Baffle thy enemy: The case for Honey Encryption

Credit: Symantec

( —Database breaches are making today's headlines, revealing events where thieves scoff up millions of passwords. Security experts meanwhile think about, talk about and work towards fighting against such crimes. A fresh twist in the security arsenal might be to simply baffle criminals by unleashing a flood of data that appears real but is fake. "Honey Encryption" is an approach being proposed to protect sensitive data. You beat attackers by making it difficult to figure out if the password or encryption key they are trying to steal is correct or incorrect.

A discussion about the approach on Wednesday in Threatpost said the tool results in the attacker seeing a plausible-looking password or encryption key which is actually incorrect, and the attacker cannot tell the information is incorrect. The two people behind this Honey Encryption approach is Ari Juels, former chief scientist at computer security company RSA, and Thomas Ristenpart, an assistant professor at the University of Wisconsin.

As it is now, a criminal intruder, with each try of an incorrect key, sees gibberish. The unsuccessful try clearly indicates it is not what he or she wants. With honey encryption, however, trying to guess the password or becomes mystifying; the attacker is dealing with thousands of, say, fake credit card numbers, and each one looks plausible. A report about their work in MIT Technology Review said Juels was convinced that "by now enough password dumps have leaked online to make it possible to create fakes that accurately mimic collections of real passwords."

In October, Juels had said that "Honeywords and honey-encryption represent some of the first steps toward the principled use of decoys, a time-honored and increasingly important defense in a world of frequent, sophisticated, and damaging breaches." He said that the honeywords and honey encryption are joint work, respectively, with Ron Rivest and Tom Ristenpart. He said honey-encryption creates "ciphertexts that decrypt under incorrect keys to seemingly valid (decoy) messages."

The Honey Encryption system, meanwhile, will be the subject of a paper later this year when Juels and Ristenpart present their "Honey Encryption: Security Beyond the Brute-Force Bound" at the Eurocrypt conference in May, an event that is focused on cryptographic techniques, in Copenhagen.

Explore further

Research trio crack RSA encryption keys by listening to computer noise

© 2014

Citation: Baffle thy enemy: The case for Honey Encryption (2014, January 30) retrieved 20 August 2019 from
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Feedback to editors

User comments

Jan 30, 2014
A simpler way is not to keep the passwords at all but store a hash vale of the password (such as SHA).

Jan 30, 2014
As I said previously, the best defense is to include rubbish in everything. All my PC's respond with rubbish to interrogation. During war mis-information has been the most effective weapon. Those that wish to data mine me better have developed a lie detector. The more crap data they capture the more time they waste and bog them down. Best defense on the internet is lots of data with only you knowing what data is the truth. That's why data mining is ultimately useless, too much information obscures the real picture.

Jan 31, 2014
very interesting concept ... and by the way it's *thine* enemy.

Mar 29, 2014
and by the way it's *thine* enemy.

Source? Because all I have is:

"Now go to thine own country and take care of the ring, for by means of it thou wilt baffle thine enemies; and be not ignorant of its puissance."
-The Arabian Nights

If Nancy was cribbing this line then sure. But otherwise I can't find a reference that shows the use in the title is wrong.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more