Encrypted batches of sensitive data all too often fall into the hands of cyber criminals. Earlier this summer Russian hackers managed to collect 1.2 billion usernames and passwords, dwarfing the theft of 110 million customers’ data when the retailer Target was hacked last year. And a cyber-attack against Adobe in 2013 involved 38 million users.
Researchers Ari Juels and Thomas Ristenpart believe that the introduction of trickery could be an important advance in IT security technology.
The two have developed an encryption scheme that builds deception into decryption itself, adding a layer of protection on top of the cipher. With so-called honey encryption, an incorrect guess at the password or key does not produce an error or garbage but fake, real-looking data. Even an attacker who does guess correctly probably won’t realize it, because the real plaintext is floating in a sea of decoys that look every bit as genuine.
What Is Honey Encryption?
When attackers capture encrypted data, they typically mount an offline brute-force attack: software repeatedly guesses the password or cryptographic key that protects it and checks each resulting plaintext. With conventional cryptographic systems that check is easy, because a wrong key returns gibberish (or, with authenticated encryption, an outright decryption failure), so the one guess that yields sensible output is recognizably the right one. Honey encryption turns this on its head. The plaintext is first encoded, using a model of how real messages are distributed, into a seed that is uniformly random, and that seed is what gets encrypted. Any key decrypts to some seed, and any seed decodes to a plausible message, so a wrong key does not return gibberish but something that looks just like real data. An attacker whose software makes thousands of brute-force attempts against a honey-encrypted password therefore gets back thousands of fake but real-looking passwords and cannot tell the fake from the real. Nothing extra has to be stored to achieve this; the decoys are manufactured on demand by the decoding step. (A related idea from Juels, honeywords, does stuff password databases with false passwords, so that a login attempt using a decoy reveals that the database was stolen.)
Honey Encryption and Password Management
Honey encryption is a natural fit for password managers, because their vaults are enticing to attackers and are usually protected by nothing more than a master password. People often choose master passwords that are not strong enough, because it’s something they have to type in repeatedly, perhaps on a mobile device, where typing isn’t as easy as on a full-sized keyboard. That means that if an attacker obtained a collection of encrypted vaults, they could often guess a master password offline without a lot of trouble. With honey encryption, each incorrect guess instead yields a complete, plausible-looking fake vault, so the guess cannot be confirmed offline; the only remaining check is to try the recovered credentials against live services, which is slow, noisy and detectable. The approach stands or falls on the quality of the decoys: if fake vaults are statistically distinguishable from real ones, or if the attacker already knows one of the user’s real passwords from another leak, the decoys can be filtered out. There are currently enough leaked password dumps online that modelling real vaults is plausible, and Juels is currently building a fake password vault generator that will allow honey encryption to be used to protect password managers.
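The two sections above describe the mechanism (wrong keys decode to plausible data) and its application to password vaults. As an added, runnable illustration, not code from Juels and Ristenpart’s paper and not any password manager’s code, the following Python sketch implements a toy honey encryption scheme over a constructed five-password prior. The names (`PASSWORD_DIST`, `dte_encode`, `honey_encrypt`, and so on), the prior weights and the 32-bit seed size are assumptions made for the example; the overall shape, a distribution-transforming encoder (DTE) in front of a conventional keyed pad, is the general construction, simplified here by using a single SHA-256 derivation where a deployment would use a slow password hash. A plain XOR-with-keystream scheme is included beside it to show the contrast the article draws.

```python
import hashlib
import secrets
from collections import Counter

SEED_BITS = 32
SEED_SPACE = 1 << SEED_BITS

# Constructed toy prior over the message space (hypothetical relative
# frequencies, not real leak statistics). A real DTE would be fitted to large
# leaked password dumps, as the article notes.
PASSWORD_DIST = {"123456": 40, "password": 25, "letmein": 15, "qwerty": 12, "dragon": 8}


def _intervals(dist):
    """Split the seed space into one interval per message, sized by its probability."""
    total = sum(dist.values())
    bounds, acc = {}, 0
    for pw, weight in dist.items():
        lo = acc * SEED_SPACE // total
        acc += weight
        bounds[pw] = (lo, acc * SEED_SPACE // total)  # last hi == SEED_SPACE
    return bounds


INTERVALS = _intervals(PASSWORD_DIST)


def dte_encode(pw):
    """DTE encode: a uniformly random seed inside the message's interval.
    Because intervals are proportional to the prior, a message drawn from the
    prior maps to a seed that is uniform over the whole seed space."""
    lo, hi = INTERVALS[pw]
    return lo + secrets.randbelow(hi - lo)


def dte_decode(seed):
    """DTE decode: every seed lands in exactly one interval, so every key guess,
    right or wrong, yields a real-looking password rather than gibberish."""
    for pw, (lo, hi) in INTERVALS.items():
        if lo <= seed < hi:
            return pw
    raise ValueError("seed outside the seed space")


def _pad(key, salt):
    """Derive a SEED_BITS-bit pad from the (possibly weak) key. One SHA-256 call
    keeps the demo fast; a deployment would use a slow KDF such as scrypt."""
    digest = hashlib.sha256(salt + key.encode()).digest()
    return int.from_bytes(digest[: SEED_BITS // 8], "big")


def honey_encrypt(pw, key, salt=None):
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, dte_encode(pw) ^ _pad(key, salt)


def honey_decrypt(ciphertext, key):
    salt, c = ciphertext
    return dte_decode(c ^ _pad(key, salt))


def conventional_encrypt(pw, key, salt=None):
    """Ordinary XOR-with-keystream encryption for contrast: no DTE in front,
    so a wrong key turns the bytes into noise the attacker can recognize."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    stream = hashlib.sha256(salt + key.encode()).digest()
    return salt, bytes(a ^ b for a, b in zip(pw.encode(), stream))


def conventional_decrypt(ciphertext, key):
    salt, c = ciphertext
    stream = hashlib.sha256(salt + key.encode()).digest()
    return bytes(a ^ b for a, b in zip(c, stream))


def brute_force(ciphertext, guesses, decrypt):
    """What an offline attacker sees: decrypt under every guess and tally the outputs."""
    return Counter(decrypt(ciphertext, g) for g in guesses)


if __name__ == "__main__":
    real, master = "letmein", "hunter2"          # constructed demo values
    guesses = [f"guess-{i}" for i in range(2000)]  # all wrong, by construction
    honey_ct = honey_encrypt(real, master)
    conv_ct = conventional_encrypt(real, master)
    print("correct key   ->", honey_decrypt(honey_ct, master))
    print("honey decoys  ->", brute_force(honey_ct, guesses, honey_decrypt).most_common())
    print("conventional  ->", brute_force(conv_ct, guesses[:3], conventional_decrypt))
```

Running the demo, the honey-encrypted ciphertext decodes to a member of the password list under every one of the 2,000 wrong guesses, with frequencies that track the prior (the decoy "123456" appears most often), while the conventional ciphertext decodes to recognizable noise under the same guesses. That tally is also the scheme’s weak point: an attacker who knows the true distribution better than the DTE does, or who has side information about the victim, can rank the candidates instead of treating them as equals.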
Honey Encryption Plus Conventional Intrusion Detection Systems
One main limitation of decoys in their honeypot form is that a honeypot starts from the assumption that all traffic reaching it is “bad.” That is what makes its alerts reliable, but it also means a honeypot sees only the attackers who happen to touch it, so decoy technology will have to improve its intrusion detection reach. Conventional intrusion detection systems have the opposite problem: they see everything, but often suffer from false positives and from weak alerting. Honeypots won’t replace conventional intrusion detection, but in the future the two technologies may be merged to greatly improve detection. In that scenario, both the honeypot and the traditional intrusion detection system feed a central database, where their events are correlated by source address and time. The honeypot can reduce false positives by confirming which sources are genuinely hostile, and it can surface attacks for which the conventional intrusion detection system has no signatures.
Traditional intrusion detection systems monitor all traffic and flag threats from known attack signatures and statistical anomalies. Honeypots, on the other hand, are far less comprehensive in what they monitor, but far more discerning: they report only the connections they receive, and since no legitimate user has a reason to connect to a decoy, most of those will be real attacks or at least reconnaissance. The hope is that the combination gives organizations less, but more precise, data to analyze, so real attacks can be identified more quickly.
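As an added example of the correlation step the two paragraphs above describe (this is illustrative code written for this page, not any IDS or honeypot product’s code), the Python below joins constructed IDS alerts and honeypot connection records by source address within a time window. IDS alerts whose source also touched the honeypot are marked confirmed, honeypot contacts with no IDS alert at all are flagged as attacks the signature set missed, and the rest is left as low-priority noise. The log format, field names, signature names and addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: hypothetical sensors, documentation IP ranges,
# invented signature names. Not real traffic.
IDS_ALERTS = """\
2014-08-12T10:01:05Z ids src=203.0.113.7 sig=WEB_SERVER SQLi attempt prio=2
2014-08-12T10:01:09Z ids src=198.51.100.23 sig=POLICY large DNS query prio=3
2014-08-12T10:02:44Z ids src=203.0.113.7 sig=SCAN SYN sweep prio=2
2014-08-12T10:03:10Z ids src=192.0.2.55 sig=POLICY large DNS query prio=3
"""

HONEYPOT_LOG = """\
2014-08-12T10:00:58Z honeypot src=203.0.113.7 dport=22 event=connect
2014-08-12T10:02:30Z honeypot src=203.0.113.7 dport=80 event=connect
2014-08-12T10:04:01Z honeypot src=198.51.100.77 dport=445 event=connect
"""

# Assumed line layout: "<timestamp> <sensor> src=<ip> <free text>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sensor>ids|honeypot) src=(?P<src>\S+) (?P<rest>.*)$")


def parse(log_text):
    """Yield (timestamp, source, detail) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a malformed line should not take the whole pipeline down
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], m["rest"]


def correlate(ids_text, honeypot_text, window_seconds=3600):
    """Join both feeds by source address; a honeypot contact within the window
    confirms an IDS alert, and honeypot-only sources are unsignatured attacks."""
    window = timedelta(seconds=window_seconds)
    ids_by_src, hp_by_src = defaultdict(list), defaultdict(list)
    for ts, src, rest in parse(ids_text):
        ids_by_src[src].append((ts, rest))
    for ts, src, rest in parse(honeypot_text):
        hp_by_src[src].append((ts, rest))

    confirmed, unconfirmed = {}, {}
    for src, alerts in ids_by_src.items():
        touched_decoy = any(
            abs(a_ts - h_ts) <= window
            for a_ts, _ in alerts
            for h_ts, _ in hp_by_src.get(src, [])
        )
        (confirmed if touched_decoy else unconfirmed)[src] = alerts
    honeypot_only = {src: ev for src, ev in hp_by_src.items() if src not in ids_by_src}
    return {"confirmed": confirmed, "unconfirmed": unconfirmed, "honeypot_only": honeypot_only}


def triage(report):
    """Analyst queue: confirmed and honeypot-only sources first, unconfirmed noise last."""
    queue = []
    for src, alerts in report["confirmed"].items():
        queue.append(("HIGH", src, f"{len(alerts)} IDS alert(s); source also touched the honeypot"))
    for src, events in report["honeypot_only"].items():
        queue.append(("HIGH", src, f"{len(events)} honeypot contact(s) with no IDS signature match"))
    for src, alerts in report["unconfirmed"].items():
        queue.append(("LOW", src, f"{len(alerts)} unconfirmed IDS alert(s)"))
    return queue


if __name__ == "__main__":
    for level, src, why in triage(correlate(IDS_ALERTS, HONEYPOT_LOG)):
        print(f"{level:4} {src:15} {why}")
```

On the sample data the SQL-injection and scan alerts from 203.0.113.7 are confirmed by its earlier honeypot connections, 198.51.100.77 is surfaced purely by the honeypot even though no IDS signature fired, and the two “large DNS query” policy alerts drop to the bottom of the queue. The window matters: widen it and unrelated activity from a shared NAT address starts confirming alerts it should not; narrow it too far and genuine multi-stage intrusions fall apart into unconfirmed fragments.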
Honey encryption is a first step toward the selective use of decoys in thwarting security breaches. Cyber-attacks are, of course, constantly evolving, but honey encryption shows promise in deterring attackers, slowing them down, and burying the correct plaintext among masses of false but equally plausible ones. It’s a technology worth watching in organizations with valuable data to protect, which is basically all of them.