Honey Encryption is the name of a new approach to encryption, elaborated by the independent researcher AriJuels, based on misleading results.
“Decoys and deception are really underexploited tools in fundamental computer security,” said Juels.
Juels in collaboration with Thomas Ristenpart of the University of Wisconsin, has developed a new encryption system, which implements a deception technique by serving up fake data in response to every incorrect guess of the password or encryption key. If the attacker fails to provide the decryption key the original data should will be disguised, the method avoids, in case of a data breach, that hackers decrypt the encrypted stashes of sensitive data. The hackers use automated tools to guess passwords, usually wrong key produces a “garbled mess, not a recognizable piece of raw data”, but adopting the Honey Encryption data appears as legitimate deceiving the criminals. The principle behind the Honey Encryption software is the generation of a piece of fake data resembling the legitimate data. The Honey Encryption could invalidate the brute forcing practice, for each attempt the method provides a false set of data impossible to distinguish from the original.
“Each decryption is going to look plausible,” “The attacker has no way to distinguish a priori which is correct.” says Juels.
A particular attention must be reserved to the protection of password manager applications, these software are used to store the entire collection of user’s password, but user use to protect them with a weak master password easy to guess with apassword cracker tool. Principal doubts on the Honey Encryption relate to its capability to generate believable fakes for every set of data.
“Not all authentication or encryption systems yield themselves to being ‘honeyed.’” said Hristo Bojinov, CEO and founder of mobile software company Anfacto.
The honey Encryption technique will be presented at the next Eurocrypt cryptography conference by the two researchers.