Researchers are attempting to beat hackers at their own game. Photo: Matt Davidson
Security researchers have devised a cunning trick to foil hackers' attempts to crack encrypted data: convincing lies.
One way of stopping cyber attackers is to try to block every attempt to penetrate systems - an arduous task for even the most secure of infrastructures. Another, taking a leaf from ‘honey trap’ spies, is to welcome adversaries into a world of deceit.
Decoy systems known as honeypots have helped computer defenders combat spammers and hackers for years. Taking a cue from this approach, researchers Ari Juels and Thomas Ristenpart from the University of Wisconsin–Madison, in the US, have unveiled Honey Encryption - a scheme that uses phoney secrets to withstand exhaustive guessing attacks on encrypted data, such as an encryption key one might use to unlock a private message.
Honey Encryption reverses what normally would happen if an attacker were to nab encrypted data and tried to decode it with an incorrect password. Instead of producing an indecipherable response to each failed attempt, Honey Encryption offers up plausible but fake “honey” messages. Every wrong attempt produces another bogus possibility.
The scheme is meant to tackle automated computer-based guessing attacks capable of millions of attempts until they hit the jackpot. Faced with Honey Encryption, the attacker would then need to sift through each bogus possibility to determine which one was real.
Despite the appeal of turning an attacker’s strength into a weakness, Juels told IT Pro that it’s limited to scenarios where encrypted data, such as a crypto key, is derived from passwords.
It wouldn’t, for example, be used to protect a company’s database of passwords. That rules out the scheme for large databases containing passwords for multiple users, such as the stolen file with Adobe’s 152 million encrypted passwords found online.
However, Juels said it would be well-suited to “password vaults”, which people often use to cope with the proliferation of logins for different accounts. Examples of password stores include the open source KeePass, or the popular LastPass, which rely on one encrypted master password to protect a list of others. The problem is that master passwords can be stolen.
“[Password vaults] are often stored in the cloud, and vulnerable to capture and cracking, resulting in a very serious loss of all of a user's passwords,” said Juels.
This happened to users of LastPass in a breach in 2011. The master passwords were encrypted, but LastPass was concerned its users chose passwords found in a dictionary, which are more prone to guessing attacks than non-dictionary words or phrases.
“If such a vault is encrypted under a good Honey Encryption scheme, then on attempting to decrypt it with an incorrectly guessed password, the attacker would obtain a valid-looking but incorrect list of passwords,” explained Juels.
The catch to developing any decoy system, though, is generating plausible passwords. Fortunately, said Juels, there are rich pickings for these, such as the 32 million that were exposed in the 2009 breach of the social network RockYou, or even password cracking software.
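The mechanism Juels describes, as an added toy example that is not code from the paper or the article: a distribution-transforming encoder maps each plausible vault password to a range of seeds sized by its assumed frequency, the seed is masked with a password-derived pad, and any wrong guess unmasks a seed that still decodes to a plausible password. The four-entry password distribution, the 32-bit seed space and the PBKDF2 parameters are assumptions chosen to keep the example small.

```python
import hashlib
import os
import secrets

# Constructed toy message space: vault passwords with assumed frequencies.
# A real deployment would fit these from leaked-password statistics.
MESSAGE_DIST = {
    "password": 0.40,
    "123456": 0.30,
    "letmein": 0.20,
    "iloveyou": 0.10,
}
SEED_BITS = 32
SEED_SPACE = 1 << SEED_BITS


def _table():
    """Cumulative seed ranges per message: message -> (lo, hi)."""
    table, lo = {}, 0
    items = list(MESSAGE_DIST.items())
    for i, (msg, p) in enumerate(items):
        hi = SEED_SPACE if i == len(items) - 1 else lo + int(p * SEED_SPACE)
        table[msg] = (lo, hi)
        lo = hi
    return table


def dte_encode(message):
    """Distribution-transforming encoder: uniform random seed in the message's range."""
    lo, hi = _table()[message]
    return lo + secrets.randbelow(hi - lo)


def dte_decode(seed):
    """Inverse DTE: every seed in the space maps to some plausible message."""
    for msg, (lo, hi) in _table().items():
        if lo <= seed < hi:
            return msg
    raise ValueError("seed outside seed space")


def _pad(password, salt):
    # Password-derived 32-bit pad; PBKDF2 parameters are an assumption.
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, dklen=4)
    return int.from_bytes(key, "big")


def honey_encrypt(password, message, salt=None):
    salt = salt or os.urandom(16)
    return salt, dte_encode(message) ^ _pad(password, salt)


def honey_decrypt(password, salt, ciphertext):
    # A wrong password yields a uniformly random seed, hence a decoy message.
    return dte_decode(ciphertext ^ _pad(password, salt))
```

Decrypting with the right password always recovers the stored message, while every wrong guess returns one of the other entries with its assumed frequency, so a brute-force run sees nothing but plausible vaults.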