In the world of espionage, a honeypot is an operation that uses sex to recruit an agent. An attractive person seduces the target, then sweet-talks or blackmails the duped lover into giving up secrets. In the world of computing, a honeypot is a more cerebral kind of trap: Lure hackers with the sweet scent of valuable-seeming but bogus information and get them to reveal themselves.
Two computer scientists have developed a clever twist on the idea. Ari Juels, an independent researcher who used to be the chief scientist at the computer security firm RSA, and Thomas Ristenpart of the University of Wisconsin have figured out how to take advantage of the brute force password-cracking hackers often employ. To learn a password, digital attackers can use computer programs that just guess over and over. While that may sound like a futile approach, it’s much less so when you can cycle through billions of guesses a second, as computer clusters allow savvy hackers to do.
Honey Encryption turns this method against the hackers in a sort of cryptographic jujitsu. With each incorrect guess, Juels and Ristenpart’s program, rather than just denying access, releases what looks like the sought-after data. If the encrypted data amount to a hoard of credit card numbers, for example, it releases a list of fake credit card-like numbers. Multiply that by millions or billions of attempts, and the hackers are deluged with useless information. Even if the hackers do manage to crack the password, they have no way of knowing it, no way to distinguish the real data from the tidal wave of decoys without trying all of them.
Juels has a particular interest in honeypot-type defenses. He published a paper last year on “honeywords“—fake passwords that, once stolen and tried, function as an alarm that warns an account owner that the account has been hacked. He’s working on incorporating that feature into his and Ristenpart’s encryption software.
Right now Honey Encryption exists only as a prototype focused on protecting password vaults, services such as LastPass and Dashlane that store all of a person’s passwords under one master password. And the prototype for the time being is a custom product. As Juels freely admits, creating the bogus data requires a knowledge of what the real protected data look like—the targeted data are a bunch of credit card numbers, and Honey Encryption gives them alphanumeric passwords (or vice versa), the thieves will know the data aren’t real.
The other major issue the programmers are dealing with is how to distinguish hacking attacks from honest errors. It wouldn’t do for the actual owner of a password vault to get served up a bunch of fake passwords if she mistypes her master password. Juels won’t get too specific about how the software will distinguish typos from attacks, but he says he’s adopting methods used in computer networks to determine when data packets have been corrupted in transmission.
In general, he sees a bright future for trickery as a part of the arsenal of data protection. “It’s a really underappreciated defense strategy,” he says. Put another way, he believes computer security types should think more like spies. You thwart more hackers, as the saying (very roughly) goes, with honey than with vinegar.