"Honey Encryption" Will Bamboozle Attackers with Fake Secrets

[InfoSec News <alerts () infosecnews org>]

http://www.technologyreview.com/news/523746/honey-encryption-will-bamboozle-attackers-with-fake-secrets/

By Tom Simonite
MIT Technology Review
January 29, 2014

Ari Juels, an independent researcher who was previously chief scientist at 
computer security company RSA, thinks something important is missing from 
the cryptography protecting our sensitive data: trickery.

"Decoys and deception are really underexploited tools in fundamental 
computer security," Juels says. Together with Thomas Ristenpart of the 
University of Wisconsin, he has developed a new encryption system with a 
devious streak. It gives encrypted data an additional layer of protection 
by serving up fake data in response to every incorrect guess of the 
password or encryption key. If the attacker does eventually guess 
correctly, the real data should be lost amongst the crowd of spoof data.

The new approach could be valuable given how frequently large encrypted 
stashes of sensitive data fall into the hands of criminals. Some 150 
million usernames and passwords were taken from Adobe servers in October 
2013, for example.

After capturing encrypted data, criminals often use software to repeatedly 
guess the password or cryptographic key used to protect it. The design of 
conventional cryptographic systems makes it easy to know when such a guess 
is correct or not: the wrong key produces a garbled mess, not a 
recognizable piece of raw data.

Juels and Ristenpart’s approach, known as Honey Encryption, makes it 
harder for an attacker to know if they have guessed a password or 
encryption key correctly or not. When the wrong key is used to decrypt 
something protected by their system, the Honey Encryption software 
generates a piece of fake data resembling the true data.

[...]

--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/