Categories: Security

Honey Encryption deceives attackers with fake data

Honey Encryption is the name of a new approach to encryption, elaborated by the independent researcher Ari Juels, based on misleading results.

Honey Encryption, this is the name for a new approach to encryption to deceive attackers by presenting them with fake data presented by the independent researcher Ari Juels. Ari Juels, who has worked as chief scientist at computer security company RSA, proposed a new approach for cryptography to improve protection of sensitive data based on deception. He has already worked to similar project with the mythic Ron Rivest, one of the inventors of the RSA, for the development of the Honey Words, a system to protect password databases by also padding them with fake passwords.

“Decoys and deception are really underexploited tools in fundamental computer security,” said Juels.

Juels in collaboration with Thomas Ristenpart of the University of Wisconsin, has developed a new encryption system, which implements a deception technique by serving up fake data in response to every incorrect guess of the password or encryption key. If the attacker fails to provide the decryption key the original data should will be disguised, the method avoids, in case of a data breach, that hackers decrypt the encrypted stashes of sensitive data. The hackers use automated tools to guess passwords, usually wrong key produces a “garbled mess, not a recognizable piece of raw data”, but adopting the Honey Encryption data appears as legitimate deceiving the criminals. The principle behind the Honey Encryption software is the generation of a piece of fake data resembling the legitimate data. The Honey Encryption could invalidate the brute forcing practice, for each attempt the method provides a false set of data impossible to distinguish from the original.

“Each decryption is going to look plausible,” “The attacker has no way to distinguish a priori which is correct.” says Juels.

A particular attention must be reserved to the protection of password manager applications, these software are used to store the entire collection of user’s password, but user use to protect them with a weak master password easy to guess with a password cracker tool. Principal doubts on the Honey Encryption relate to its capability to generate believable fakes for every set of data.

“Not all authentication or encryption systems yield themselves to being ‘honeyed.’” said Hristo Bojinov, CEO and founder of mobile software company Anfacto.

The honey Encryption technique will be presented at the next Eurocrypt cryptography conference by the two researchers.

Pierluigi Paganini

(Security Affairs – Honey Encryption, encryption)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.