Talk:Cryptovirology

From Wikipedia, the free encyclopedia

WikiProject on Cryptography This article is part of WikiProject Cryptography, an attempt to build a comprehensive and detailed guide to cryptography on Wikipedia. If you would like to participate, you can choose to edit the article attached to this page, or visit the project page, where you can join the project and see a list of open tasks.
This article is part of WikiProject Malware, an attempt to better organise information in articles related to Malware. If you would like to participate, you can edit the article attached to this page, or visit the project page, where you can join the project and/or contribute to the discussion.

[edit] Cryptotrojan example sounds silly

From the current article:

An application of a questionable encryption scheme is a trojan that gathers plaintext from the host, "encrypts" it using the trojan's own public key (which may be real or fake), and then exfiltrates the resulting "ciphertext". In this attack it is thoroughly intractable to prove that data theft has occurred. This holds even when all core dumps of the trojan and all the information that it broadcasts is entered into evidence. An analyst that jumps to the conclusion that the trojan "encrypts" data risks being proven wrong by the malware author (e.g., anonymously).
When the public key is fake, the attacker gets no plaintext from the trojan. So what's the use? A spoofing attack is possible in which some trojans are released that use real public keys and steal data and some trojans are released that use fake public keys and do not steal data. Many months after the trojans are discovered and analayzed, the attacker anonymously posts the witnesses of non-encryption for the fake public keys. This proves that those trojans never in fact exfiltrated data. This casts doubt on the true nature of future strains of malware that contain such "public keys", since the keys could be real or fake. This attack implies a fundamental limitation on proving data theft.

At the risk of repeating myself: "So what's the use?" I think I understand everything in those two paragraphs, but I don't see the practical usefulness of such a result. I think the author is thinking of a scenario like this:

Cracker breaks into system, installs "cryptotrojan".
Cryptotrojan collects data, pseudo-encrypts it, sends it to cracker.
System administrator discovers trojan, traces it, sues cracker for data theft.
Sysadmin: Judge, this cracker broke into my system and his trojan collected and exfiltrated my private data! Here are the logs proving it.
Cracker: Judge, my trojan did collect his data, but it did not exfiltrate it! Here is a mathematical proof that my trojan in fact sent only a stream of pseudorandom bits. Therefore you must find me innocent.
Judge: Oh dear, I suppose so. Not guilty!
Sysadmin: Oh no! I cannot afford to prosecute crackers if I cannot prove their guilt a priori.

However, common sense and U.S. law would make that dialogue end more like this:

Cracker: ... Therefore you must find me innocent.
Judge: I don't care about mathematics; I care about law. You admit you broke into his system and installed malicious software without his approval. You are obviously guilty.
Cracker: Oh no! I did not expect this turn of events.

So, what's the use? Obviously you can take any first-year crypto topic and put it in a virus, but does that somehow make it interesting or worthy of comment?

I'm not disputing the usefulness of "cryptovirology" (silly buzzword!) as a whole; I'm just pointing out that the example on which the current article spends two paragraphs is very silly, and should be replaced with a good example if one exists. (The only non-trivial uses of crypto in malware design that I can think of are both mentioned already: ransomware and polymorphic viruses. And the latter doesn't require crypto anyway.) --Quuxplusone 04:46, 21 October 2007 (UTC)


Comments from legal experts might shed light on how this would turn out in court. For instance is "theft" a charge separate from "unlawful entry/use"? Does theft by itself carry, e.g. 5 years? The article appears to make no legal claims. —Preceding unsigned comment added by 70.18.230.5 (talk) 16:51, 22 November 2007 (UTC)