Let us assume that there is a man in the middle who can read (not modify) all the data that’s being transferred between a client and the server. We want the client to be able to login without sacrificing their credentials.
We will be using asymmetric Encryption here.
When the client wants to login, client will send a signal to server to initiate the process and generate a key pair and send the public key to server, The server will create a session and generate a key pair for itself and return the public key to client. Now, both have key pairs, so any data transfer between them can be encrypted and there is no way the man in the middle will be able to read the data.
Thus, the client can send encrypted login credentials to server and, server can return encrypted login data.
Our assumption that the man in the middle can’t modify data is mostly wrong, and thus, if the middleman replaces the keys with the ones he generated, then he will be able to read all the data.
Is there any scope in this proposal?
Would love to hear feedback from fellow cybersecurity engineers