Most organizations would probably associate encryption with data protection and secrecy. But an unusual new book, entitled "Malicious Cryptography: Exposing Cryptovirology," is a jolting reminder that a lot of damage is going to occur if computer virus writers and hackers ever start using encryption in a widespread way.
Adam Young, a cryptography expert and consultant, teamed with Moti Yung, a senior researcher at Columbia University and editor of the Journal of Cryptology on this volume. Though their book is a tad weighty with crypto math and histrionic hacker evil, the point that Young and Yung intend to make is clear: attacks can be made based on encryption. And "Malicious Cryptography" describes several potential problems that can arise, including the "cryptovirus extortion attack" that would let an attacker subvert computer systems and encrypt data, holding it for ransom.
"The concept of a cryptovirus is a simple one," the authors write in their book. "Place a public key in a virus and let it perform one-way operations on the host system that only the author can undo. It is really the payload of a cryptovirus that gives it an edge, since the public key in no way assists in viral replications."
Data that can't be unscrambled by the rightful owner may be so valuable that the owner will pay the ransom to get it back. Or, if it's a matter of combat, war or terrorism, the goal may simply be to make valuable information unobtainable.
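The defensive corollary of the cryptovirus payload described above is that the infected host only ever holds the public key, so once the one-way operation has run there is nothing locally to undo it with; what a defender can still do is notice the operation while it is happening. As an added example (not from the book or this post), here is a byte-entropy check over constructed sample files that flags contents that look like the output of such an encryption step; the file names, sample contents and threshold are assumptions for illustration.

```python
import math
import random
from collections import Counter

# Constructed sample "files": a document before and after a cryptovirus-style
# one-way operation. Because good ciphertext is indistinguishable from random
# bytes, the encrypted copy is simulated with a seeded PRNG (deterministic,
# so the example is reproducible offline).
SAMPLE_FILES = {
    "report.txt": b"Quarterly figures: revenue up 4%, costs flat. " * 40,
    "report.txt.locked": random.Random(42).randbytes(1800),  # stand-in for ciphertext
    "notes.md": b"# Meeting notes\n- backups verified\n- rotate keys\n" * 30,
}

ENTROPY_THRESHOLD = 7.5  # bits per byte; English text usually sits around 4-5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Heuristic: ciphertext is close to 8 bits/byte, plaintext documents are not."""
    return shannon_entropy(data) >= threshold


def scan(files: dict) -> dict:
    """Return {name: entropy} for every file whose contents look encrypted."""
    return {
        name: round(shannon_entropy(data), 2)
        for name, data in files.items()
        if looks_encrypted(data)
    }


if __name__ == "__main__":
    for name, entropy in scan(SAMPLE_FILES).items():
        print(f"high-entropy file, possible cryptovirus output: {name} ({entropy} bits/byte)")
```

Compressed archives and media files are also high-entropy, so in practice this check is combined with other signals (write rate, renamed extensions, file-type mismatches) rather than used alone.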
With that in mind, Young and Yung explore various ways that Trojan software can be used to encrypt login/password pairs and broadcast them out to the attacker. The attacker could use digital signatures to authenticate messages from the cryptotrojan. The list of possibilities, lumped under the term "kleptography," appears more abundant than many would presume. While virus writers have been known to use encryption to hide their malware in the past, the authors of "Malicious Cryptography" say their book only looks at "the tip of the iceberg" of what's possible when you blend encryption and viruses together.
"This book is our earnest attempt to explore the open research in this area, since corporations, government, and individuals have a right to know about that which threatens the integrity of their computing machinery," the authors conclude. And in rebuttal to anyone who thinks Young and Yung are giving away too much to those who might exploit the cryptovirus concept, they retort: "these attacks exist, they are real," and "it is perilous to sweep them under the rug."
There are other provocative new books out whose authors are also defending their ever-so-detailed candidness. Gary McGraw and Greg Hoglund, who wrote "Exploiting Software: How to Break Code," have to fend off criticism that their just-published book helps hackers. McGraw discussed this in an interview with Network World editor John Dix. But what's your opinion? Are security experts writing these tell-all books basically handing matches out to pyromaniacs? Let me know what you think.
Are there any learning institutions in the CT area that you can recommend that teach cryptography?
Posted by: Lamont Quinitchett on April 13, 2004 08:38 AM
Malicious Cryptography and Exploiting Software are both "Cigital" books. We're working hard to make sure the attacks we discuss do not happen!
gem
Posted by: Gary McGraw on April 15, 2004 05:20 PM