A new form of encryption called “Honey Encryption” protects data with an added deceptive security mechanism. Fake data that looks like valid information is presented to cybercriminals upon each failed password attempt.
The encryption software, developed by independent researcher and former RSA chief scientist Ari Juels and University of Wisconsin researcher Thomas Ristenpart, generates a piece of fake data resembling the user’s real information each time a hacker fails to access an account, as is common in brute-force hacking. The idea behind “Honey Encryption” is that if the intruder does ultimately enter the correct password and breach the account, the real data will be indistinguishable from the fake data.
“Decoys and deception are really underexploited tools in fundamental computer security,” Juels told MIT Technology Review. “Each decryption is going to look plausible. The attacker has no way to distinguish which is correct.”
Traditional encryption methods obfuscate the data, or make it look unintelligible, so hackers need to make sense of the garbled data after accessing it. At RSA, Juels previously worked on a precursor to “Honey Encryption” called “Honeywords,” which added additional fake passwords to the already encrypted password in a given account.
Juels and Ristenpart will present their paper, “Honey Encryption: Security Beyond the Brute-Force Bound,” at the 2014 Eurocrypt Conference, which takes place on May 11-15 in Copenhagen, Denmark.