Malicious Cryptography: Exposing Cryptovirology review

7.0

Editors' Rating

Very Good

Wendy M Grossman ZDNet.co.uk

Published: 23 Aug 2005

'Encryption is mathematics', the science fiction writer Bruce Sterling observed at the 1994 Computers, Freedom, and Privacy conference. 'It is not our friend'. At the time, the crypto wars were at their height, and geeks and the US government were at loggerheads over whether strong cryptography was a military weapon correctly subject to export controls, or a peacetime tool that should be set free for all to use for self-protection. As prescient as that comment was, it probably didn't occur to Sterling that cryptography could be used in a malicious attack.

Yet that's what Columbia University student Adam Young figured out how to do, as he explains in the first chapter of this book. In this attack, a virus encrypts a tranche of data -- say, everything on a hard drive -- with a public key the virus author has generated and embedded into the virus. Only the private key, which is retained by the author, can decrypt the data. This is a perfect scenario for extortion, and an example of what Young has dubbed a 'cryptovirus' -- a computer virus that contains and uses a cryptographic public key.

Moti Yung, a senior researcher at Columbia University and an editor of the Journal of Cryptology, became Young's master's thesis advisor as he fleshed out these ideas. Malicious Cryptography is more or less the result. These are not -- yet, at least -- attacks found in the wild. Instead, Young and Yung are trying to look into the future at what kinds of attack may be devised.

Parts of the book are reminiscent of many mid-1990s discussions about cryptography: people like the physicist Timothy May used to speculate about how to use it to guarantee anonymity or run a crime syndicate. Many of these things are possible now. The perfectly anonymous kidnapping, for example, could be engineered using a combination of a MIX-net, peer-to-peer protocols and cryptographically secured electronic cash. Say, for example, that you want to steal some information, but you don't want to reveal the details of what information you are stealing. As the authors explain in describing the technique of Private Information Retrieval, placing a public key within the virus would make such obfuscation possible.

Despite the frequent sprinklings of mathematics and equations, a fair portion of this book is readable by a non-expert. Readers need to understand the basics of public key cryptography, a system devised in the late 1970s to allow strangers to spontaneously exchange encrypted information. The cryptographic software generates a pair of asymmetric keys, one public and one private; each decrypts anything encrypted with the other. Much of the book is technical detail explaining such things as the inner workings of, and potential flaws in, random number generators, how to make a cryptocounter or how to create subliminal channels. The book also provides background material on computer virus basics and number theory in appendices.

Malicious Cryptography is the sort of book you'd give to a security expert who'd like to be a little more paranoid. After all, it's not paranoia if they really are out to get you.

Member Opinion

8.4

Average Member Rating

Excellent

3 Members have reviewed this product

Anonymous

good

8.0

Excellent


Clive Robinson

Written by the leaders in the field

8.7

Excellent


Anonymous

Malicious Cryptography outlines how a virus could contain and use a cryptographic...

Overview

Verdict

Malicious Cryptography outlines how a virus could contain and use a cryptographic public key, and speculates on the kind of attacks that might use this method.

Typical price

£ 29
