Building Deception Into Encryption Software - Slashdot

Follow Slashdot stories on Twitter

×

Building Deception Into Encryption Software 106

Posted by Soulskill on Wednesday January 29, 2014 @03:06PM from the would-be-better-to-build-decepticons dept.

holy_calamity writes "MIT Technology Review reports on a new cryptosystem designed to protect stolen data against attempts to break encryption by brute force guessing of the password or key. Honey Encryption serves up plausible fake data in response to every incorrect guess of the password. If the attacker does eventually guess correctly, the real data should be lost amongst the crowd of spoof data. Ari Juels, who invented the technique and was previously chief scientist at RSA, is working on software to protect password managers using the technique."

This discussion has been archived. No new comments can be posted.

Building Deception Into Encryption Software

Search 106 Comments Log In/Create an Account

Comments Filter:

Re:This is more of authentication than encryption. (Score:2, Insightful)

by Anonymous Coward writes: on Wednesday January 29, 2014 @03:30PM (#46102875)

This works provided you don't have a known cleartext to test against. So if I had a known credit card or password in the database (by signing up legitimately for a website that uses th is) then I have a method of determining the dataset to be decrypted.

Parent Share
twitter facebook
Re:This is more of authentication than encryption. (Score:4, Insightful)

by Joce640k ( 829181 ) writes: on Wednesday January 29, 2014 @03:33PM (#46102925) Homepage

Why would an attacker be using the enemy-provided 'honey' program to try to brute force the decryption?
Surely he'd use a program that isn't known for serving up fake results.

Parent Share
twitter facebook
Re:Security through obscurity (Score:4, Insightful)

by hawguy ( 1600213 ) writes: on Wednesday January 29, 2014 @03:35PM (#46102943)

I guess it DOES have some benefit, huh?
People misunderstand what "security through obscurity" means. Most (all?) encryption relies on security through obscurity at some level.
Hiding your house key under a loose floorboard in your back deck is the kind of security through obscurity that can really work, assuming that there are no other clues that lead to the hiding place. However, hiding the prybar that you use to pry up the floorboard under the belief that hiding the method of access makes your key safer is not the kind of obscurity that works because if the attacker can find your hiding place, he can figure another way to get to the key.
Similarly, hiding or not writing down your password is security through obscurity that works. But trying to hide the implementation details of your cipher algorithm does not, because cryptoanalysis can break your encryption even without access to your encryption algorithm.
So, obscuring your real password among an endless number of fake passwords is the kind of obscurity that can work -- even if the attacker knows that your password is somewhere among the billions of fake ones, unless he has some clue to tell him what your real password looks like, just knowing that fakes are there doesn't help him.

Parent Share
twitter facebook

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

390 comments32-Hour Workweek for America Proposed by Senator Bernie Sanders
358 commentsWhat Should Happen to Empty Downtown Office Spaces?
340 commentsHacktivism Erupts In Response To Hamas-Israel War
324 comments'Feedback' Is Now Too Harsh. The New Word is 'Feedforward'
248 commentsWorkers are Resisting Calls to Return to Offices

Understanding is always the understanding of a smaller problem in relation to a bigger problem. -- P.D. Ouspensky