
How do digital fingerprints prevent fake public keys from being passed?


I'm reading about public key cryptography. Consider the scenario in which Bob wants to pass his public key to Alice so that she can send him messages that only he can decrypt. Now suppose there's a man-in-the-middle attack in which John intercepts the public key passed from Bob to Alice and passes his (John's) public key to Alice. Alice thinks she received Bob's public key, encrypts a message with it, and sends it back. John intercepts it and decrypts it with his private key, thereby intercepting Alice's message to Bob. The article I was reading says the solution is to use a digital fingerprint: Bob passes his fingerprint to Alice so that when he later passes his public key to her, she can use Bob's fingerprint to verify that the public key is valid.

What I Want to Know:

If John was able to impersonate Bob by sending his own public key instead of Bob's, why can't he do the same with the digital fingerprint? Bob would send his digital fingerprint to Alice, John would intercept and send his own fingerprint instead, then when Bob sends his public key, John would again send his own instead, and Alice would think it was Bob's because she verified it (John's public key, thinking it was Bob's) using John's digital fingerprint, thinking it was Bob's.

What am I missing here? How do digital fingerprints solve the public key impersonation attack?


Solution

  • You're right -- they don't help at all in and of themselves. What helps is having multiple channels of communication between Alice and Bob. John needs to be able to intercept and alter ALL channels to implement an MITM attack. More channels make that harder. Thus sending a fingerprint over a different (or multiple different) additional channel(s) gives an extra "check" that John might miss, revealing his attack.
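The check described in the answer, as an added example that is not part of the original post: Alice accepts a key only if its fingerprint matches the one she received on every channel. It assumes the fingerprint is the SHA-256 hash of the encoded key; the key bytes, channel names and function names are constructed for illustration.

```python
import hashlib
import hmac

HEX = set("0123456789abcdef")

def fingerprint(public_key: bytes) -> str:
    """Fingerprint = SHA-256 of the encoded key, hex (assumed scheme)."""
    return hashlib.sha256(public_key).hexdigest()

def normalize(fp: str) -> str:
    """Drop case, spaces and colons added when a fingerprint is read out or printed."""
    return "".join(c for c in fp.lower() if c in HEX)

def check_key(received_key: bytes, channel_fps: dict) -> dict:
    """Compare the received key with the fingerprint seen on each channel."""
    actual = fingerprint(received_key)
    return {ch: hmac.compare_digest(actual, normalize(fp))
            for ch, fp in channel_fps.items()}

def accept(received_key: bytes, channel_fps: dict) -> bool:
    """Trust the key only if at least one fingerprint was seen and all agree."""
    results = check_key(received_key, channel_fps)
    return bool(results) and all(results.values())

# Constructed stand-ins for encoded public keys (not real key material).
BOB_KEY = b"constructed sample: Bob's public key bytes"
JOHN_KEY = b"constructed sample: John's public key bytes"
CHANNELS = ("email", "phone", "in_person")

def alice_accepts_swapped_key(john_controls: set) -> bool:
    """John replaces the key in transit; fingerprints arrive altered only on
    the channels he controls. Returns True if Alice fails to notice."""
    seen = {ch: fingerprint(JOHN_KEY if ch in john_controls else BOB_KEY)
            for ch in CHANNELS}
    return accept(JOHN_KEY, seen)

if __name__ == "__main__":
    for controlled in (set(), {"email"}, {"email", "phone"}, set(CHANNELS)):
        outcome = "undetected" if alice_accepts_swapped_key(controlled) else "detected"
        print(sorted(controlled), "->", outcome)
```

The substitution goes unnoticed only in the last case, where every channel carrying a fingerprint is altered; a single untouched channel is enough for the mismatch to show.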