Article

Cryptovirology: Extortion-Based Security Threats and Countermeasures

Authors:

Adam Young,

Moti YungAuthors Info & Claims

SP '96: Proceedings of the 1996 IEEE Symposium on Security and Privacy

Page 129

Published: 06 May 1996 Publication History

Publisher Site

Abstract

Traditionally, cryptography and its applications are defensive in nature, and provide privacy, authentication, and security to users. In this paper we present the idea of ``Cryptovirology'' which employs a twist on cryptography, showing that it can also be used offensively. By being offensive we mean that it can be used to mount extortion based attacks that cause loss of access to information, loss of confidentiality, and information leakage, tasks which cryptography typically prevents. In this paper we analyze potential threats and attacks that rogue use of cryptography can cause when combined with rogue software (viruses, Trojan horses), and demonstrate them experimentally by presenting an implementation of a ``cryptovirus'' that we have tested (we took careful precautions in the process to insure that the virus remained contained). Public-key cryptography is essential to the attacks that we demonstrate (which we call "cryptovirological attacks''). We also suggest countermeasures and mechanisms to cope with and prevent such attacks. These attacks have implications on how the use of cryptographic tools should be managed and audited in general purpose computing environments, and imply that access to cryptographic tools should be well controlled. The experimental virus demonstrates how cryptographic packages can be condensed into a small space, which may have independent applications (e.g., cryptographic module design in small mobile devices).

Cited By

View all

Ding YWei TWang TLiang ZZou WGates CFranz MMcDermott J(2010)Heap TaichiProceedings of the 26th Annual Computer Security Applications Conference10.1145/1920261.1920310(327-336)Online publication date: 6-Dec-2010
https://dl.acm.org/doi/10.1145/1920261.1920310
Kartaltepe EXu S(2005)On Automatically Detecting Malicious Impostor EmailsProceedings of the 2005 conference on Applied Public Key Infrastructure: 4th International Workshop: IWAP 200510.5555/1564104.1564109(33-47)Online publication date: 9-May-2005
https://dl.acm.org/doi/10.5555/1564104.1564109
Payton AWhitman M(2005)Determining the proper response to online extortionProceedings of the 2nd annual conference on Information security curriculum development10.1145/1107622.1107651(122-126)Online publication date: 23-Sep-2005
https://dl.acm.org/doi/10.1145/1107622.1107651
Show More Cited By

Cryptovirology: Extortion-Based Security Threats and Countermeasures

Recommendations

Cryptovirology: the birth, neglect, and explosion of ransomware

Recent attacks exploiting a known vulnerability continue a downward spiral of ransomware-related incidents.
Cryptovirology: extortion-based security threats and countermeasures
SP'96: Proceedings of the 1996 IEEE conference on Security and privacy

Traditionally, cryptography and its applications are defensive in nature, and provide privacy, authentication, and security to users. In this paper we present the idea of Cryptovirology which employs a twist on cryptography, showing that it can also be ...
Detecting Insider Theft of Trade Secrets

Trusted insiders who misuse their privileges to gather and steal sensitive information represent a potent threat to businesses. Applying access controls to protect sensitive information can reduce the threat but has significant limitations. Even if ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

SP '96: Proceedings of the 1996 IEEE Symposium on Security and Privacy

May 1996

ISBN:0818674172

Publisher

IEEE Computer Society

United States

Publication History

Published: 06 May 1996

Check for updates

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

5
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 28 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Ding YWei TWang TLiang ZZou WGates CFranz MMcDermott J(2010)Heap TaichiProceedings of the 26th Annual Computer Security Applications Conference10.1145/1920261.1920310(327-336)Online publication date: 6-Dec-2010
https://dl.acm.org/doi/10.1145/1920261.1920310
Kartaltepe EXu S(2005)On Automatically Detecting Malicious Impostor EmailsProceedings of the 2005 conference on Applied Public Key Infrastructure: 4th International Workshop: IWAP 200510.5555/1564104.1564109(33-47)Online publication date: 9-May-2005
https://dl.acm.org/doi/10.5555/1564104.1564109
Payton AWhitman M(2005)Determining the proper response to online extortionProceedings of the 2nd annual conference on Information security curriculum development10.1145/1107622.1107651(122-126)Online publication date: 23-Sep-2005
https://dl.acm.org/doi/10.1145/1107622.1107651
Schechter SSmith MStaniford SSavage S(2003)Access for saleProceedings of the 2003 ACM workshop on Rapid malcode10.1145/948187.948191(19-23)Online publication date: 27-Oct-2003
https://dl.acm.org/doi/10.1145/948187.948191
Weaver NPaxson VStaniford SCunningham RStaniford SSavage S(2003)A taxonomy of computer wormsProceedings of the 2003 ACM workshop on Rapid malcode10.1145/948187.948190(11-18)Online publication date: 27-Oct-2003
https://dl.acm.org/doi/10.1145/948187.948190

Abstract

Cited By

Recommendations

Cryptovirology: the birth, neglect, and explosion of ransomware