Calamitous Cryptography: The Extortoise and the Haregretful
Pardon me for being a connoisseur of portmanteaux, but George Washington Carver once made a resounding point, among his many: one commands the attention of the world by doing a common thing in an uncommon way. Well, I may not command the attention of the world with my blatantly Aesopian play on words, but coupled with my elaboration on a still-young subject, I may have an almost magnetically fixating effect on the eyes of my audience. I'll attempt to arrive somewhere close to this goal by talking about a ubiquitous subject - cryptography - within a context that only a devil would advocate.
An ingenious cryptographer, over his or her ever-maturing tenure as a practitioner of mathematical security, will gradually become saturated with an integral truth of security; that is, it's better to think about security rationally, but conservatively, in a "just in case" manner, than to become habitually dismissal-happy toward seemingly improbable attacks. As an ever-maturing cryptographer myself, experience is gradually milking attentiveness from that security mentality I believe we "security folks" are born with; in fact, I'm convinced that it's swimming in my deoxyribonucleic acid. As my perception evolves, imagination seeps through as the primary catalyst for unconventional thinking, and it's unconventional thinking that sets the scene for what's ahead. So, without further ado, allow me to get started on that aforementioned magnetic effect. Lights! Camera! Traction!
A brainchild of gigantic proportions is born
Cryptovirology - two surreptitious fields wedded by a malignant passion. Roughly a decade or so ago, this mathematical art was spawned and cultivated as the brainchild of two seasoned cryptographers, Dr. Adam L. Young and Dr. Moti Yung; it is their clever, unconventional, and catholic mindset that we can thank for pioneering and progressively examining the implications of this unique genre, as well as for evangelically proclaiming the ramifications of ignoring it. Just as cryptographers design primitives and protocols for the sake of defense, so have they approached cryptovirology with the goal of proposing defensive countermeasures to this nefariously offensive application of the same cryptography designed with defense in mind.
Around two years ago, they published the seminal treatment of the subject, Malicious Cryptography: Exposing Cryptovirology. Although it is, thus far, the only book on the topic, owing to cryptovirology's adolescence, it is composed with the algorithmic substance that a cryptographer can appreciate, interspersed with thought-provoking novelties that retain the book's moisture.
(I smell an extensive review of this stellar title; it must be coming soon, and considering that my olfactory capabilities are in their prime, you might want to be expecting it. In the meanwhile, if you sharpen your aptitude in computational number theory, set theory, probability theory, the random oracle model, game theory, et cetera, and have an insatiable desire to run to your nearest book store, or log in to it, I have no qualms about saying, "You won't regret it.")
Judging by the title, you might be under the impression that we're going to talk about turtles and rabbits; in a sense, we are, in that they'll personify the adversary and victim in the cryptovirological protocol we'll discuss. Okay, so there isn't anything adversarially intimidating about a box turtle, so imagine a snapping turtle in the Deep South; those of you who are familiar will certainly get my drift. There is a plethora of ways to apply cryptovirology, and it's likely that the applications we're aware of make up only an infinitesimal portion of the possibilities. However, for this piece, we're going to look at cryptoviral extortion. It's almost like a Hollywood ransom plot, without the Hollywood part. It has seen its share of press coverage as of late, though.
"The Layman's How-To For Cryptoviral Extortion"
The basic structure of the attack is rather simple. An adversary designs a cryptovirus, which is sent to the victim's host. The cryptovirus is programmed to seek out two targets in particular. One target is a critical resource which the adversary will hold for ransom, in exchange for the other: a resource that the adversary desires. By definition, this is a denial-of-service (or "denial-of-resources") attack, in that it denies access to a resource owned by the victim; it follows that, to regain access, the victim must relinquish another resource, specified by the adversary. As long as the victim doesn't have a back-up of the resource being held for ransom, the extortion process succeeds, and its security depends on the security of the cryptographic primitives involved. Pretty crafty for a tortoise, eh? Here's the cryptographic low-down.
I'll be generic here, and save the specific primitive guts for another episode, but I'll stay true to the general process of Young and Yung's original cryptoviral extortion attack; in other words, for the actual primitives they use, you'll need to consult their cryptanalytical papers and book. The general idea was to implement a hybrid approach, where either the resource was encrypted using a public key, or a public key was used to encrypt a symmetric encryption key which was used to encrypt the resource; the latter is what we'll examine. The cryptovirus would contain a source of randomness or cryptographically-secure pseudo-randomness, for generating material for the initialization vector(s) and symmetric key(s); it would also house a public key.
Upon attaching to the host, the cryptovirus seeks the resource that the adversary desires; it uses a block cipher to compute a checksum on that resource. At that point, the cryptovirus seeks the resource that is critical to the victim, which the adversary will hold for ransom; it uses a block cipher to encrypt the resource, after which it overwrites the original plaintext with the ciphertext. An asymmetric primitive and its public key are used to encrypt a message "packet," which consists of the checksum, initialization vector(s), and symmetric key(s); the cryptovirus then overwrites the plaintext message packet with the asymmetrically encrypted message packet. The assumption is that while the initialization vector and symmetric key are in RAM, they're not extracted by the victim; this is, of course, crucial, as the attack depends on the secrecy of this information, but not on the secrecy of the primitives (i.e., Kerckhoffs' principle).
Securely negotiating an "e-ransom"
Now that the cryptovirus has executed its attack payload, the negotiation process occurs. The cryptovirus instructs the victim that in order to recover the encrypted critical resource, he must send the asymmetrically encrypted message packet, along with the resource desired by the adversary. Upon receiving the public key-encrypted message packet and desired resource, the adversary uses the corresponding private key to decrypt the message packet. After decryption, the adversary now has the checksum that was computed on the desired resource, along with the initialization vector(s) and symmetric key(s) used for computing the checksum and encrypting the victim's critical resource which was held for ransom.
Using the initialization vector and symmetric key(s), he computes a checksum on the desired resource that was sent along with the encrypted message packet. If this checksum matches the checksum stored inside the encrypted message packet, the adversary can assume that the desired resource is, in fact, the resource he specified; if the checksums do not match, he can assume that the victim tried to cheat. Even if the victim played by the rules and sent the specified resource, it's ultimately at the adversary's discretion whether or not he sends the victim the initialization vector and symmetric key(s) necessary for recovering the encrypted critical resource being held for ransom.
The victim now hopefully assumes that the same adversary who just mounted a reversible denial-of-service cryptoviral extortion attack is suddenly feeling philanthropic, or has some heart-felt respect for fairness. In original research of my own, I've examined arbitrated and game-theoretic protocols for providing incentives for fairness and penalties for unfairness, via cooperative strategies, but while things often work nicely in the boundless utopia of theory, you run into practical complications in real-world instantiations. This research also examines methodologies for conducting information extortion (achieving both IND-CCA2 and INT-CTXT) without the need for asymmetric cryptography at all, as well as attack models that make use of insider threats.
Summarizing this "Cryptaesopian" story
This is a singular scenario among the myriad cryptovirological techniques that incorporate the same cryptographic primitives we rely on in modern, conventional applications; in fact, it's a simplistic, minimal, bare-bones archetype for an attack that can easily adapt to using more advanced methodologies. The significance of this lies within a corollary of sorts, in that the stronger cryptography gets, the stronger cryptovirology gets. Although cryptovirological schematics will require immense cryptanalytical scrutiny just like any new designs, they can take advantage of existing cryptanalyses of the cryptographic primitives they are composed of. As such, we're able to construct provably secure malicious applications.
For instance, a provably secure act of cryptoviral extortion could be conducted using standardized primitives, such as AES in CTR mode and CMAC-AES, in the EtA composition, achieving both the IND-CCA2 and INT-CTXT notions of security. This is a case of secure standards and savage intentions. Oh, and allow me to provide some supplemental information to spell out these odd-looking abbreviations and acronyms:
- AES - Advanced Encryption Standard
- CTR - Counter mode
- CMAC - Cipher-based Message Authentication Code
- EtA - Encrypt-then-Authenticate
- IND-CCA2 - Indistinguishability under Adaptive Chosen-Ciphertext Attack
- INT-CTXT - Integrity of Ciphertexts
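The EtA composition just named, as an added illustration that is not code from the post or from Young and Yung's work: AES in CTR mode, then a tag over the IV and ciphertext, with the receiver verifying the tag before it decrypts anything (this is also the symmetric layer that the hybrid scheme described earlier rests on). It assumes Go's standard library, which ships no CMAC, so HMAC-SHA256 stands in for CMAC-AES; the names Seal and Open, the iv||ct||tag layout and the key sizes are choices made here, not the post's.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// tag authenticates iv||ct with HMAC-SHA256 (a stand-in for the post's CMAC-AES; Go's stdlib has no CMAC).
func tag(macKey, iv, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(iv)
	m.Write(ct)
	return m.Sum(nil)
}

// Seal is the EtA composition: AES-CTR encrypt under encKey, then tag under macKey. Layout: iv||ct||tag.
func Seal(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // fresh random IV per message; CTR must never reuse one under a key
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	return append(append(iv, ct...), tag(macKey, iv, ct)...), nil
}

// Open checks the tag first; a modified ciphertext is rejected before the decryption key is ever used (INT-CTXT).
func Open(encKey, macKey, sealed []byte) ([]byte, error) {
	if len(sealed) < aes.BlockSize+sha256.Size {
		return nil, errors.New("sealed message too short")
	}
	n := len(sealed) - sha256.Size
	iv, ct, got := sealed[:aes.BlockSize], sealed[aes.BlockSize:n], sealed[n:]
	if !hmac.Equal(got, tag(macKey, iv, ct)) { // constant-time comparison
		return nil, errors.New("authentication failed: ciphertext rejected")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct) // CTR decryption is the same keystream XOR
	return pt, nil
}
```

Note that the tag is computed over the IV as well as the ciphertext, so an adversary who swaps the IV is caught exactly like one who edits the ciphertext.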
Make no mistake. The notion of cryptovirology isn't to be written off as a quixotic stretch of the imagination; it is nothing short of a reality. Cryptovirology's strength is derived from a transfusion between itself and cryptography; that is, the security of the former is based on the security of the latter (think intractable computational problems, for instance). To continue exploring the mapped territories of cryptography, in a defensive context, but dismiss the notion of sailing the uncharted waters of cryptovirology, is a deliberate recipe for sinking your own ship. It's a piece of cake to picture scenarios where attacks that use our cryptography against us are more severe than attacks on the cryptography itself. The same aberrant thinking and poise that go into concocting these attacks will prove invaluable in efforts to defend against them.
Don't underestimate the imagination; it's security's ally. This tactic will hold true when approaching the gravity of cryptovirology - a sui generis juggernaut of mathematical mayhem. After all, a tale once told of a hare's disposition after disregarding a tortoise: regretful.