Pierluigi Paganini February 11, 2014

Honey Encryption is the name of a new approach to encryption, elaborated by the independent researcher Ari Juels, based on misleading results.

Honey Encryption, this is the name for a new approach to encryption to deceive attackers by presenting them with fake data presented by the independent researcher Ari Juels. Ari Juels, who has worked as chief scientist at computer security company RSA, proposed a new approach for cryptography to improve protection of sensitive data based on deception. He has already worked to similar project with the mythic Ron Rivest, one of the inventors of the RSA, for the development of the Honey Words, a system to protect password databases by also padding them with fake passwords.

“Decoys and deception are really underexploited tools in fundamental computer security,” said Juels.

Juels in collaboration with Thomas Ristenpart of the University of Wisconsin, has developed a new encryption system, which implements a deception technique by serving up fake data in response to every incorrect guess of the password or encryption key. If the attacker fails to provide the decryption key the original data should will be disguised, the method avoids, in case of a data breach, that hackers decrypt the encrypted stashes of sensitive data.   The hackers use  automated tools to guess passwords, usually  wrong key produces a “garbled mess, not a recognizable piece of raw data”, but adopting the Honey Encryption data appears as legitimate deceiving the criminals. The principle behind the Honey Encryption software is the generation of a piece of fake data resembling the legitimate data. The  Honey Encryption could invalidate the brute forcing practice, for each  attempt the method provides a false set of data impossible to distinguish from the original.

“Each decryption is going to look plausible,”  “The attacker has no way to distinguish a priori which is correct.” says Juels.

A particular attention must be reserved to the protection of password manager applications, these software are used to store the entire collection of user’s password, but user use to protect them with a weak master password easy to guess with a password cracker tool. Principal doubts on the Honey Encryption relate to its capability to generate believable fakes for every set of data.

“Not all authentication or encryption systems yield themselves to being ‘honeyed.’” said Hristo Bojinov, CEO and founder of mobile software company Anfacto.

The honey Encryption technique will be presented at the next Eurocrypt cryptography conference by the two researchers.

Pierluigi Paganini

(Security Affairs –  Honey Encryption, encryption)