The key to beating hackers might not just lie in stronger security measures and ‘unbreakable’ passwords. Now, it seems like an element of trickery is required – almost beating hackers at their own game.
Two security researchers have developed a scheme they call ‘Honey Encryption’, which makes it harder for an attacker to know when they have arrived at the information they want. When the wrong key is used to decrypt data protected by the scheme, the attacker is presented with fake but plausible data, and so has no way of telling whether the attempt succeeded or failed.
The scheme takes its name from the common practice of setting a ‘honey trap’ to catch hackers online.
Dr. Ari Juels, an independent researcher, teamed up with Thomas Ristenpart of the University of Wisconsin to create the system. Quoted in MIT Technology Review, Juels said: “Decoys and deception are really underexploited tools in fundamental computer security. Each decryption is going to look plausible... the attacker has no way to distinguish a priori which is correct.”
As BGR reports, the fake data is generated partly from data exposed in previous security breaches, for example the password databases leaked in large-scale attacks on Adobe and on Sony’s PlayStation Network. Juels is also working on applying Honey Encryption to password manager software, which is designed to securely store dozens of passwords per user.
Juels has said that “by now, enough password dumps have leaked online to make it possible to create fakes that accurately mimic collections of real passwords.” The scheme works best with data whose structure is well understood and can therefore be convincingly spoofed, such as passwords or credit card numbers. More complex, less structured information is harder to fake to a standard that would fool an attentive attacker.
With conventional encryption it is easy for an attacker to recognise a failed attempt, as Threatpost points out, because decrypting with the wrong key returns gibberish (or, with authenticated encryption, an explicit failure), so every wrong guess in a brute-force attack can be discarded immediately. And although it may not always be easy to produce convincing fake data, Juels said that isn’t a big problem: “The model doesn’t have to be perfect to be good. If just half of the decryption attempts yield something plausible, you still achieve the desired bafflement of the attacker.”
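The following Python sketch is an added illustration of the mechanism described above; it is not code from Juels and Ristenpart, nor from any of the outlets quoted here. It models the message space as 16-digit card numbers with a valid Luhn check digit: a distribution-transforming encoder maps each such number to a seed, the seed is masked with a password-derived value, and decrypting with a wrong password yields a different, but still Luhn-valid, number. A conventional authenticated variant is shown alongside for contrast; it rejects a wrong password outright. The uniform model of card numbers, the PBKDF2 parameters and the test card number are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os

# Message space for this demonstration: 16-digit card numbers with a valid
# Luhn check digit. Every 15-digit prefix has exactly one valid check digit,
# so the space has N = 10**15 members and can be indexed directly. This is a
# deliberately simple (uniform) model of the message distribution; a real
# encoder would also model issuer prefixes and other structure (assumption).
N = 10**15


def luhn_check_digit(prefix15: str) -> str:
    """Check digit that makes prefix15 + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(prefix15)):
        d = int(ch)
        if i % 2 == 0:  # digits at even offsets from the check digit are doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return (len(number) == 16 and number.isdigit()
            and luhn_check_digit(number[:15]) == number[15])


def dte_encode(card: str) -> int:
    """Distribution-transforming encoder: message -> seed in range(N)."""
    if not luhn_valid(card):
        raise ValueError("not a Luhn-valid 16-digit number")
    return int(card[:15])


def dte_decode(seed: int) -> str:
    """Inverse encoder: every seed in range(N) decodes to a plausible number."""
    prefix = f"{seed % N:015d}"
    return prefix + luhn_check_digit(prefix)


def derive_mask(password: str, salt: bytes) -> int:
    # Password-derived mask over the seed space. Reducing a 256-bit value
    # mod N leaves a bias of about 10**15 / 2**256, which is negligible.
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return int.from_bytes(raw, "big") % N


def honey_encrypt(password: str, card: str) -> tuple[bytes, int]:
    salt = os.urandom(16)
    ct = (dte_encode(card) + derive_mask(password, salt)) % N
    return salt, ct


def honey_decrypt(password: str, salt: bytes, ct: int) -> str:
    # No integrity tag on purpose: a wrong password must not be detectable.
    seed = (ct - derive_mask(password, salt)) % N
    return dte_decode(seed)


def conventional_encrypt(password: str, card: str) -> tuple[bytes, int, bytes]:
    """Same masking, plus an HMAC tag (encrypt-then-MAC), for contrast."""
    salt, ct = honey_encrypt(password, card)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt + b"mac", 100_000)
    tag = hmac.new(key, ct.to_bytes(8, "big"), "sha256").digest()
    return salt, ct, tag


def conventional_decrypt(password: str, salt: bytes, ct: int, tag: bytes):
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt + b"mac", 100_000)
    expected = hmac.new(key, ct.to_bytes(8, "big"), "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong password: the attacker learns the guess failed
    return honey_decrypt(password, salt, ct)


def brute_force_view(salt: bytes, ct: int, guesses: list[str]) -> dict[str, str]:
    """What an offline attacker sees: one plausible card number per guess."""
    return {g: honey_decrypt(g, salt, ct) for g in guesses}


if __name__ == "__main__":
    card = "4111111111111111"  # constructed test number (valid Luhn checksum)
    salt, ct = honey_encrypt("correct horse", card)
    view = brute_force_view(salt, ct, ["password", "letmein", "correct horse"])
    for guess, decoy in view.items():
        print(f"{guess!r:>16} -> {decoy}  luhn_valid={luhn_valid(decoy)}")
```

Two practical caveats follow from the code. First, the decoys are only as convincing as the encoder's model of the message distribution: with the uniform model above, an attacker who knows the issuer's prefix, or who can test candidate numbers against a live system, can discard most decoys, which is exactly the gap Juels's “the model doesn’t have to be perfect” remark is addressing. Second, the scheme must not be combined with an integrity tag or any other check that fails on a wrong key; the moment decryption can report failure, as `conventional_decrypt` does, the brute-force bound is back.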
Juels and Ristenpart will present a talk on “Honey Encryption: Security Beyond the Brute-Force Bound” at the Eurocrypt conference in May, in Copenhagen. Dr. Juels was formerly chief scientist at RSA, where he began his work on Honey Encryption.