Slashdot Mirror

← Back to Stories (view on slashdot.org)

Building Deception Into Encryption Software

Posted by Soulskill on from the would-be-better-to-build-decepticons dept.

holy_calamity writes "MIT Technology Review reports on a new cryptosystem designed to protect stolen data against attempts to break encryption by brute force guessing of the password or key. Honey Encryption serves up plausible fake data in response to every incorrect guess of the password. If the attacker does eventually guess correctly, the real data should be lost amongst the crowd of spoof data. Ari Juels, who invented the technique and was previously chief scientist at RSA, is working on software to protect password managers using the technique."

4 of 106 comments (clear)

  1. Re:This is more of authentication than encryption. by js_sebastian · · Score: 5, Informative

    TFA was murky, but generating bogus data? If one is brute forcing a data blob, how can it make stuff up?

    Actually, it wasn't murky. That it cannot work for arbitrary data types is spelled out towards the end. This is for data of which the encryption system knows the data type well enough to fake it, and the encryption system has to be built to target the specific data type. The examples given are credit card numbers or passwords.

    For instance imagine a password manager that, for every decryption attempt with a wrong master password, returns a different set of bogus but plausible passwords. How would a brute force attack automatically determine which one is the "real" set of passwords of the user, even if it can guess the right password?

  2. Fake info generation to stop intrusive phone apps by Animats · · Score: 5, Interesting

    I'd been looking into this in a slightly different context. Recently, at Hacker Dojo, someone demonstrated an Android mod to me which dealt with applications that demand too many privileges. It has the usual "disable privileges" option, but for apps that won't run with privileges disabled, it sends fake info.

    The demo showed generation of fake phone serial numbers and such. That's easy. Apps that improperly try to upload your address book, though, require generation of a plausible, but fake, address book. That's wasn't in the demo, but it's worth doing. Location data should probably be sent as a random walk from some random starting point.

    If enough people do this, it will garbage marketing databases.

  3. Re:Fake info generation to stop intrusive phone ap by sayno2quat · · Score: 5, Informative

    There is XPrivacy, which uses the XPosed framework. That doesn't disable permissions, but rather sends fake data to the app.

    --
    Sure I sold you robot insurance. But you were attacked by a cyborg. Not covered.
  4. Re:This is more of authentication than encryption. by Phreakiture · · Score: 4, Interesting

    Consider a case of a credit card number. A CC# consists of 15 digits plus a check digit for 16 digits total.

    Now, in encrypting, validate the check digit and then drop it. Take the remaining 15 digits and express them as a binary value. It should be around 50 bits. XOR it against a 50-bit mask, and that will be your ciphertext value.

    To decrypt, XOR against that same value and recompute the check digit.

    Any incorrect value will produce a number that passes basic validation (as long as it doesn't exceed 2^15).

    For bonus points, you can probably encode the first digit in only 2 bits, because most cards begin with 3, 4, 5 or 6, depending on the issuer.

    Now, is this a good encryption scheme? Maybe not, but it does at least demonstrate the concept.

    --
    www.wavefront-av.com