Find the word definition

Wikipedia
Cryptovirology

Cryptovirology is a field that studies how to use cryptography to design powerful malicious software. The field was born with the observation that public-key cryptography can be used to break the symmetry between what an antivirus analyst sees regarding malware and what the attacker sees. The antivirus analyst sees a public key contained in the malware whereas the attacker sees the public key contained in the malware as well as the corresponding private key (outside the malware) since the attacker created the key pair for the attack. The public key allows the malware to perform trapdoor one-way operations on the victim's computer that only the attacker can undo.

The first attack that was identified by Adam L. Young and Moti Yung in the field is called "cryptoviral extortion". In this attack a cryptovirus, cryptoworm, or cryptotrojan contains the public key of the attacker and hybrid encrypts the victim's files. The malware prompts the user to send the asymmetric ciphertext to the attacker who will decipher it and return the symmetric decryption key it contains for a fee. The victim needs the symmetric key to get the files back if there are no backups of them. Many years later the media relabeled this attack as ransomware. In 2016 cryptovirology attacks on healthcare providers reached epidemic levels prompting the U.S. Department of Health and Human Services to issue a Fact Sheet on Ransomware and HIPAA. The fact sheet states that when electronic protected health information is encrypted by ransomware a breach has occurred and the attack therefore constitutes a disclosure that is not permitted under HIPAA. The rationale being that an adversary has taken control of the information.

The field also encompasses covert malware attacks in which the attacker securely steals private information such as symmetric keys, private keys, PRNG state, and the victim's data. Examples of such covert attacks are asymmetric backdoors. An asymmetric backdoor is a backdoor (e.g., in a cryptosystem) that can be used only by the attacker, even after it is found. This contrasts with the traditional backdoor that is symmetric, i.e., anyone that finds it can use it. Kleptography, a subfield of cryptovirology, is the study of asymmetric back doors in key generation algorithms, digital signature algorithms, key exchanges, pseudorandom number generators, and other cryptographic algorithms. The NIST Dual EC DRBG random bit generator has an asymmetric backdoor in it. The EC-DRBG algorithm utilizes the discrete-log kleptogram from Kleptography which by definition makes the EC-DRBG a cryptotrojan. A highly respected cryptographer, Ari Juels, indicated that NSA effectively orchestrated a kleptographic attack on users of the Dual EC DRBG pseudorandom number generation algorithm and that, although security professionals and developers have been testing and implementing kleptographic attacks since 1996, "you would be hard-pressed to find one in actual use until now". Due to public outcry of this cryptovirology attack, NIST rescinded the EC-DRBG algorithm from the NIST SP 800-90 standard.

Covert information leakage attacks carried out by cryptoviruses, cryptotrojans, and cryptoworms that, by definition, contain and use the public key of the attacker is a major theme in cryptovirology. In "deniable password snatching" by Young and Yung IEEE S&P 1997, a cryptovirus installs a cryptotrojan that asymmetrically encrypts host data and covertly broadcasts it. This makes it available to everyone, noticeable by no one, and only decipherable by the attacker. An attacker caught installing the cryptotrojan claims to be a virus victim. An attacker observed receiving the covert asymmetric broadcast is one of thousands if not millions of receivers and exhibits no identifying information whatsoever. The cryptovirology attack achieves "end-to-end deniability". It is a covert asymmetric broadcast of the victim's data. Cryptovirology also encompasses the use of private information retrieval to allow cryptoviruses to search for and steal host data without revealing the data searched for even when the cryptotrojan is under constant surveillance. By definition such a cryptovirus carries within its own coding sequence the query of the attacker and the necessary PIR logic to apply the query to host systems.

There has been a long-standing misconception that cryptovirology is mostly about extortion attacks (overt attacks). In fact, the vast majority of cryptovirology attacks are covert in nature. This misconception began to fade in 2013 after whistleblowing revealed that the Dual EC DRBG is a cryptovirology attack that covertly leaks the internal state of the pseudorandom number generator.