Building Deception Into Encryption Software - Slashdot

Follow Slashdot stories on Twitter

×

Building Deception Into Encryption Software 106

Posted by Soulskill on Wednesday January 29, 2014 @03:06PM from the would-be-better-to-build-decepticons dept.

holy_calamity writes "MIT Technology Review reports on a new cryptosystem designed to protect stolen data against attempts to break encryption by brute force guessing of the password or key. Honey Encryption serves up plausible fake data in response to every incorrect guess of the password. If the attacker does eventually guess correctly, the real data should be lost amongst the crowd of spoof data. Ari Juels, who invented the technique and was previously chief scientist at RSA, is working on software to protect password managers using the technique."

This discussion has been archived. No new comments can be posted.

Building Deception Into Encryption Software

Search 106 Comments Log In/Create an Account

Comments Filter:

This is more of authentication than encryption... (Score:3, Interesting)

by mlts ( 1038732 ) writes: on Wednesday January 29, 2014 @03:11PM (#46102643)

TFA was murky, but generating bogus data? If one is brute forcing a data blob, how can it make stuff up? Authentication is another story.
Are they meaning to make a system similar to Phonebookfs? This is an interesting filesystem used with FUSE. You have different layers over the same directory, so one encryption key may allow you to grab one set of files, another key, a different set. Then there is chaff present that cannot be decrypted under any circumstances and provides plausible deniability.
Is something like phonebookfs what they are intending?

Share
twitter facebook
Re:interesting idea (Score:4, Interesting)

by hawguy ( 1600213 ) writes: on Wednesday January 29, 2014 @03:22PM (#46102769)

So you decrypt something and it *looks* like real data.
So it would have to be a function that produces 'good' results and 'bad results' but the bad results look like good ones.
Would have to be careful that the 'bad' results do not do things like open the lock though. For instant in the case of login list breaches.
If randomly generated "fake" data matches someone else's password (or whatever is being encrypted), that other person didn't use a strong enough password. This system is just acting like a hash function -- criminal tries password A and he decrypts the data to some string, then he tries password B and the data gets decrypted to another string. If those randomly generated strings happen to match someone elses password on the system, the criminal could have saved himself some time by generating the password guesses himself.

Parent Share
twitter facebook
Fake info generation to stop intrusive phone apps (Score:5, Interesting)

by Animats ( 122034 ) writes: on Wednesday January 29, 2014 @03:28PM (#46102853) Homepage

I'd been looking into this in a slightly different context. Recently, at Hacker Dojo, someone demonstrated an Android mod to me which dealt with applications that demand too many privileges. It has the usual "disable privileges" option, but for apps that won't run with privileges disabled, it sends fake info.
The demo showed generation of fake phone serial numbers and such. That's easy. Apps that improperly try to upload your address book, though, require generation of a plausible, but fake, address book. That's wasn't in the demo, but it's worth doing. Location data should probably be sent as a random walk from some random starting point.
If enough people do this, it will garbage marketing databases.

Share
twitter facebook
Re:This is more of authentication than encryption. (Score:5, Interesting)

by Phreakiture ( 547094 ) writes: on Wednesday January 29, 2014 @04:23PM (#46103319) Homepage

Consider a case of a credit card number. A CC# consists of 15 digits plus a check digit for 16 digits total.
Now, in encrypting, validate the check digit and then drop it. Take the remaining 15 digits and express them as a binary value. It should be around 50 bits. XOR it against a 50-bit mask, and that will be your ciphertext value.
To decrypt, XOR against that same value and recompute the check digit.
Any incorrect value will produce a number that passes basic validation (as long as it doesn't exceed 2^15).
For bonus points, you can probably encode the first digit in only 2 bits, because most cards begin with 3, 4, 5 or 6, depending on the issuer.
Now, is this a good encryption scheme? Maybe not, but it does at least demonstrate the concept.

Parent Share
twitter facebook
Re:This is more of authentication than encryption. (Score:4, Interesting)

by Splab ( 574204 ) writes: on Wednesday January 29, 2014 @04:27PM (#46103343)

Many a years ago I had a phone that included a password storage application. You gave it a 4 digit pin and it would show you a checkword, then list all your passwords (key->value). If the pin was wrong, it would still give you a checkword, but different from what your correct word get and then list all the same keys, but different passwords.
Was a pretty nice application, but can't remember the make of the phone, probably a Sony-Ericsson.

Parent Share
twitter facebook

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

390 comments32-Hour Workweek for America Proposed by Senator Bernie Sanders
358 commentsWhat Should Happen to Empty Downtown Office Spaces?
340 commentsHacktivism Erupts In Response To Hamas-Israel War
324 comments'Feedback' Is Now Too Harsh. The New Word is 'Feedforward'
248 commentsWorkers are Resisting Calls to Return to Offices

Understanding is always the understanding of a smaller problem in relation to a bigger problem. -- P.D. Ouspensky