Baffle thy enemy: The case for Honey Encryption

January 30, 2014 by Nancy Owano weblog
Encryption
Credit: Symantec

(Phys.org) —Database breaches are making today's headlines, revealing events where thieves scoff up millions of passwords. Security experts meanwhile think about, talk about and work towards fighting against such crimes. A fresh twist in the security arsenal might be to simply baffle criminals by unleashing a flood of data that appears real but is fake. "Honey Encryption" is an approach being proposed to protect sensitive data. You beat attackers by making it difficult to figure out if the password or encryption key they are trying to steal is correct or incorrect.

A discussion about the approach on Wednesday in Threatpost said the tool results in the attacker seeing a plausible-looking password or encryption key which is actually incorrect, and the attacker cannot tell the information is incorrect. The two people behind this Honey Encryption approach is Ari Juels, former chief scientist at computer security company RSA, and Thomas Ristenpart, an assistant professor at the University of Wisconsin.

As it is now, a criminal intruder, with each try of an incorrect key, sees gibberish. The unsuccessful try clearly indicates it is not what he or she wants. With honey encryption, however, trying to guess the password or becomes mystifying; the attacker is dealing with thousands of, say, fake credit card numbers, and each one looks plausible. A report about their work in MIT Technology Review said Juels was convinced that "by now enough password dumps have leaked online to make it possible to create fakes that accurately mimic collections of real passwords."

In October, Juels had said that "Honeywords and honey-encryption represent some of the first steps toward the principled use of decoys, a time-honored and increasingly important defense in a world of frequent, sophisticated, and damaging breaches." He said that the honeywords and honey encryption are joint work, respectively, with Ron Rivest and Tom Ristenpart. He said honey-encryption creates "ciphertexts that decrypt under incorrect keys to seemingly valid (decoy) messages."

The Honey Encryption system, meanwhile, will be the subject of a paper later this year when Juels and Ristenpart present their "Honey Encryption: Security Beyond the Brute-Force Bound" at the Eurocrypt conference in May, an event that is focused on cryptographic techniques, in Copenhagen.

Explore further: Beefing up public-key encryption

Related Stories

Beefing up public-key encryption

February 18, 2013

Most financial transactions on the Internet are safeguarded by a cryptographic technique called public-key encryption. Where traditional encryption relies on a single secret key, shared by both sender and recipient, public-key ...

Researchers test quantum encryption hacking risk

May 28, 2013

(Phys.org) —Quantum communication systems offer the promise of virtually unbreakable encryption. Unlike classical encryption, which is used to send secure data over networks today and whose security depends on the difficulty ...

Advancing privacy and security in the cloud

December 24, 2013

IBM inventors have received a patent for a breakthrough data encryption technique that is expected to further data privacy and strengthen cloud computing security.

NSA eyes encryption-breaking 'quantum' machine

January 3, 2014

The US National Security Agency is making strides toward building a "quantum computer" that could break nearly any kind of encryption, The Washington Post reported Thursday.

Experts withdraw from Internet security conference

January 8, 2014

At least eight researchers or policy experts have withdrawn from an Internet security conference after the sponsor reportedly used flawed encryption technology deliberately in commercial software to allow the National Security ...

Recommended for you

Netherlands bank customers can get vocal on payments

August 1, 2015

Are some people fed up with remembering and using passwords and PINs to make it though the day? Those who have had enough would prefer to do without them. For mobile tasks that involve banking, though, it is obvious that ...

Power grid forecasting tool reduces costly errors

July 30, 2015

Accurately forecasting future electricity needs is tricky, with sudden weather changes and other variables impacting projections minute by minute. Errors can have grave repercussions, from blackouts to high market costs. ...

Microsoft describes hard-to-mimic authentication gesture

August 1, 2015

Photos. Messages. Bank account codes. And so much more—sit on a person's mobile device, and the question is, how to secure them without having to depend on lengthy password codes of letters and numbers. Vendors promoting ...

4 comments

Adjust slider to filter visible comments by rank

Display comments: newest first

mikec59
not rated yet Jan 30, 2014
A simpler way is not to keep the passwords at all but store a hash vale of the password (such as SHA).
Rick150
not rated yet Jan 30, 2014
As I said previously, the best defense is to include rubbish in everything. All my PC's respond with rubbish to interrogation. During war mis-information has been the most effective weapon. Those that wish to data mine me better have developed a lie detector. The more crap data they capture the more time they waste and bog them down. Best defense on the internet is lots of data with only you knowing what data is the truth. That's why data mining is ultimately useless, too much information obscures the real picture.
gcbailey
not rated yet Jan 31, 2014
very interesting concept ... and by the way it's *thine* enemy.
cabhanlistis
not rated yet Mar 29, 2014
and by the way it's *thine* enemy.

Source? Because all I have is:

"Now go to thine own country and take care of the ring, for by means of it thou wilt baffle thine enemies; and be not ignorant of its puissance."
-The Arabian Nights

If Nancy was cribbing this line then sure. But otherwise I can't find a reference that shows the use in the title is wrong.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.