Honey encryption - PSJoshi/Notes GitHub Wiki

Honey cryptokens

Traps are set on the Internet to attract hackers in order to understand their behavior and tactics. Many of these traps are known as honeypots, which are deliberately unpatched computers or infrastructure exposed to the Internet that lure attackers to break in while their actions are recorded.

However, these decoys are not usually built into security processes; an approach that does build them in is called honey encryption. Honey Encryption was presented at the Eurocrypt conference in Copenhagen in the spring of 2014.

It gives encrypted data an additional layer of protection by serving up fake data in response to every incorrect guess of the password or encryption key. If the attacker does eventually guess correctly, the real data should be lost amongst the crowd of spoof data.

This approach could be valuable given how frequently large encrypted stashes of sensitive data fall into the hands of criminals. After capturing encrypted data, criminals often use software to repeatedly guess the password or cryptographic key used to protect it. The design of conventional cryptographic systems makes it easy to know when such a guess is correct or not: the wrong key produces a garbled mess, not a recognizable piece of raw data. With honey encryption, the output of a wrong guess looks like real contextual data.

When the wrong key is used to decrypt something protected by the system, the Honey Encryption software generates a piece of fake data resembling the true data. If an attacker used software to make 10,000 attempts to decrypt a credit card number, for example, they would get back 10,000 different fake credit card numbers, and each decryption is going to look plausible.
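The behaviour described above, as an added sketch that is not part of the original notes or the researchers' implementation: a toy honey-encryption scheme for 16-digit card numbers that maps each number to a seed (a distribution-transforming encoder) and masks the seed with a password-derived pad. It assumes every 15-digit payload is equally likely (real card numbers are not, because of issuer prefixes); all function names and the sample number are constructed for illustration.

```python
import hashlib
import os

SEED_SPACE = 10 ** 15  # assumption: all 15-digit payloads are equally likely

def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a string of payload digits."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # rightmost payload digit is doubled first
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return number[-1] == luhn_check_digit(number[:-1])

def dte_encode(card: str) -> int:
    """Map a valid card number to its seed (the 15 payload digits)."""
    if len(card) != 16 or not card.isdigit() or not luhn_valid(card):
        raise ValueError("expected a 16-digit Luhn-valid number")
    return int(card[:15])

def dte_decode(seed: int) -> str:
    """Map ANY seed to a well-formed card number; this is what makes wrong keys look right."""
    payload = f"{seed:015d}"
    return payload + luhn_check_digit(payload)

def key_pad(password: str, salt: bytes) -> int:
    """Password-derived pad over the seed space (256-bit output, so modulo bias is negligible)."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return int.from_bytes(key, "big") % SEED_SPACE

def honey_encrypt(card: str, password: str, salt: bytes = None):
    salt = salt or os.urandom(16)
    return salt, (dte_encode(card) + key_pad(password, salt)) % SEED_SPACE

def honey_decrypt(salt: bytes, ct: int, password: str) -> str:
    return dte_decode((ct - key_pad(password, salt)) % SEED_SPACE)

if __name__ == "__main__":
    salt, ct = honey_encrypt("4111111111111111", "correct horse")  # constructed sample
    for guess in ("correct horse", "123456", "password", "letmein"):
        print(f"{guess!r:>16} -> {honey_decrypt(salt, ct, guess)}")
```

The ciphertext carries no integrity tag or padding check on purpose: anything that lets a decryptor distinguish the right key from a wrong one would hand the attacker the same oracle.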

The initial motivation behind the project was the security of password vaults. Services such as LastPass, which was breached in 2011, enable users to secure a number of passwords with a master password; synchronization of these services is often done in the cloud. The problem is that many people use an insecure master password to protect their collection, and that makes password managers a very attractive target for criminals.

If one of these password providers is breached, an attacker can crack the master password associated with any vault and extract all of their passwords. But if those vaults were protected with Honey Encryption, each incorrect attempt to decrypt a vault would yield a fake one instead.
