Traps are constantly set on the Internet to snare hackers in order to research their behavior and tactics. Many of these traps are known as honeypots, which are deliberately unpatched computers or infrastructure exposed to the Internet that lure attackers to break in while their actions are recorded.
However, these decoys are not usually built into security processes. That was the original idea behind Honey Encryption.
What is Honey Encryption?
“Decoys and deception are really underexploited tools in fundamental computer security,” said Ari Juels, former chief scientist at computer security company RSA, who together with Thomas Ristenpart, of the University of Wisconsin, has developed a new encryption system with a devious streak.
The project called Honey Encryption was presented at the Eurocrypt conference in Copenhagen in the spring of 2014. It gives encrypted data an additional layer of protection by serving up fake data in response to every incorrect guess of the password or encryption key. If the attacker does eventually guess correctly, the real data should be lost amongst the crowd of spoof data.
This approach could be valuable given how frequently large encrypted stashes of sensitive data fall into the hands of criminals. After capturing encrypted data, criminals often use software to repeatedly guess the password or cryptographic key used to protect it. The design of conventional cryptographic systems makes it easy to know when such a guess is correct or not: the wrong key produces a garbled mess, not a recognizable piece of raw data.
“With Honey Encryption,” said Juels, “he gets something that looks like real context.” When the wrong key is used to decrypt something protected by their system, the Honey Encryption software generates a piece of fake data resembling the true data. If an attacker used software to make 10,000 attempts to decrypt a credit card number, for example, they would get back 10,000 different fake credit card numbers. “Each decryption is going to look plausible,” says Juels. “The attacker has no way to distinguish a priori which is correct.”
The initial motivation behind the project was the security of password vaults. Services such as LastPass, which was breached in 2011, enable users to secure a number of passwords with a master; synchronization of these services is often done in the cloud. The problem is that many people use an insecure master password to protect their collection, and that makes password managers a very attractive target for criminals. “The way they’re constructed discourages the use of a strong password because you’re constantly having to type it in—also on a mobile device in many cases,” said Juels. If one of these providers is breached, an attacker can crack the master password associated with any vault and extract all of their passwords. But if those vaults were protected with Honey Encryption, each incorrect attempt to decrypt a vault would yield a fake one instead.
How does Honey Encryption work?
According to Juels, the idea behind honey encryption is a bit like that of the one-time pad, the concept developed by Claude Shannon during WWII. Trying to keep is as simple as possible, the notion behind one-time pads is that for “any desired plaintext M there exists a key that decrypts a given ciphertext to M.”
For example you may consider a variant that maps letters to their ordinal values and performs letter-by-letter mod 26 addition. The 14-letter ‘WEINVADESICILY’ plaintext can be encrypted using a 14-letter key to produce the ciphertext XGSRURRJTXAGQX. But so does plaintext ‘WEINVADEGREECE’ given another 14-letter key.
Thus, even if an adversary had an extremely powerful computer that could try all possible keys, it couldn’t tell when it had decrypted correctly. Unfortunately, the one-time pad requires a key as long as the message it encrypts and it cannot easily be used with weak keys such as passwords.
“The idea behind honey encryption is to relax the one-time pad to obtain a similar but somewhat weaker guarantee. The goal is to enable a sender to encrypt a message M under a potentially weak password P such that even an attacker with unbounded computing power cannot recover M with high probability,” says Juels.
In order to build a honey encryption scheme, we need to be aware of the users’ statistical behavior. For example, when users select a four-digit PIN, 1234 is selected by 10,7% of the users. Therefore, behind honey encryption runs an algorithm that takes passwords as an input and outputs messages according to the statistical model we have chosen. Going back to our PIN example, given a random password, an algorithm for four-digit PINs will output the PIN 1234 with probability 10,7%.
In honey encryption, a ciphertext is a way of “manipulating” this algorithm A so that the correct password P yields the correct message M. In addition, other incorrect passwords will still output effectively random sample messages according to the statistical model. The importance of honey encryption is that any password input to the algorithm results in a valid message. Using statistical models increases the effectiveness of honey encryption scheme: the messages resulting from the decryption with an incorrect password don’t just look correct, they also look as plausible choices.
“Given a ciphertext produced by honey encryption, the best an adversary can do to crack it is take her best guess P’ at the password P, decrypt, and treat the output M’ as a guess for M. Sometimes the adversary will be right, and M = M’, but the adversary will not know whether her guess is correct. And most of the time, even if P is an ordinary password, M’ will be incorrect,” concludes Juels.
As Juels and Ristenpart mention in the abstract of their paper “honey encryption (HE) [is], a simple, general approach to encrypting messages using low min-entropy keys such as passwords. HE is designed to produce a ciphertext which, when decrypted with any of a number of incorrect keys, yields plausible-looking but bogus plaintexts called honey messages. A key benefit of HE is that it provides security in cases where too little entropy is available to withstand brute-force attacks that try every key; in this sense, HE provides security beyond conventional brute-force bounds.”
“The model doesn’t have to be perfect to be good,” Juels said. “If just half of the decryption attempts yield something plausible, you still achieve the desired bafflement of the attacker.”
Honey Encryption and Machine Identities
In RSA-based client authentication used to authorize access to a remote service using HTTPS or SSH, the client stores the RSA secret / private key and registers the corresponding public key with the remote service. For an enhanced security, practitioners recommend encrypting the client’s secret key under a password to provide defense-in-depth in case the client’s system is passively compromised. With password-based encryption, though, an attacker can mount an offline brute-force attack against the encrypted secret key.
An attacker can quickly test the correctness of a candidate secret key. The existing password-based encryption methods used to protect private data are vulnerable in face of brute-force attacks, as the attacker can determine whether the guessed key is correct or not by looking at the output of the decryption process. In addition, given the passwords used in practice, key-hardening mechanisms such as hashing, do not provide an effective slowdown against brute-force attack. Cracking a password-encrypted RSA secret key remains fairly easy. The honey encryption technique is a countermeasure for the above vulnerability.
Although effective, honey encryption, is not helpful when the attacker already has a few of the puzzle pieces, for example the public key associated with the private key. In this case it will be useless in the protection of HTTPS certificate keys.