
Building Deception Into Encryption Software 106

Posted by Soulskill
from the would-be-better-to-build-decepticons dept.
holy_calamity writes "MIT Technology Review reports on a new cryptosystem designed to protect stolen data against attempts to break encryption by brute force guessing of the password or key. Honey Encryption serves up plausible fake data in response to every incorrect guess of the password. If the attacker does eventually guess correctly, the real data should be lost amongst the crowd of spoof data. Ari Juels, who invented the technique and was previously chief scientist at RSA, is working on software to protect password managers using the technique."
  • by Anonymous Coward on Wednesday January 29, 2014 @03:30PM (#46102875)

    This works provided you don't have a known cleartext to test against. So if I had a known credit card or password in the database (by signing up legitimately for a website that uses this) then I have a method of determining the dataset to be decrypted.

  • by Joce640k (829181) on Wednesday January 29, 2014 @03:33PM (#46102925) Homepage

    Why would an attacker be using the enemy-provided 'honey' program to try to brute force the decryption?

    Surely he'd use a program that isn't known for serving up fake results.

  • by hawguy (1600213) on Wednesday January 29, 2014 @03:35PM (#46102943)

    I guess it DOES have some benefit, huh?

    People misunderstand what "security through obscurity" means. Most (all?) encryption relies on security through obscurity at some level.

    Hiding your house key under a loose floorboard in your back deck is the kind of security through obscurity that can really work, assuming that there are no other clues that lead to the hiding place. However, hiding the prybar that you use to pry up the floorboard under the belief that hiding the method of access makes your key safer is not the kind of obscurity that works because if the attacker can find your hiding place, he can figure another way to get to the key.

    Similarly, hiding or not writing down your password is security through obscurity that works. But trying to hide the implementation details of your cipher algorithm does not, because cryptanalysis can break your encryption even without access to your encryption algorithm.

    So, obscuring your real password among an endless number of fake passwords is the kind of obscurity that can work -- even if the attacker knows that your password is somewhere among the billions of fake ones, unless he has some clue to tell him what your real password looks like, just knowing that fakes are there doesn't help him.
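To make the mechanism in the summary concrete, here is a toy honey encryption scheme written as an added example for this thread; it is not code from Ari Juels's password-manager software, from the Juels/Ristenpart paper, or from the Technology Review article. It assumes a constructed five-entry message distribution with made-up frequencies, a 32-bit seed space and PBKDF2 as the key derivation, and all function names are my own. The distribution-transforming encoder (build_dte, dte_encode, dte_decode) gives each message a seed interval sized in proportion to its frequency, so every seed, including the one a wrong password produces, decodes to a plausible message with the modelled statistics instead of an error. The first comment's caveat lives in the same place: the decoys only fool an attacker if the model matches the real distribution and the attacker has no known plaintext under the same password to test against.

```python
import bisect
import hashlib
import os
from collections import Counter

# Toy honey-encryption scheme (added example, not Juels's software or the
# article's code). The message space is a small, constructed set of stored
# passwords with made-up frequencies; a real deployment would have to model
# the true distribution of the protected secret.
SEED_BITS = 32
SEED_SPACE = 1 << SEED_BITS
KDF_ITERATIONS = 1_000  # small for the demo; KDF cost is not what the honey scheme relies on

MESSAGE_DISTRIBUTION = {  # constructed sample: plaintext -> relative frequency
    "password1": 40,
    "letmein": 25,
    "hunter2": 20,
    "correct horse": 10,
    "Tr0ub4dor&3": 5,
}


def build_dte(distribution):
    """Distribution-transforming encoder: message i owns the seed interval
    [boundaries[i-1], boundaries[i]), sized in proportion to its probability."""
    if any(p <= 0 for p in distribution.values()):
        raise ValueError("every message needs positive probability")
    messages = list(distribution)
    total = sum(distribution.values())
    boundaries, acc = [], 0
    for m in messages[:-1]:
        acc += round(distribution[m] / total * SEED_SPACE)
        boundaries.append(acc)
    boundaries.append(SEED_SPACE)  # last message absorbs rounding slack
    return messages, boundaries


def dte_encode(dte, message, rng=os.urandom):
    """Pick a uniformly random seed from the message's own interval."""
    messages, boundaries = dte
    i = messages.index(message)
    lo = boundaries[i - 1] if i else 0
    hi = boundaries[i]
    return lo + int.from_bytes(rng(8), "big") % (hi - lo)


def dte_decode(dte, seed):
    """Map any seed in [0, SEED_SPACE) to the message whose interval holds it."""
    messages, boundaries = dte
    return messages[bisect.bisect_right(boundaries, seed)]


def _pad(password, salt):
    # Password-derived one-time pad over the seed space (assumed construction).
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              KDF_ITERATIONS, dklen=SEED_BITS // 8)
    return int.from_bytes(key, "big")


def honey_encrypt(dte, password, message, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    seed = dte_encode(dte, message)
    return salt, (seed + _pad(password, salt)) % SEED_SPACE


def honey_decrypt(dte, password, salt, ciphertext):
    """Never fails: a wrong password gives a different seed, and every seed
    decodes to some plausible message, so the guesser gets no error signal."""
    seed = (ciphertext - _pad(password, salt)) % SEED_SPACE
    return dte_decode(dte, seed)


def decoy_histogram(dte, salt, ciphertext, guesses):
    """What a brute-forcer sees across many wrong passwords: one decoy each,
    distributed like the modelled message space."""
    return Counter(honey_decrypt(dte, g, salt, ciphertext) for g in guesses)


if __name__ == "__main__":
    dte = build_dte(MESSAGE_DISTRIBUTION)
    salt, ct = honey_encrypt(dte, "vault-master-pw", "hunter2")
    print("right password ->", honey_decrypt(dte, "vault-master-pw", salt, ct))
    wrong = [f"guess{i}" for i in range(200)]
    print("wrong passwords ->", decoy_histogram(dte, salt, ct, wrong))
```

Running it shows the right password recovering the stored entry while the 200 wrong guesses return a spread of decoys roughly matching the frequencies in MESSAGE_DISTRIBUTION. A conventional authenticated scheme would instead reject every wrong guess, which is exactly the oracle a brute-force attack needs; the defender's job with a honey scheme shifts to getting the distribution model right, because a decoy that looks nothing like real data, or a known plaintext under the same password, gives that oracle back.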
