Honey Encryption joins Honeywords and Honeypots in the Security Lexicon

30 January 2014

'Honey' is the traditional term used to indicate a 'decoy' in computing. Two researchers have now used the epithet to describe their process of hiding a true key within a large number of false keys, making brute forcing stolen databases considerably more tricky.

Security by obscurity is often dismissed, but hiding in plain sight really can sometimes work. This is the principle behind a new approach to encryption key security developed by Ari Juels (former chief scientist at RSA) and Thomas Ristenpart (of the University of Wisconsin), which gives a new layer of protection for passwords and encryption keys.

The principle is very simple: instead of returning a 'fail' or nothing or garbage when a password or key is incorrectly entered, it returns fake but plausible information. It is designed to make brute forcing stolen password/credit card databases more difficult.

Brute forcing usually uses software and dictionaries to repeatedly guess the key until the correct one is found. MIT Technology Review explains how the Honey Encryption principle makes this more difficult: "If an attacker used software to make 10,000 attempts to decrypt a credit card number, for example, they would get back 10,000 different fake credit card numbers. 'Each decryption is going to look plausible,' says Juels. 'The attacker has no way to distinguish a priori which is correct.'"
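To make the principle concrete, here is a toy honey encryption scheme for 16-digit card numbers. It is an added illustration, not code from Juels and Ristenpart's paper. It assumes the simplest possible distribution-transforming encoder (card numbers treated as uniform over all 16-digit strings with a valid Luhn check digit), and it uses a modular-addition pad derived from the key via HMAC in place of a real cipher; the key strings and the card number are constructed test values. The point it shows is the one in the quote: decrypting under any wrong key still yields a number that passes the same plausibility check as the real one.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Message space: every 16-digit string whose last digit is the Luhn check digit
# of the first 15, i.e. 10**15 messages, indexed by their 15-digit prefix.
MSG_SPACE = 10**15


def luhn_check_digit(prefix15: str) -> str:
    """Return the digit d such that prefix15 + d passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(prefix15)):
        d = int(ch)
        if i % 2 == 0:  # digit next to the check digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Standard Luhn validation over the full number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def dte_encode(card: str) -> int:
    """Distribution-transforming encoder: message -> seed in [0, MSG_SPACE).
    Assumes (unrealistically, see the note below) that real card numbers are
    uniform over the message space, so the 15-digit prefix is already a seed."""
    if len(card) != 16 or not card.isdigit() or not luhn_valid(card):
        raise ValueError("not a 16-digit Luhn-valid number")
    return int(card[:15])


def dte_decode(seed: int) -> str:
    """Seed -> message. Every seed maps to some valid-looking card number."""
    prefix = f"{seed % MSG_SPACE:015d}"
    return prefix + luhn_check_digit(prefix)


def keystream(key: str, nonce: bytes) -> int:
    """Key-derived pad in [0, MSG_SPACE); the modulo bias from a 256-bit digest
    is on the order of 10**15 / 2**256 and can be ignored here."""
    digest = hmac.new(key.encode(), nonce, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % MSG_SPACE


def honey_encrypt(key: str, card: str, nonce: Optional[bytes] = None) -> Tuple[bytes, int]:
    """Encode the message to a seed, then mask the seed with the key-derived pad."""
    nonce = nonce if nonce is not None else os.urandom(16)
    return nonce, (dte_encode(card) + keystream(key, nonce)) % MSG_SPACE


def honey_decrypt(key: str, nonce: bytes, ct: int) -> str:
    """Unmask with whatever key is offered; decoding never fails."""
    return dte_decode((ct - keystream(key, nonce)) % MSG_SPACE)


def brute_force_view(nonce: bytes, ct: int, guesses: List[str]) -> List[str]:
    """What an attacker trying each guessed key sees: one plausible card per guess."""
    return [honey_decrypt(g, nonce, ct) for g in guesses]


if __name__ == "__main__":
    card = "4111111111111111"  # constructed, Luhn-valid test value
    nonce, ct = honey_encrypt("right-key", card)
    print("correct key ->", honey_decrypt("right-key", nonce, ct))
    guesses = ["guess1", "guess2", "guess3"]  # constructed wrong keys
    for guess, fake in zip(guesses, brute_force_view(nonce, ct, guesses)):
        print(f"wrong key {guess!r} -> {fake}  Luhn ok: {luhn_valid(fake)}")
```

The hard part of a real scheme, which this toy skips, is the encoder: actual card numbers are far from uniform (issuer prefixes, expiry correlations), so a naive encoder would let an attacker discard decryptions that land on implausible prefixes. The security of honey encryption rests on how closely the decoder's output distribution matches the real message distribution, which is why the scheme is a fit for well-modelled data such as card numbers and PINs rather than arbitrary text.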

Honey Encryption seems to have evolved out of the Honeywords project jointly undertaken by Juels and Ron Rivest (the 'R' of RSA). "Honeywords," explains its associated FAQ, "are a defense against stolen password files. Specifically, they are bogus passwords placed in the password file of an authentication server to deceive attackers." It inserts false passwords into the password database.

An attacker could steal and brute force all of the passwords – but if the majority of them are Honeywords, then statistically the attacker is likely to use a false one. "If a honeyword-enabled system detects an attempt to login using a honeyword, it raises an alarm indicating that the password file has been compromised."
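The honeyword mechanism described in the two paragraphs above, written out as an added example rather than the Honeywords project's own code: each user record holds salted hashes of several "sweetwords" (the real password plus decoys), and a separate minimal service, which the Honeywords paper calls the honeychecker, is the only component that knows which slot is real. The password file alone therefore does not reveal which hash to crack, and a login with any decoy means the file has leaked. Class and function names, the PBKDF2 parameters, and the "tweak the trailing digits" decoy generator are this example's own choices; the user name and passwords are constructed test values.

```python
import hashlib
import os
import secrets
from typing import Dict, List


def hash_sweetword(word: str, salt: bytes) -> bytes:
    """Stand-in for whatever password hash the server already uses."""
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, 20_000)


class Honeychecker:
    """Separate, minimal service that learns only the index of the real password.
    Keeping this index off the authentication server is what makes a stolen
    password file useless for telling honeywords from the real password."""

    def __init__(self) -> None:
        self._real_index: Dict[str, int] = {}

    def set(self, user: str, index: int) -> None:
        self._real_index[user] = index

    def check(self, user: str, index: int) -> bool:
        return self._real_index.get(user) == index


class HoneywordAuth:
    """Authentication server holding salted hashes of k+1 sweetwords per user."""

    def __init__(self, checker: Honeychecker) -> None:
        self.checker = checker
        self.records: Dict[str, dict] = {}
        self.alarms: List[str] = []  # users whose file compromise was detected

    def add_user(self, user: str, password: str, honeywords: List[str]) -> None:
        if password in honeywords or len(set(honeywords)) != len(honeywords):
            raise ValueError("honeywords must be distinct and differ from the password")
        sweetwords = list(honeywords)
        real_index = secrets.randbelow(len(sweetwords) + 1)
        sweetwords.insert(real_index, password)  # real password sits in a random slot
        salt = os.urandom(16)
        self.records[user] = {
            "salt": salt,
            "hashes": [hash_sweetword(w, salt) for w in sweetwords],
        }
        self.checker.set(user, real_index)  # index never stored in the password file

    def login(self, user: str, attempt: str) -> str:
        """Return 'ok', 'fail', or 'alarm' (a honeyword was presented)."""
        rec = self.records.get(user)
        if rec is None:
            return "fail"
        h = hash_sweetword(attempt, rec["salt"])
        matches = [i for i, stored in enumerate(rec["hashes"])
                   if secrets.compare_digest(stored, h)]
        if not matches:
            return "fail"
        if self.checker.check(user, matches[0]):
            return "ok"
        # A sweetword matched but it is not the real one. Nobody legitimately knows
        # that string, so the password file has been stolen and cracked.
        self.alarms.append(user)
        return "alarm"


def tweak_tail_honeywords(password: str, k: int) -> List[str]:
    """Decoy generator of the 'tweak the tail' kind: keep the password's stem and
    replace its trailing digits with fresh random digits (at least two), so the
    decoys are as plausible as the original to someone reading the cracked file."""
    stem = password.rstrip("0123456789")
    ndigits = max(len(password) - len(stem), 2)
    out: set = set()
    while len(out) < k:
        candidate = stem + "".join(str(secrets.randbelow(10)) for _ in range(ndigits))
        if candidate != password:
            out.add(candidate)
    return sorted(out)


if __name__ == "__main__":
    auth = HoneywordAuth(Honeychecker())
    auth.add_user("alice", "summer2014", tweak_tail_honeywords("summer2014", 19))
    print(auth.login("alice", "summer2014"))  # ok
    print(auth.login("alice", "letmein"))     # fail
    decoy = next(w for w in tweak_tail_honeywords("summer2014", 1))
    print(auth.login("alice", decoy))          # fail unless that decoy was stored
```

The detection logic lives entirely in `login`: an ordinary wrong guess hashes to nothing in the record and is just a failure, while a match on a non-real slot is treated as evidence of a stolen file, which is the alarm the FAQ describes. With twenty sweetwords per user an attacker who has cracked the whole file and picks one at random trips the alarm nineteen times out of twenty.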

It isn't yet clear whether Honey Encryption will include a similar 'alarm' system (the authors plan to present their research paper at Eurocrypt 2014 in Copenhagen in May); but MIT Technology Review notes that Juels is already working on an application of the principle to protect password managers. These applications can automatically generate very strong passwords, but are often themselves protected by weak user-generated master passwords.

But, it says, "if those vaults were protected with Honey Encryption, each incorrect attempt to decrypt a vault would yield a fake one instead."
