
claims that the key used in the transformation of the signature was not hers.
The problem here is that there is no way of proving that a particular key belongs
to Alice.