
Malicious Cryptography: Exposing Cryptovirology

23 Aug 2005 16:32


Malicious Cryptography outlines how a virus could contain and use a cryptographic public key, and speculates on the kind of attacks that might use this method.

Yet that's what Columbia University student Adam Young figured out how to do, as he explains in the first chapter of this book. In this attack, a virus encrypts a tranche of data -- say, everything on a hard drive -- with a public key the virus author has generated and embedded into the virus. Only the private key, which is retained by the author, can decrypt the data. This is a perfect scenario for extortion, and an example of what Young has dubbed a 'cryptovirus' -- a computer virus that contains and uses a cryptographic public key.

Moti Yung, a senior researcher at Columbia University and an editor of the Journal of Cryptology, became Young's master's thesis advisor as he fleshed out these ideas. Malicious Cryptography is more or less the result. These are not -- yet, at least -- attacks found in the wild. Instead, Young and Yung are trying to look into the future at what kinds of attack may be devised.

Parts of the book are reminiscent of many mid-1990s discussions about cryptography: people like the physicist Timothy May used to speculate about how to use it to guarantee anonymity or run a crime syndicate. Many of these things are possible now. The perfectly anonymous kidnapping, for example, could be engineered using a combination of a MIX-net, peer-to-peer protocols and cryptographically secured electronic cash. Say, for example, that you want to steal some information, but you don't want to reveal the details of what information you are stealing. As the authors explain in describing the technique of Private Information Retrieval, placing a public key within the virus would make such obfuscation possible.

Despite the frequent sprinklings of mathematics and equations, a fair portion of this book is readable by a non-expert. Readers need to understand the basics of public key cryptography, a system devised in the late 1970s to allow strangers to spontaneously exchange encrypted information. The cryptographic software generates a pair of asymmetric keys, one public and one private; each decrypts anything encrypted with the other. Much of the book is technical detail explaining such things as the inner workings of, and potential flaws in, random number generators, how to make a cryptocounter or how to create subliminal channels. The book also provides background material on computer virus basics and number theory in appendices.

Malicious Cryptography is the sort of book you'd give to a security expert who'd like to be a little more paranoid. After all, it's not paranoia if they really are out to get you.

Story URL: http://reviews.zdnet.co.uk/software/productivity/0,1000001108,39214638,00.htm

Copyright © 1995-2009 CBS Interactive Limited. All rights reserved