Two Can Play At This Game: Honey Encryption And Trickery In Password Protection

By   ISBuzz Team
Writer , Information Security Buzz | Jan 31, 2014 01:38 am PST

Two computer scientists have developed a novel way to protect users’ sensitive data online:  an encryption method that deceives hackers into believing they have perpetrated an attack successfully, when in actuality they have not.

This new computer security methodology, known as “Honey Encryption”, is the brainchild of scientists Ari Juels, former Chief Scientist at RSA Laboratories, and Thomas Ristenpart, a computer science professor at the University of Wisconsin.

When hackers obtain encrypted data, they seek to obtain a cryptographic key which will allow them to translate the information from ciphertext—data that has been encoded by a computer algorithm—into plaintext—the data in its originally readable form.  (For more information on how cryptography works, please click here for a brief primer.)

To decipher this encrypted data, hackers use software programs that try to guess the key.  It is usually clear when they have guessed correctly.  Most if not all of their wrong guesses yield plaintext nonsense, whereas the correct key will produce an understandable text passage, number sequence, or other piece of information.

Juels and Ristenpart observed this trend and asked:  what if cryptography were not so intuitive a process?

This is where Honey Encryption comes in.  As an added layer of protection, the scientists have proposed linking a password system to a honeychecker.  This latter component, which would be stored on a separate server—thereby complicating a hacker’s job even further by requiring them to penetrate both password and honeychecker systems separately—generates a piece of fake data every time a hacker inputs an incorrect password.

That is not to say the hackers could not ultimately guess the password correctly.  But what it does mean is that, instead of lots of nonsensical outputs save one that is understandable, the hacker would be in possession of a number of equally sensible plaintext passages.  This would drown out the real message in a flood of fake data.

Honey Encryption is based on the Honeywords Project, where a system could generate fake passwords in response to an attack.

There is an important caveat to Honey Encryption that should be noted, however:  the methodology is non-discriminating.  That is to say, if a user made a mistake in logging in to his/her email account, the Honey Encryption method would take over and generate a fake message.

To get around this, the system might have to generate its own password, which it can then encrypt with the user’s password as a means of doubling security.

These are the kinds of issues that are associated with using usernames and passwords for authentication purposes.

In response, some computer security experts believe that our current reliance on passwords, specifically how we both define (create) and authenticate (log in with those same) passwords, are creating a great deal of cyber security problems.  They argue that this issue could partially be addressed by shifting computer security paradigms to embrace certificates, where the user solely authenticates his/her identity.  For more information on certificates, please read here:

Dave BissonDavid Bisson | @DMBisson

Bio: David is currently a senior at Bard College, where he is studying Political Studies and writing his senior thesis on cyberwar and cross-domain escalation.  He also works at the Hannah Arendt Center for Politics and Humanities at Bard College as an Outreach intern.  Post-graduation, David would like to leverage his extensive journalism experience as well as his interest in computer coding and social media to pursue a career in cyber security, both its practice and policy.