Give hackers your data, says former RSA man

Just don't make it real data: feeding them fakes should see them off


Former RSA chief scientist Ari Juels has outlined a cunning way to foil crackers: let them think they've busted into a system and then give them fake data to play with.

The idea is not entirely novel because Juels last year proposed a scheme he called “Honeywords” in this paper, co-authored with RSA founder Ronald Rivest. Honeywords is a kind of “security by obscurity”, but in a good way: instead of an attacker stealing a table that has one password per user, the password table has the real password as well as a bunch of fakes – the “honeywords” – for each user.

As well as putting a potential fog of confusion in front of an attacker, a system could be set up to raise an alarm on attempts to log in using the honeywords, because that's a reliable indicator that the password table has been accessed.
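As an added illustration, not code from the article or from Juels and Rivest's paper, here is a minimal Python model of a honeyword-protected password store with a separate "honeychecker" that knows only which slot holds the real password. The honeywords themselves are supplied by the caller, which is an assumption: generating decoys that look as plausible as the real password is its own problem and is not shown here.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demo of the honeyword scheme: each user has one real password
# plus several honeywords ("sweetwords"), all hashed in the main table.
# Only the honeychecker knows which index is genuine.

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class HoneyChecker:
    """Separate, minimal service holding only the index of each user's real
    password, so a stolen copy of the password table alone does not reveal it."""
    def __init__(self):
        self._real_index = {}

    def set_index(self, user: str, index: int) -> None:
        self._real_index[user] = index

    def is_real(self, user: str, index: int) -> bool:
        return self._real_index.get(user) == index

class PasswordStore:
    """Main system: one salt and the hashes of all sweetwords per user."""
    def __init__(self, checker: HoneyChecker):
        self.checker = checker
        self.table = {}      # user -> (salt, [hash of each sweetword])
        self.alarms = []     # (user, index of the honeyword that was used)

    def register(self, user: str, password: str, honeywords: list) -> None:
        if password in honeywords:
            raise ValueError("honeywords must differ from the real password")
        sweetwords = [password] + list(honeywords)
        secrets.SystemRandom().shuffle(sweetwords)   # hide which slot is real
        salt = os.urandom(16)
        self.table[user] = (salt, [hash_pw(w, salt) for w in sweetwords])
        self.checker.set_index(user, sweetwords.index(password))

    def login(self, user: str, attempt: str) -> str:
        """Returns 'ok', 'fail', or 'honeyword' (which also records an alarm)."""
        if user not in self.table:
            return "fail"
        salt, hashes = self.table[user]
        h = hash_pw(attempt, salt)           # one slow hash per attempt
        matches = [i for i, s in enumerate(hashes) if hmac.compare_digest(h, s)]
        if not matches:
            return "fail"                    # ordinary typo or guess
        if self.checker.is_real(user, matches[0]):
            return "ok"
        # A honeyword is only knowable from the stolen table: treat as a breach signal.
        self.alarms.append((user, matches[0]))
        return "honeyword"
```

A plain wrong guess returns "fail" without an alarm; only a sweetword that is not the real password trips the breach signal, which is what makes the alarm a reliable indicator of table theft rather than of user typos.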

Juels' new “Honey Encryption” proposal, with co-developer Thomas Ristenpart of the University of Wisconsin, takes this idea a step further by refining a system's response to unauthorised access attempts: instead of a login failure, the attacker would be served up fake data that resembles real data.

As MIT Review reports, even if an attacker eventually hits upon the right user ID / password combination, “the real data should be lost amongst the crowd of spoof data.”

For example, ten thousand attempts to get a credit card number would yield ten thousand fake-but-plausible numbers, leaving the attacker with the job of testing the validity of each number. Even better: if an attacker was trying to access a system's password store, each failed attempt at the master password would yield fake data.

MIT Review says Juels is now working on the code for a fake password vault generator for use with the Honey Encryption scheme. ®


Biting the hand that feeds IT © 1998–2020