“Honey Encryption” overwhelms attackers with fake results
Former RSA chief scientist Ari Juels is working on an innovative approach at encryption that could make cyber crooks’ like a lot more difficult.
This new encryption system – dubbed “Honey Encryption” – does not rely on a more complex encryption algorithm, but on the fact that every time attackers attempt to decrypt the data or guess (brute force) the password, the system returns realistic-looking data – whether the guess is correct or not.
“Each decryption is going to look plausible,” says Juels. “The attacker has no way to distinguish a priori which is correct.” And will, therefore, have to test all the result if he wants to get to the correct one – a potentially formidable task that will not be worth the trouble.
The approach and the system is based on the research Juels executed with Thomas Ristenpart, an assistant professor at the University of Wisconsin, in which they put forward the idea of “honeywords” – false passwords – being associated with user accounts along with the correct one.
“An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword. The attempted use of a honeyword for login sets off an alarm,” they explained.
Juels believes Honey Encryption could be a great help for password manager services, whose users’ entire online life depends on a single master password.
According to MIT Technology Review, he is currently working on creating a fake password vault generator that would provide the false results.
Given the massive number of login credentials stolen and leaked in the last few years and a smaller one of leaked password manager vaults, creating credible fake results should be an easy task.