Just don’t make it real data: feeding them fakes should see them off
By Richard Chirgwin
Former RSA chief scientist Ari Juels has outlined a cunning way to foil crackers: let them think they’ve busted into a system and then give them fake data to play with.
The idea is not entirely novel because Juels last year proposed a scheme he called “Honeywords” in this paper, co-authored with RSA founder Ronald Rivest. Honeywords is a kind of “security by obscurity”, but in a good way: instead of an attacker stealing a table that has one password per user, the password table has the real password as well as a bunch of fakes – the “honeywords” – for each user.
As well as putting a potential fog of confusion in front of an attacker, a system could be setup to raise an alarm on attempts to log in using the honeywords, because that’s a reliable indicator that the password table has been accessed.
Juels’ new “Honey Encryption” proposal, with co-developer Thomas Ristenpart of the University of Wisconsin, takes this idea a step further, be refining a systems’ response to unauthorised access attempts: instead of a login failure, the attacker would be served up fake data that resembles real data.
As MIT Review reports, even if an attacker eventually hits upon the right user ID / password combination, “the real data should be lost amongst the crowd of spoof data.”
For example, ten thousand attempts to get a credit card number would yield ten thousand fake-but-plausible numbers, leaving the attacker with the job of testing the validity of each number. Even better: if an attacker was trying to access a system’s password store, each attempt failed at a master password would yield fake data.
MIT Review says Juels is now working on the code for a fake password vault generator for use with the Honey Encryption scheme.