Why can a man-in-the-middle attack not happen with RSA?

This is the problem of key distribution, and it is difficult. In general, Alice must already know that the key belongs to Bob, or have someone she trusts attest that it belongs to him.

For HTTPS this is accomplished by a Public Key Infrastructure (PKI), where Certificate Authorities (CAs) attest that a key belongs to a certain domain or set of domains. This scheme quickly falls apart if any widely trusted CA proves unworthy of the trust placed in it, and unfortunately this has happened multiple times in the past (WoSign, Symantec).

SSH mitigates it by storing the host key for each server you connect you, then warning you if the host key changes for future connections (this is called trust on first use). It also warns you and allows you to verify the key's fingerprint when first connecting, but this requires obtaining the fingerprint through some other means, so it doesn't solve the problem so much as pass it on to the user.


The problem you described can indeed happen - nothing in RSA (or any other encryption scheme) prevents it. This is called eg. "key distribution problem".

Yes, exchanging they key over a secure channel, instead of the insecure one of the message, is one way to solve it. Depending on the use case there might be other useful ways (or not).

In TLS, this is prevented by already having something on the other side - the public vertificates of various CAs, pre-installed with the operating system or browser. It can be used to check the signature of the transmitted public key, that a CA first made.

(Not really relevant for this question, but no one encrypts messages directly with RSA. Eg. because it is slow. Encrypting the messages with AES and then only the AES key with RSA is much more common, but this doesn't change the problem here).