A new encryption method is being de

A new encryption method is being developed that could frustrate hackers by giving them fake data while making it appear real. As reported in MIT Technology Review, Honey Encryption turns every incorrect password guess made by a hacker into a confusing dead-end.

When an application or user enters and sends a password key to access an encrypted database or file, as long as the password is correct, the data is decrypted and accessible in its original, and readable, format. If the password key is incorrect the data will continue to be unreadable and encrypted.

Hackers who steal databases of user logins and passwords only have to guess a single correct password in order to get access to the data. The way they know they have the correct password is when the database or file becomes readable. To speed up the process, hackers have access to sophisticated software that can send thousands of passwords each minute to applications in an attempt to decrypt the data. Using higher speed, multi-core processors also shortens the time it can take to break encryption.
Ari Juels, a former chief scientist at the computer security company RSA, and Thomas Ristenpart, an Assistant Professor in the Department of Computer Sciences at the University of Wisconsin, are working on an encryption package that would give hackers more information than they can handle, making them question every result.

With Honey Encryption, decrypting with an incorrect password results in fake, but realistic looking data for every incorrect password attempt. For example, if a hacker made 100 password attempts, they would receive 100 plain text results. Even if one of the passwords were correct, the real data would be indistinguishable from the fake data.

"Each decryption is going to look plausible. The attacker has no way to distinguish a priori which is correct," says Juels.

One of initial uses for the encryption software is to protect password manager services. According to Juels, "The way they're constructed discourages the use of a strong password because you’re constantly having to type it in -- also on a mobile device in many cases." These would be prime targets for criminals since users tend to create weak master passwords.

In order to make the fake data look as convincing as possible, Juels has been reviewing leaked password dumps located online. This will allow the creation of more convincing fake passwords. Juels is also working on a fake password vault generator that Honey Encryption will use to protect the online password managers.

However, as Hristo Bojinov, CEO of a mobile software company, Anfacto, who has some experience as a security researcher, point out Honey Encryption will not work in all encryption systems because it is not possible to know the data well enough to create realistic fake data. Juels is hopeful that the password dumps will provide him with enough data to overcome that difficulty.

If successful, Honey Encryption may help to curb the interest of hackers and reduce the amount of user data that makes its way to the web from companies like Adobe with 152 million user accounts leaked last November and Snapchat's much smaller, although still significant breach of 4.6 million users.

For those interested, the paper created by Juels and Ristenpart introducing Honey Encryption, is available at pages.cs.wisc.edu.