Encryption Privacy

Building Deception Into Encryption Software

Posted by Soulskill
from the would-be-better-to-build-decepticons dept.
holy_calamity writes "MIT Technology Review reports on a new cryptosystem designed to protect stolen data against attempts to break encryption by brute force guessing of the password or key. Honey Encryption serves up plausible fake data in response to every incorrect guess of the password. If the attacker does eventually guess correctly, the real data should be lost amongst the crowd of spoof data. Ari Juels, who invented the technique and was previously chief scientist at RSA, is working on software to protect password managers using the technique."
  • by js_sebastian (946118) on Wednesday January 29, 2014 @02:19PM (#46102733)

    TFA was murky, but generating bogus data? If one is brute forcing a data blob, how can it make stuff up?

    Actually, it wasn't murky. That it cannot work for arbitrary data types is spelled out towards the end. This is for data of which the encryption system knows the data type well enough to fake it, and the encryption system has to be built to target the specific data type. The examples given are credit card numbers or passwords.

    For instance, imagine a password manager that, for every decryption attempt with a wrong master password, returns a different set of bogus but plausible passwords. How would a brute force attack automatically determine which one is the "real" set of passwords of the user, even if it can guess the right password?
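
Added example, not from the article, from Juels' software, or from any commenter: a toy honey encryption scheme for the password-vault case js_sebastian describes. It is built the way the published honey encryption construction is, on a distribution-transforming encoder (DTE) that maps each message to a uniformly random seed from a range sized to the message's probability; the seed is then masked with a password-derived pad. Because decoding is defined for every seed, any wrong password produces a seed that decodes to some plausible entry, and the same wrong password always produces the same decoy. The four vault entries and their frequencies are constructed for this example, the 32-bit seed space is a toy size, and PBKDF2 stands in for whatever password KDF a real product would choose. A conventional tagged scheme is included alongside it to show the wrong-password signal that honey encryption withholds.

```python
"""Toy honey encryption for a tiny vault-entry message space (educational example)."""
import hashlib
import hmac
import secrets

# Constructed message distribution: the entries a toy password vault could hold,
# with made-up relative frequencies. The scheme can only produce convincing
# decoys for a data type it models this explicitly (the thread's main caveat).
MESSAGE_WEIGHTS = {
    "hunter2": 4,
    "letmein": 3,
    "correct horse battery": 2,
    "Tr0ub4dor&3": 1,
}
SEED_BITS = 32  # toy size; a real scheme would use a much larger seed space
SEED_SPACE = 1 << SEED_BITS


def _build_ranges() -> dict:
    """Split the seed space into contiguous ranges proportional to each weight."""
    total = sum(MESSAGE_WEIGHTS.values())
    ranges, lo = {}, 0
    items = list(MESSAGE_WEIGHTS.items())
    for i, (msg, w) in enumerate(items):
        # The last range absorbs rounding so that every seed decodes to something.
        hi = SEED_SPACE if i == len(items) - 1 else lo + (SEED_SPACE * w) // total
        ranges[msg] = (lo, hi)
        lo = hi
    return ranges


RANGES = _build_ranges()


def dte_encode(message: str) -> int:
    """Distribution-transforming encoder: a uniformly random seed from the message's range."""
    lo, hi = RANGES[message]
    return lo + secrets.randbelow(hi - lo)


def dte_decode(seed: int) -> str:
    """Inverse of dte_encode; defined for every seed, so it never rejects."""
    for msg, (lo, hi) in RANGES.items():
        if lo <= seed < hi:
            return msg
    raise ValueError("seed outside seed space")


def _kdf(password: str, salt: bytes, nbytes: int) -> bytes:
    # PBKDF2 is a stand-in for whatever password KDF a real product would use.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, dklen=nbytes)


def honey_encrypt(password: str, message: str) -> tuple:
    """Returns (salt, ciphertext): the DTE seed masked by a password-derived pad."""
    salt = secrets.token_bytes(16)
    pad = int.from_bytes(_kdf(password, salt, SEED_BITS // 8), "big")
    return salt, dte_encode(message) ^ pad


def honey_decrypt(password: str, salt: bytes, ciphertext: int) -> str:
    """Any password yields a seed, and any seed decodes to a plausible entry."""
    pad = int.from_bytes(_kdf(password, salt, SEED_BITS // 8), "big")
    return dte_decode(ciphertext ^ pad)


# Contrast: conventional password-based encryption with an integrity tag. A wrong
# password fails the tag check, which is exactly the yes/no signal that honey
# encryption is designed to withhold from a guessing attack.
BLOCK = 32  # fixed plaintext size for the toy pad cipher


def tagged_encrypt(password: str, message: str) -> tuple:
    salt = secrets.token_bytes(16)
    key = _kdf(password, salt, BLOCK + 32)  # pad key, then HMAC key
    padded = message.encode().ljust(BLOCK, b"\0")
    body = bytes(a ^ b for a, b in zip(padded, key[:BLOCK]))
    tag = hmac.new(key[BLOCK:], body, "sha256").digest()
    return salt, body + tag


def tagged_decrypt(password: str, salt: bytes, blob: bytes):
    key = _kdf(password, salt, BLOCK + 32)
    body, tag = blob[:BLOCK], blob[BLOCK:]
    if not hmac.compare_digest(hmac.new(key[BLOCK:], body, "sha256").digest(), tag):
        return None  # a wrong password is immediately detectable here
    return bytes(a ^ b for a, b in zip(body, key[:BLOCK])).rstrip(b"\0").decode()


if __name__ == "__main__":
    salt, ct = honey_encrypt("master-pw", "hunter2")
    for guess in ("master-pw", "password", "123456"):
        print(f"{guess!r:12} -> {honey_decrypt(guess, salt, ct)!r}")
```

Running the block prints a vault entry for the right master password and a different, equally plausible entry for each wrong one; `tagged_decrypt` returns `None` for the wrong guesses instead. The limitation raised later in the thread is visible in the code: decoys are only as convincing as `MESSAGE_WEIGHTS`, and a decoy can coincide with a genuine entry because both are drawn from the same modelled set.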

  • by sayno2quat (1651749) on Wednesday January 29, 2014 @02:47PM (#46103023)
    There is XPrivacy [xda-developers.com], which uses the XPosed framework [xda-developers.com]. That doesn't disable permissions, but rather sends fake data to the app.
  • by Anonymous Coward on Wednesday January 29, 2014 @02:58PM (#46103105)

    No, the idea is that the protection is built into the algorithm itself. Rolling your own decryptor would spit out the same fake info for the same key. To balance this out, the algorithm works only for limited types of data.

  • Re:interesting idea (Score:4, Informative)

    by aviators99 (895782) on Wednesday January 29, 2014 @03:20PM (#46103287) Homepage

    The criminal doesn't care, as long as their goal is met (get a valid card - it doesn't have to be yours). If we're talking about "invalid" data, then we need some mechanism to validate the generated data before it's returned.

    If you are worried about a random credit card generating algorithm generating real credit card numbers via this method, you should be just as worried about attackers using the same random number generator on their own!
